[ https://issues.apache.org/jira/browse/CASSANDRA-7848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14115283#comment-14115283 ]
Hendrik van Huyssteen commented on CASSANDRA-7848:
--------------------------------------------------

Patch to be submitted soon. Comments are welcome in the meantime.

> Additional keystore configurations for SSL with HSMs
> ----------------------------------------------------
>
>                 Key: CASSANDRA-7848
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-7848
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Config
>            Reporter: Hendrik van Huyssteen
>            Priority: Minor
>
> In order to use Cassandra with a Hardware Security Module (HSM) for encrypted
> communications, additional configuration options are required in terms of
> keystore configurations.
>
> A user configuring Cassandra must be able to:
> # Specify the truststore and keystore type independently (e.g. keystore would
>   be in hardware and truststore in software)
> # Specify the desired certificate and private key entry that should be used,
>   by setting an alias
> # Specify the keystore and keypair passwords independently
>
> At the moment Cassandra only allows:
> # A global keystore type
> # Expects one keypair per keystore and
> # Uses the same password for the keystore and keypair
>
> The appropriate changes have been made to Cassandra 1.2 to support the
> above-mentioned configuration.
>
> The proposed cassandra.yaml would then look as follows, with the new changes
> marked with *:
>
> {noformat}
> server_encryption_options:
>     internode_encryption: all
>     keystore: <path to keystore>
>     keystore_password: <password of keystore>
>     store_type: <hsm storetype>
>     *keystore_entry_alias: <alias of key entry in keystore to use>*
>     *keystore_entry_password: <password of key entry in keystore to use>*
>
>     truststore: <path to truststore>
>     truststore_password: <password of truststore>
>     # More advanced defaults below:
>     # protocol: TLS
>     *truststore_type: JKS*
>     # cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA]
> {noformat}
>
> In terms of backwards compatibility, the following defaults should be used
> for the newly proposed settings:
> * truststore_type = store_type;
> * keystore_entry_password = keystore_password;
> * keystore_entry_alias = autoselect
>
> Example use case with HSM:
> * Keystore is stored in HSM.
> * store_type is set to the HSM store type.
> * keystore_password is set to the slot password of the HSM.
> * keystore_entry_password set to the keypair password.
> * Truststore is stored on disk, with type set to JKS.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
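The following is an added, illustrative Java example of how the three proposed options (independent truststore type, pinned key-entry alias, separate entry password) map onto the JSSE API; it is not code from the ticket or from Cassandra itself. It assumes "PKCS11" as the HSM store type with a SunPKCS11 provider already registered, and the `Options` field names are inventions that mirror the yaml keys above. The default JSSE key manager picks an alias on its own, so honouring `keystore_entry_alias` requires wrapping it, and the keystore password and the key-entry password are passed to `KeyStore.load` and `KeyManagerFactory.init` respectively, which is where they are allowed to differ.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

public class HsmSslContextBuilder {

    /** Mirrors the proposed server_encryption_options keys; the field names are assumptions. */
    public static class Options {
        public String keystore;               // keystore: path on disk (unused for hardware stores)
        public String keystorePassword;       // keystore_password: HSM slot password
        public String storeType;              // store_type: e.g. "PKCS11" (assumed HSM type)
        public String keystoreEntryAlias;     // keystore_entry_alias: null = autoselect
        public String keystoreEntryPassword;  // keystore_entry_password: null = keystore_password
        public String truststore;             // truststore: path on disk
        public String truststorePassword;     // truststore_password
        public String truststoreType;         // truststore_type: null = store_type
    }

    /** Loads a store of the given type; hardware-backed PKCS11 stores take no input stream. */
    static KeyStore loadStore(String type, String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        if ("PKCS11".equalsIgnoreCase(type)) {
            ks.load(null, password);          // the PKCS11 provider must already be registered
        } else {
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
        }
        return ks;
    }

    /** Wraps the default key manager so exactly one alias is ever offered to the peer. */
    static final class PinnedAliasKeyManager extends X509ExtendedKeyManager {
        private final X509KeyManager delegate;
        private final String alias;

        PinnedAliasKeyManager(X509KeyManager delegate, String alias) {
            this.delegate = delegate;
            this.alias = alias;
        }
        @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket s) { return alias; }
        @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return alias; }
        @Override public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine e) { return alias; }
        @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine e) { return alias; }
        @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return new String[] { alias }; }
        @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
        @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    }

    public static SSLContext build(Options o) throws Exception {
        // Backwards-compatibility defaults from the ticket.
        String truststoreType = o.truststoreType != null ? o.truststoreType : o.storeType;
        String entryPassword = o.keystoreEntryPassword != null ? o.keystoreEntryPassword : o.keystorePassword;

        KeyStore ks = loadStore(o.storeType, o.keystore, o.keystorePassword.toCharArray());
        KeyStore ts = loadStore(truststoreType, o.truststore, o.truststorePassword.toCharArray());

        // Fail fast at startup if the configured alias does not name a private-key entry.
        if (o.keystoreEntryAlias != null && !ks.isKeyEntry(o.keystoreEntryAlias)) {
            throw new KeyStoreException("no key entry with alias '" + o.keystoreEntryAlias + "' in keystore");
        }

        // The store password opened the keystore above; the entry password unlocks the keypair here.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, entryPassword.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);

        KeyManager[] kms = kmf.getKeyManagers();
        if (o.keystoreEntryAlias != null) {            // autoselect when no alias is configured
            for (int i = 0; i < kms.length; i++) {
                if (kms[i] instanceof X509KeyManager) {
                    kms[i] = new PinnedAliasKeyManager((X509KeyManager) kms[i], o.keystoreEntryAlias);
                }
            }
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

The alias check before `KeyManagerFactory.init` matters operationally: without it, a misspelled `keystore_entry_alias` would surface only as a handshake failure on the first internode connection rather than as a clear error at node start.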