Thanks a lot. I think I need the ‘ –alias’ option.
From: Adam Holmberg [mailto:adam.holmb...@datastax.com] Sent: 2015年2月4日 23:17 To: user@cassandra.apache.org Subject: Re: FW: How to use cqlsh to access Cassandra DB if the client_encryption_options is enabled Since I don't know what's in your keystore, or how it was generated, I don't know how much help I can be. You probably need "-alias <something>" on the command line, and make sure a cert by the name "<something>" exists in your keystore. You can use "keytool -list ..." to examine the contents. Adam Holmberg On Mon, Feb 2, 2015 at 4:15 AM, Lu, Boying <boying...@emc.com<mailto:boying...@emc.com>> wrote: Hi, Holmberg, I tried your suggestion and run the following command: keytool –exportcert –keystore path-to-my-keystore-file –storepass my-keystore-password –storetype JKS –file path-to-outptfile and I got following error: keytool error: java.lang.Exception: Alias <mykey> does not exist Do you know how to fix this issue? Thanks Boying From: Adam Holmberg [mailto:adam.holmb...@datastax.com<mailto:adam.holmb...@datastax.com>] Sent: 2015年1月31日 1:12 To: user@cassandra.apache.org<mailto:user@cassandra.apache.org> Subject: Re: FW: How to use cqlsh to access Cassandra DB if the client_encryption_options is enabled Assuming the truststore you are referencing is the same one the server is using, it's probably in the wrong format. You will need to export the cert into a PEM format for use in the (Python) cqlsh client. If exporting from the java keystore format, use keytool -exportcert <source keystore, pass, etc> -rfc -file <output file> If you have the crt file, you should be able to accomplish the same using openssl: openssl x509 -in <in crt> -inform DER -out <output file> -outform PEM Then, you should refer to that PEM file in your command. Alternatively, you can specify a path to the file (along with other options) in your cqlshrc file. References: How cqlsh picks up ssl options<https://github.com/apache/cassandra/blob/cassandra-2.1/pylib/cqlshlib/sslhandling.py> Example cqlshrc file<https://github.com/apache/cassandra/blob/cassandra-2.1/conf/cqlshrc.sample> Adam Holmberg On Wed, Jan 28, 2015 at 1:08 AM, Lu, Boying <boying...@emc.com<mailto:boying...@emc.com>> wrote: Hi, All, Does anyone know the answer? Thanks a lot Boying From: Lu, Boying Sent: 2015年1月6日 11:21 To: user@cassandra.apache.org<mailto:user@cassandra.apache.org> Subject: How to use cqlsh to access Cassandra DB if the client_encryption_options is enabled Hi, All, I turned on the dbclient_encryption_options like this: client_encryption_options: enabled: true keystore: path-to-my-keystore-file keystore_password: my-keystore-password truststore: path-to-my-truststore-file truststore_password: my-truststore-password … I can use following cassandra-cli command to access DB: cassandra-cli -ts path-to-my-truststore-file –tspw my-truststore-password –tf org.apache.cassandra.thrift.SSLTransportFactory But when I tried to access DB by cqlsh like this: SSL_CERTFILE=path-to-my-truststore cqlsh –t cqlishlib.ssl.ssl_transport_factory I got following error: Connection error: Could not connect to localhost:9160: [Errno 0] _ssl.c:332: error:00000000:lib(0):func(0):reason(0) I guess the reason maybe is that I didn’t provide the trustore password. But cqlsh doesn’t provide such option. Does anyone know how to resolve this issue? Thanks Boying