January 9, 2025
Tweet
Overview
This guide demonstrates how to set up SSL/TLS encryption for Apache Cassandra 5.0 clusters using modern security practices. We’ll cover both client-to-node and node-to-node encryption using TLS 1.3, container-based deployments, and automated certificate management.
What’s New in 2025
Cassandra 5.0 Security Enhancements
- Native TLS 1.3 Support: Full support for TLS 1.3 with improved performance and security
- Dynamic Certificate Reloading: Hot-reload certificates without cluster restart
- Mutual TLS (mTLS) by Default: Enhanced zero-trust security model
- Improved JFR Integration: Better security event monitoring and auditing
- Vector Search Security: Encrypted vector embeddings for AI workloads
Modern Infrastructure Updates
- Container-First Deployment: Docker and Kubernetes native approaches
- Service Mesh Integration: Istio/Linkerd for additional security layers
- Certificate Automation: cert-manager and HashiCorp Vault integration
- Cloud-Native Secrets: AWS Secrets Manager, Azure Key Vault, GCP Secret Manager
- Zero-Trust Architecture: Enhanced network policies and RBAC
Prerequisites
- Cassandra 5.0.x
- Docker 24.x / Kubernetes 1.28+
- OpenSSL 3.0+ or cert-manager 1.13+
- kubectl and helm (for Kubernetes deployments)
Certificate Generation with Modern Tools
Option 1: Using cert-manager (Kubernetes)
# cert-manager-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: cassandra-ca-issuer
spec:
ca:
secretName: cassandra-ca-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: cassandra-node-cert
namespace: cassandra
spec:
secretName: cassandra-node-tls
issuerRef:
name: cassandra-ca-issuer
kind: ClusterIssuer
commonName: cassandra-node
dnsNames:
- cassandra-0.cassandra.svc.cluster.local
- cassandra-1.cassandra.svc.cluster.local
- cassandra-2.cassandra.svc.cluster.local
- "*.cassandra.svc.cluster.local"
duration: 8760h # 1 year
renewBefore: 720h # 30 days
usages:
- digital signature
- key encipherment
- server auth
- client auth
Option 2: Using OpenSSL with Modern Configuration
#!/bin/bash
# generate-certs.sh - Modern certificate generation script
# Create CA with TLS 1.3 compatible settings
openssl req -new -x509 -keyout ca-key.pem -out ca-cert.pem -days 3650 \
-subj "/C=US/ST=CA/L=San Francisco/O=YourOrg/CN=Cassandra CA" \
-addext "keyUsage=critical,keyCertSign,cRLSign" \
-addext "basicConstraints=critical,CA:TRUE" \
-nodes -newkey ec:secp384r1
# Generate node certificates with SAN
for node in cassandra-0 cassandra-1 cassandra-2; do
# Create private key using ECDSA (more efficient than RSA)
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:secp384r1 \
-out ${node}-key.pem
# Create CSR with SAN
cat > ${node}-csr.conf <<EOF
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
CN = ${node}
[v3_req]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${node}
DNS.2 = ${node}.cassandra.svc.cluster.local
DNS.3 = localhost
IP.1 = 127.0.0.1
EOF
openssl req -new -key ${node}-key.pem -out ${node}.csr \
-config ${node}-csr.conf \
-subj "/C=US/ST=CA/L=San Francisco/O=YourOrg/CN=${node}"
# Sign certificate
openssl x509 -req -in ${node}.csr -CA ca-cert.pem -CAkey ca-key.pem \
-CAcreateserial -out ${node}-cert.pem -days 365 \
-extensions v3_req -extfile ${node}-csr.conf
done
# Convert to PKCS12 for Java compatibility
for node in cassandra-0 cassandra-1 cassandra-2; do
openssl pkcs12 -export -in ${node}-cert.pem -inkey ${node}-key.pem \
-out ${node}.p12 -name ${node} -CAfile ca-cert.pem -caname "Cassandra CA" \
-password pass:cassandra
done
# Create truststore
keytool -import -file ca-cert.pem -alias cassandra-ca -keystore truststore.jks \
-storepass cassandra -noprompt -storetype PKCS12
Cassandra 5.0 SSL Configuration
Modern cassandra.yaml Configuration
# /etc/cassandra/cassandra.yaml
# Client-to-node encryption with TLS 1.3
client_encryption_options:
enabled: true
optional: false
keystore: /etc/cassandra/certs/keystore.p12
keystore_password: cassandra
keystore_type: PKCS12
truststore: /etc/cassandra/certs/truststore.jks
truststore_password: cassandra
truststore_type: PKCS12
protocol: TLSv1.3
cipher_suites:
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
require_client_auth: true
# New in 5.0: Dynamic certificate reloading
enable_certificate_reload: true
certificate_reload_interval_ms: 3600000 # 1 hour
# Node-to-node encryption
server_encryption_options:
internode_encryption: all
enable_legacy_ssl_storage_port: false
keystore: /etc/cassandra/certs/keystore.p12
keystore_password: cassandra
keystore_type: PKCS12
truststore: /etc/cassandra/certs/truststore.jks
truststore_password: cassandra
truststore_type: PKCS12
protocol: TLSv1.3
cipher_suites:
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
require_client_auth: true
enable_certificate_reload: true
# New in 5.0: Enhanced security settings
security:
authentication_enabled: true
authorization_enabled: true
audit_logging_enabled: true
encryption_at_rest:
enabled: true
key_provider: com.datastax.bdp.cassandra.crypto.kmip.KmipKeyProvider
Container Deployment
Dockerfile for Cassandra 5.0 with SSL
FROM cassandra:5.0
# Install certificate management tools
RUN apt-get update && apt-get install -y \
openssl \
ca-certificates \
&& rm -rf /var/lib/apt/lists/*
# Create certificate directory
RUN mkdir -p /etc/cassandra/certs
# Copy certificates (in production, use secrets)
COPY --chown=cassandra:cassandra certs/* /etc/cassandra/certs/
# Copy custom configuration
COPY --chown=cassandra:cassandra cassandra.yaml /etc/cassandra/
COPY --chown=cassandra:cassandra cassandra-env.sh /etc/cassandra/
# Add certificate refresh script
COPY --chown=cassandra:cassandra refresh-certs.sh /usr/local/bin/
RUN chmod +x /usr/local/bin/refresh-certs.sh
# Health check with SSL
HEALTHCHECK --interval=30s --timeout=10s --start-period=60s --retries=3 \
CMD cqlsh --ssl -e "SELECT now() FROM system.local" || exit 1
EXPOSE 9042 7000 7001 9160
CMD ["cassandra", "-f"]
Docker Compose with SSL
version: '3.8'
services:
cassandra-seed:
build: .
container_name: cassandra-seed
hostname: cassandra-seed
networks:
- cassandra-net
volumes:
- cassandra-seed-data:/var/lib/cassandra
- ./certs:/etc/cassandra/certs:ro
- ./cassandra.yaml:/etc/cassandra/cassandra.yaml:ro
environment:
- CASSANDRA_CLUSTER_NAME=SecureCluster
- CASSANDRA_DC=dc1
- CASSANDRA_RACK=rack1
- CASSANDRA_ENDPOINT_SNITCH=GossipingPropertyFileSnitch
- CASSANDRA_SEEDS=cassandra-seed
- JVM_OPTS=-Xms2G -Xmx2G
healthcheck:
test: ["CMD", "cqlsh", "--ssl", "-e", "SELECT now() FROM system.local"]
interval: 30s
timeout: 10s
retries: 5
cassandra-node1:
build: .
container_name: cassandra-node1
hostname: cassandra-node1
networks:
- cassandra-net
volumes:
- cassandra-node1-data:/var/lib/cassandra
- ./certs:/etc/cassandra/certs:ro
- ./cassandra.yaml:/etc/cassandra/cassandra.yaml:ro
environment:
- CASSANDRA_CLUSTER_NAME=SecureCluster
- CASSANDRA_DC=dc1
- CASSANDRA_RACK=rack1
- CASSANDRA_ENDPOINT_SNITCH=GossipingPropertyFileSnitch
- CASSANDRA_SEEDS=cassandra-seed
- JVM_OPTS=-Xms2G -Xmx2G
depends_on:
cassandra-seed:
condition: service_healthy
cassandra-node2:
build: .
container_name: cassandra-node2
hostname: cassandra-node2
networks:
- cassandra-net
volumes:
- cassandra-node2-data:/var/lib/cassandra
- ./certs:/etc/cassandra/certs:ro
- ./cassandra.yaml:/etc/cassandra/cassandra.yaml:ro
environment:
- CASSANDRA_CLUSTER_NAME=SecureCluster
- CASSANDRA_DC=dc1
- CASSANDRA_RACK=rack1
- CASSANDRA_ENDPOINT_SNITCH=GossipingPropertyFileSnitch
- CASSANDRA_SEEDS=cassandra-seed
- JVM_OPTS=-Xms2G -Xmx2G
depends_on:
cassandra-seed:
condition: service_healthy
networks:
cassandra-net:
driver: bridge
ipam:
config:
- subnet: 172.30.0.0/16
volumes:
cassandra-seed-data:
cassandra-node1-data:
cassandra-node2-data:
Kubernetes Deployment with SSL
StatefulSet with Certificate Management
apiVersion: v1
kind: Service
metadata:
name: cassandra
namespace: cassandra
spec:
clusterIP: None
selector:
app: cassandra
ports:
- port: 9042
name: cql
- port: 7000
name: inter-node
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: cassandra
namespace: cassandra
spec:
serviceName: cassandra
replicas: 3
selector:
matchLabels:
app: cassandra
template:
metadata:
labels:
app: cassandra
spec:
initContainers:
- name: setup-certs
image: busybox:1.36
command:
- sh
- -c
- |
# Convert cert-manager certificates to Java format
cp /tls/tls.crt /certs/node-cert.pem
cp /tls/tls.key /certs/node-key.pem
cp /tls/ca.crt /certs/ca-cert.pem
chmod 600 /certs/*
volumeMounts:
- name: cert-manager-tls
mountPath: /tls
- name: certs
mountPath: /certs
containers:
- name: cassandra
image: cassandra:5.0
ports:
- containerPort: 9042
name: cql
- containerPort: 7000
name: inter-node
env:
- name: CASSANDRA_CLUSTER_NAME
value: "SecureCluster"
- name: CASSANDRA_DC
value: "dc1"
- name: CASSANDRA_RACK
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: CASSANDRA_SEEDS
value: "cassandra-0.cassandra.cassandra.svc.cluster.local"
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
volumeMounts:
- name: data
mountPath: /var/lib/cassandra
- name: certs
mountPath: /etc/cassandra/certs
readOnly: true
- name: config
mountPath: /etc/cassandra/cassandra.yaml
subPath: cassandra.yaml
resources:
requests:
memory: "4Gi"
cpu: "2"
limits:
memory: "8Gi"
cpu: "4"
livenessProbe:
exec:
command:
- /bin/bash
- -c
- |
cqlsh --ssl -e "SELECT now() FROM system.local" || exit 1
initialDelaySeconds: 90
periodSeconds: 30
readinessProbe:
exec:
command:
- /bin/bash
- -c
- |
cqlsh --ssl -e "SELECT now() FROM system.local" || exit 1
initialDelaySeconds: 60
periodSeconds: 10
volumes:
- name: cert-manager-tls
secret:
secretName: cassandra-node-tls
- name: certs
emptyDir: {}
- name: config
configMap:
name: cassandra-config
volumeClaimTemplates:
- metadata:
name: data
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: fast-ssd
resources:
requests:
storage: 100Gi
ConfigMap for Cassandra Configuration
apiVersion: v1
kind: ConfigMap
metadata:
name: cassandra-config
namespace: cassandra
data:
cassandra.yaml: |
cluster_name: 'SecureCluster'
num_tokens: 256
allocate_tokens_for_local_replication_factor: 3
seed_provider:
- class_name: org.apache.cassandra.locator.SimpleSeedProvider
parameters:
- seeds: "cassandra-0.cassandra.cassandra.svc.cluster.local"
endpoint_snitch: GossipingPropertyFileSnitch
# SSL Configuration
client_encryption_options:
enabled: true
optional: false
keystore: /etc/cassandra/certs/keystore.p12
keystore_password: cassandra
keystore_type: PKCS12
truststore: /etc/cassandra/certs/truststore.jks
truststore_password: cassandra
truststore_type: PKCS12
protocol: TLSv1.3
cipher_suites:
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
require_client_auth: true
enable_certificate_reload: true
server_encryption_options:
internode_encryption: all
keystore: /etc/cassandra/certs/keystore.p12
keystore_password: cassandra
keystore_type: PKCS12
truststore: /etc/cassandra/certs/truststore.jks
truststore_password: cassandra
truststore_type: PKCS12
protocol: TLSv1.3
cipher_suites:
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
require_client_auth: true
enable_certificate_reload: true
Client Configuration
Modern cqlsh Configuration
# ~/.cassandra/cqlshrc
[connection]
hostname = cassandra-0.cassandra.svc.cluster.local
port = 9042
ssl = true
[ssl]
validate = true
certfile = ~/certs/ca-cert.pem
userkey = ~/certs/client-key.pem
usercert = ~/certs/client-cert.pem
version = TLSv1.3
Python Driver with SSL (5.x)
from cassandra.cluster import Cluster
from cassandra.auth import PlainTextAuthProvider
from ssl import SSLContext, PROTOCOL_TLS_CLIENT, CERT_REQUIRED
# Create SSL context with TLS 1.3
ssl_context = SSLContext(PROTOCOL_TLS_CLIENT)
ssl_context.minimum_version = ssl.TLSVersion.TLSv1_3
ssl_context.check_hostname = True
ssl_context.verify_mode = CERT_REQUIRED
# Load certificates
ssl_context.load_cert_chain(
certfile='client-cert.pem',
keyfile='client-key.pem'
)
ssl_context.load_verify_locations('ca-cert.pem')
# Connect with authentication
auth_provider = PlainTextAuthProvider(
username='cassandra',
password='cassandra'
)
cluster = Cluster(
['cassandra-0.cassandra.svc.cluster.local'],
ssl_context=ssl_context,
auth_provider=auth_provider,
protocol_version=5 # Cassandra 5.0 uses protocol v5
)
session = cluster.connect()
# Test connection
result = session.execute("SELECT release_version FROM system.local")
print(f"Connected to Cassandra {result.one().release_version}")
Java Driver Configuration
import com.datastax.oss.driver.api.core.CqlSession;
import com.datastax.oss.driver.api.core.config.DriverConfigLoader;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.KeyManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.net.InetSocketAddress;
public class SecureCassandraClient {
public static void main(String[] args) throws Exception {
// Load keystore and truststore
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("client.p12"), "cassandra".toCharArray());
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream("truststore.jks"), "cassandra".toCharArray());
// Create SSL context
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, "cassandra".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLSv1.3");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
// Create session with SSL
CqlSession session = CqlSession.builder()
.addContactPoint(new InetSocketAddress("cassandra-0.cassandra.svc.cluster.local", 9042))
.withSslContext(sslContext)
.withAuthCredentials("cassandra", "cassandra")
.withLocalDatacenter("dc1")
.build();
// Test connection
session.execute("SELECT release_version FROM system.local")
.one()
.getString("release_version");
System.out.println("Connected to secure Cassandra cluster");
session.close();
}
}
Certificate Automation
Cert-Manager Auto-Renewal Script
#!/bin/bash
# refresh-certs.sh - Automatically refresh certificates
# Function to convert cert-manager certs to Java format
convert_certs() {
# Wait for cert-manager to update certificates
while [ ! -f /tls/tls.crt ] || [ ! -f /tls/tls.key ]; do
echo "Waiting for certificates..."
sleep 5
done
# Convert to PKCS12
openssl pkcs12 -export \
-in /tls/tls.crt \
-inkey /tls/tls.key \
-out /etc/cassandra/certs/keystore.p12 \
-name cassandra \
-CAfile /tls/ca.crt \
-caname "Cassandra CA" \
-password pass:cassandra
# Create truststore
keytool -import -file /tls/ca.crt \
-alias cassandra-ca \
-keystore /etc/cassandra/certs/truststore.jks \
-storepass cassandra \
-noprompt \
-storetype PKCS12
# Signal Cassandra to reload certificates (Cassandra 5.0 feature)
nodetool reloadssl
}
# Monitor certificate changes
inotifywait -m -e modify,create /tls/ |
while read -r directory events filename; do
if [[ "$filename" == "tls.crt" ]] || [[ "$filename" == "tls.key" ]]; then
echo "Certificate change detected, converting..."
convert_certs
echo "Certificates reloaded successfully"
fi
done
HashiCorp Vault Integration
# vault-cassandra-pki.hcl
path "pki/issue/cassandra" {
capabilities = ["create", "update"]
}
path "pki/cert/ca" {
capabilities = ["read"]
}
#!/bin/bash
# vault-cert-rotation.sh
# Login to Vault
export VAULT_TOKEN=$(vault login -token-only -method=kubernetes)
# Generate new certificate
vault write -format=json pki/issue/cassandra \
common_name="cassandra-$(hostname)" \
ttl="720h" \
alt_names="localhost,$(hostname).cassandra.svc.cluster.local" \
ip_sans="127.0.0.1,$(hostname -i)" > cert.json
# Extract certificates
jq -r '.data.certificate' cert.json > /etc/cassandra/certs/node-cert.pem
jq -r '.data.private_key' cert.json > /etc/cassandra/certs/node-key.pem
jq -r '.data.ca_chain[]' cert.json > /etc/cassandra/certs/ca-cert.pem
# Convert to Java format
openssl pkcs12 -export \
-in /etc/cassandra/certs/node-cert.pem \
-inkey /etc/cassandra/certs/node-key.pem \
-out /etc/cassandra/certs/keystore.p12 \
-name cassandra \
-password pass:cassandra
# Reload certificates
nodetool reloadssl
Security Best Practices
1. Network Policies
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: cassandra-network-policy
namespace: cassandra
spec:
podSelector:
matchLabels:
app: cassandra
policyTypes:
- Ingress
- Egress
ingress:
- from:
- podSelector:
matchLabels:
app: cassandra
ports:
- protocol: TCP
port: 7000 # Inter-node communication
- protocol: TCP
port: 7001 # Inter-node SSL
- from:
- podSelector:
matchLabels:
app: cassandra-client
- namespaceSelector:
matchLabels:
name: application
ports:
- protocol: TCP
port: 9042 # CQL
egress:
- to:
- podSelector:
matchLabels:
app: cassandra
ports:
- protocol: TCP
port: 7000
- protocol: TCP
port: 7001
2. RBAC Configuration
apiVersion: v1
kind: ServiceAccount
metadata:
name: cassandra
namespace: cassandra
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cassandra-role
namespace: cassandra
rules:
- apiGroups: [""]
resources: ["pods", "services"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["cassandra-node-tls"]
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cassandra-rolebinding
namespace: cassandra
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cassandra-role
subjects:
- kind: ServiceAccount
name: cassandra
namespace: cassandra
3. Pod Security Standards
apiVersion: v1
kind: Pod
metadata:
name: cassandra-secure
spec:
securityContext:
runAsNonRoot: true
runAsUser: 999
fsGroup: 999
seccompProfile:
type: RuntimeDefault
containers:
- name: cassandra
image: cassandra:5.0
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
volumeMounts:
- name: data
mountPath: /var/lib/cassandra
- name: tmp
mountPath: /tmp
- name: var-log
mountPath: /var/log/cassandra
Monitoring and Troubleshooting
Prometheus Metrics with SSL
apiVersion: v1
kind: ConfigMap
metadata:
name: prometheus-cassandra-config
data:
prometheus.yml: |
global:
scrape_interval: 15s
scrape_configs:
- job_name: 'cassandra'
scheme: https
tls_config:
ca_file: /etc/prometheus/certs/ca.crt
cert_file: /etc/prometheus/certs/tls.crt
key_file: /etc/prometheus/certs/tls.key
static_configs:
- targets:
- cassandra-0.cassandra:7070
- cassandra-1.cassandra:7070
- cassandra-2.cassandra:7070
SSL Debugging Commands
# Check certificate validity
openssl x509 -in /etc/cassandra/certs/node-cert.pem -text -noout
# Verify certificate chain
openssl verify -CAfile ca-cert.pem node-cert.pem
# Test SSL connection
openssl s_client -connect cassandra-0:9042 -tls1_3 -showcerts
# Check Cassandra SSL status
nodetool info | grep -i ssl
# View SSL handshake logs
nodetool setlogginglevel org.apache.cassandra.transport TRACE
# Monitor certificate expiration
kubectl get certificate -n cassandra -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.status.notAfter}{"\n"}{end}'
# Check cipher suites in use
cqlsh --ssl --debug
Common SSL Issues and Solutions
-
Certificate Verification Failed
# Check DNS names in certificate openssl x509 -in cert.pem -text | grep -A1 "Subject Alternative Name" # Ensure hostname matches certificate hostname -f -
Handshake Failure
# Check supported protocols openssl s_client -connect host:9042 -tls1_3 # Verify cipher suites nmap --script ssl-enum-ciphers -p 9042 cassandra-host -
Performance Impact
# Enable native transport encryption offloading native_transport_flush_in_batches: true native_transport_max_concurrent_requests_in_bytes: 134217728
Performance Optimization
JVM SSL Tuning
# cassandra-env.sh additions
JVM_OPTS="$JVM_OPTS -Djdk.tls.server.protocols=TLSv1.3"
JVM_OPTS="$JVM_OPTS -Djdk.tls.client.protocols=TLSv1.3"
JVM_OPTS="$JVM_OPTS -Djdk.tls.ephemeralDHKeySize=2048"
JVM_OPTS="$JVM_OPTS -Dcom.sun.net.ssl.enableECC=true"
JVM_OPTS="$JVM_OPTS -Djsse.enableSNIExtension=true"
# Enable hardware acceleration if available
JVM_OPTS="$JVM_OPTS -XX:+UseAES -XX:+UseAESIntrinsics"
Connection Pooling
# Optimized Python client with connection pooling
from cassandra.cluster import Cluster
from cassandra.policies import DCAwareRoundRobinPolicy
from cassandra.connection import Connection
# Increase SSL handshake timeout
Connection.ssl_handshake_timeout = 10.0
cluster = Cluster(
contact_points=['cassandra-0.cassandra'],
ssl_context=ssl_context,
protocol_version=5,
load_balancing_policy=DCAwareRoundRobinPolicy(local_dc='dc1'),
# Connection pooling settings
connection_pool_size=10,
max_connection_attempts=3,
reconnection_policy=ConstantReconnectionPolicy(delay=1.0)
)
Conclusion
This guide has covered modern SSL/TLS setup for Cassandra 5.0 clusters with emphasis on:
- Security First: TLS 1.3, mTLS, and zero-trust principles
- Automation: Certificate management with cert-manager and Vault
- Cloud Native: Kubernetes deployment with proper RBAC and network policies
- Observability: Monitoring SSL metrics and debugging tools
- Performance: Optimized configurations for production workloads
Remember to regularly update certificates, monitor expiration dates, and keep Cassandra and SSL libraries up to date for optimal security.
References
- Apache Cassandra 5.0 Documentation
- cert-manager Documentation
- Kubernetes Security Best Practices
- TLS 1.3 RFC 8446
- NIST Cryptographic Standards
comments powered by Disqus
Apache Spark Training
Kafka Tutorial
Akka Consulting
Cassandra Training
AWS Cassandra Database Support
Kafka Support Pricing
Cassandra Database Support Pricing
Non-stop Cassandra
Watchdog
Advantages of using Cloudurable™
Cassandra Consulting
Cloudurable™| Guide to AWS Cassandra Deploy
Cloudurable™| AWS Cassandra Guidelines and Notes
Free guide to deploying Cassandra on AWS
Kafka Training
Kafka Consulting
DynamoDB Training
DynamoDB Consulting
Kinesis Training
Kinesis Consulting
Kafka Tutorial PDF
Kubernetes Security Training
Redis Consulting
Redis Training
ElasticSearch / ELK Consulting
ElasticSearch Training
InfluxDB/TICK Training TICK Consulting