
I configured client-node encryption using reference http://cloudurable.com/blog/cassandra-ssl-cluster-setup/index.html

cassandra version 2.1.16
java version jdk1.8.0_131
JCE version JAVA 8
netty-all-4.0.23.Final
Python version Python 2.7.5

Can someone please help me: which step is wrong, and are these versions compatible?

SSL settings in cassandra.yaml:

server_encryption_options:
    internode_encryption: all
    keystore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.keystore
    keystore_password: cassandra
    truststore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
    # require_client_auth: false

# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true encrypted and unencrypted connections are handled.
    optional: false
    keystore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.keystore
    keystore_password: cassandra
    require_client_auth: true
    # Set truststore and truststore_password if require_client_auth is true
    truststore: /home/cassandra/resources/opt/cassandra/conf/certs/cassandra.truststore
    truststore_password: cassandra
    # More advanced defaults below:
    protocol: TLS
    # algorithm: SunX509
    # store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
==========

system.log errors:

INFO  [main] 2018-04-17 18:10:14,110 StorageService.java:1715 - Node /192.168.0.6 state jump to NORMAL
INFO  [main] 2018-04-17 18:10:14,121 CassandraDaemon.java:613 - Waiting for gossip to settle before accepting client requests...
INFO  [main] 2018-04-17 18:10:22,123 CassandraDaemon.java:645 - No gossip backlog; proceeding
INFO  [main] 2018-04-17 18:10:22,225 Server.java:155 - Netty using native Epoll event loop
INFO  [main] 2018-04-17 18:10:22,252 Server.java:183 - Enabling encrypted CQL connections between client and server
INFO  [main] 2018-04-17 18:10:22,273 Server.java:193 - Using Netty Version: [netty-buffer=netty-buffer-4.0.23.Final.208198c, netty-codec=netty-codec-4.0.23.Final.208198c, netty-codec-http=netty-codec-http-4.0.23.Final.208198c, netty-codec-socks=netty-codec-socks-4.0.23.Final.208198c, netty-common=netty-common-4.0.23.Final.208198c, netty-handler=netty-handler-4.0.23.Final.208198c, netty-transport=netty-transport-4.0.23.Final.208198c, netty-transport-rxtx=netty-transport-rxtx-4.0.23.Final.208198c, netty-transport-sctp=netty-transport-sctp-4.0.23.Final.208198c, netty-transport-udt=netty-transport-udt-4.0.23.Final.208198c]
INFO  [main] 2018-04-17 18:10:22,273 Server.java:194 - Starting listening for CQL clients on /192.168.0.6:9042...
INFO  [main] 2018-04-17 18:10:22,361 ThriftServer.java:119 - Binding thrift service to /192.168.0.6:9160
INFO  [main] 2018-04-17 18:10:22,368 CustomTThreadPoolServer.java:250 - enabling encrypted thrift connections between client and server
INFO  [Thread-15] 2018-04-17 18:10:22,378 ThriftServer.java:136 - Listening for thrift clients...
INFO  [SharedPool-Worker-1] 2018-04-17 18:10:22,542 Message.java:532 - Unexpected exception during request; channel = [id: 0xf1dc0a76, /192.168.0.6:47506 => /192.168.0.6:9042]
io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 0300000001000000160001000b43514c5f56455253494f4e0005332e302e30
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:860) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:249) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:149) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:333) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:319) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:787) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollSocketChannel$EpollSocketUnsafe.epollInReady(EpollSocketChannel.java:722) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:326) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:264) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:116) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137) ~[netty-all-4.0.23.Final.jar:4.0.23.Final]
        at java.lang.Thread.run(Thread.java:748) [na:1.8.0_131]
Andrew
sateesh

1 Answer


Are your seeds also SSL-enabled? Because it looks like they are still using the "plain text" native protocol. You may need to check the following option in their config: native_transport_port_ssl - it could be set to the value 9142 - then SSL should happen via this port. Check the comment in cassandra.yaml around this option.

Alex Ott