I have a Cassandra cluster with client-node encryption enabled. I am trying to add this cluster to an instance of OpsCenter 5.1.0, but it is not able to connect to the cluster. The log file seems to complain about not being able to verify the SSL certificate:
```
INFO: Starting factory opscenterd.ThriftService.NoReconnectCassandraClientFactory instance at 0x7f2ce05c8638>
2015-06-10 15:09:46+0000 [] WARN: Unable to verify ssl certificate.
2015-06-10 15:09:46+0000 [] Unhandled Error
Traceback (most recent call last):
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/log.py", line 84, in callWithLogger
return callWithContext({"system": lp}, func, *args, **kw)
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/log.py", line 69, in callWithContext
return context.call({ILogContext: newCtx}, func, *args, **kw)
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/context.py", line 59, in callWithContext
return self.currentContext().callWithContext(ctx, func, *args, **kw)
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/python/context.py", line 37, in callWithContext
return func(*args,**kw)
--- exception caught here ---
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/internet/epollreactor.py", line 217, in _doReadOrWrite
why = selectable.doRead()
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 137, in doRead
return Connection.doRead(self)
File "/opt/opscenter-5.1.0/lib/py-debian/2.7/amd64/twisted/internet/tcp.py", line 452, in doRead
data = self.socket.recv(self.bufferSize)
File "build/lib/python2.7/site-packages/opscenterd/SslUtils.py", line 12, in ssl_simple_verifyCB
opscenterd.Utils.SSLVerifyException: SSL certificate invalid
```
My question is: what are the step-by-step instructions for being able to add a client-node encrypted cluster to opscenter? Which .pem and .keystore files are needed exactly, how do I get hold of them?
The DataStax documentation on that topic is not detailed enough and therefore not really helpful. I assume some people out there must have managed to set this up successfully and I am sure that a detailed explanation / instructions would be appreciated by many.
One thing to note here: although the docs do mention generating a key per node, in practice this isn't very scalable. In most systems it is common to create one keystore with the required keys and certificate(s) and then use this across all the nodes in your cluster and your client applications as needed. You export the certificate from this keystore and use this for OpsCenter. OpsCenter is (as far as SSL is concerned) an SSL client like any other client.
So you have to export your key from your Java keystore, convert it to .pem format and use that for the opscenterd process. The agents are Java based so they can use the Java keystore. The DS docs are there but it's a bit fragmented so it's a question of looking in the right places :-)
I'm going to use the OpsCenter latest docs here as a reference. I'm assuming you are only using SSL between OpsCenter and Cassandra and between OpsCenter Agents and Cassandra.
Prepping the server certificates:
https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html
Configuring client to node SSL:
https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLClientToNode_t.html
Using cqlsh with SSL (optional):
https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html
To convert the key to a pem format see step 7 here:
https://docs.datastax.com/en/latest-opsc/opsc/online_help/opscAddingCluster_t.html
Examples
Note all these examples assume 1-way SSL. You generated a key in a file called `/etc/dse/keystore` and the certificate in a file called `/etc/dse/truststore`.
To be honest I've never really had a lot of luck in adding SSL enabled clusters directly in the OpsCenter UI. I've always found creating the cluster.conf file and agent address.yaml files by hand far quicker and easier.
Note the SSL files like truststore, key.pem etc. need to be on all the local machines that need them.
Example agent `/var/lib/datastax-agent/conf/address.yaml` file (note the `use_ssl` is for the opscenter <> agents SSL which we're not using here)
Example opscenter `/etc/opscenter/clusters/<cluster_name>.conf` file
Other tips etc
I always find, if I'm troubleshooting SSL connections in DSE / Cassandra, I'll strip out all the SSL and get the cluster working normally first, then I'll configure SSL one step at a time, like turning on node to node SSL, then client to node, then OpsCenter and so on. Debugging all the SSL errors is not for the faint hearted!
Links
Other doc links you might find useful:
https://docs.datastax.com/en/opscenter/5.2/opsc/configure/opscConnectionConfig_r.html
https://docs.datastax.com/en/opscenter/5.2/opsc/configure/agentAddressConfiguration.html
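The export-and-verify step the answer describes, as an added shell example (not from the answer or the DataStax docs): it pulls the node certificate out of the Java keystore as PEM with `keytool -exportcert -rfc`, sanity-checks the PEM, and then checks that a running node actually presents a chain that validates against that PEM, which is exactly what opscenterd fails to do when it logs "Unable to verify ssl certificate". The keystore path, alias, password and host/port are placeholders you substitute; it assumes `keytool` (JDK) and `openssl` are on PATH.

```shell
#!/bin/sh
# Added example, not part of the original answer. Assumes keytool and openssl
# are installed. Paths, alias and password below are placeholders.
set -eu

# 1-way SSL: OpsCenter only needs the server certificate, never the private
# key. -rfc makes keytool write Base64 PEM instead of DER, so no pkcs12 /
# openssl conversion step is required for this case.
export_cert_pem() {
  keystore="$1"; alias="$2"; storepass="$3"; out="$4"
  keytool -exportcert -rfc -keystore "$keystore" -alias "$alias" \
    -storepass "$storepass" -file "$out"
}

# Confirm the PEM parses and show what was exported (subject, issuer,
# validity window, SHA-256 fingerprint) so it can be compared with
# what the node is expected to present.
check_pem() {
  openssl x509 -in "$1" -noout -subject -issuer -dates -fingerprint -sha256
}

# Connect to a Cassandra client port the way opscenterd would and require
# a clean chain verification against the exported PEM. Returns non-zero
# if the node presents a different certificate, an expired one, or a
# chain the PEM cannot validate, i.e. the cases behind SSLVerifyException.
verify_against_node() {
  pem="$1"; host="$2"; port="$3"
  openssl s_client -connect "$host:$port" -CAfile "$pem" </dev/null 2>/dev/null |
    grep -q 'Verify return code: 0 (ok)'
}

# Usage (placeholders):
#   export_cert_pem /etc/dse/keystore node1 changeit /etc/opscenter/node.pem
#   check_pem /etc/opscenter/node.pem
#   verify_against_node /etc/opscenter/node.pem cassandra-node1 9160 \
#     && echo "chain verifies" || echo "chain does NOT verify"
```

Run the same `verify_against_node` check on every node from the OpsCenter host, since the answer notes the PEM must be present locally wherever it is used.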