When you enable SSL for server and client communication with a Cassandra host, the host needs additional configuration before the local command-line client for Cassandra Query Language (cqlsh) can be used.

Repeat the following steps on every Cassandra node that you want to join to a cluster and on which you want to use cqlsh.

Procedure

  1. Import the Cassandra keystore into a new PKCS12 keystore.
    keytool -importkeystore \
    -srckeystore /etc/cassandra/conf/.keystore \
    -srcstorepass source-keystore-password \
    -alias <cass-node-ip-address> \
    -destkeystore /tmp/keystore.p12 \
    -deststorepass destination-keystore-password \
    -deststoretype PKCS12
  2. Extract the certificate from the new PKCS12 keystore.
    openssl pkcs12 \
    -in /tmp/keystore.p12 \
    -nokeys \
    -out /etc/cassandra/conf/CLIENT.cer.pem \
    -passin pass:destination-keystore-password
  3. Extract the certificate key from the new PKCS12 keystore.
    openssl pkcs12 \
    -in /tmp/keystore.p12 \
    -nodes \
    -nocerts \
    -out /etc/cassandra/conf/CLIENT.key.pem \
    -passin pass:destination-keystore-password
  4. Create a ~/.cassandra/cqlshrc file with the following contents:
    [connection]
    hostname = <must be the same as cassandra.yaml listen_address>
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory
    
    
    [ssl]
    certfile = /opt/cassandra/conf/certs/CLIENT.cer.pem
    validate = false
    userkey = /etc/cassandra/conf/CLIENT.key.pem
    usercert = /etc/cassandra/conf/CLIENT.cer.pem

Results

You can now run cqlsh operations on the Cassandra node.
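
A check to run after the procedure, added here as an example and not part of the original documentation: it reads the cqlshrc from step 4 and reports what weakens the TLS setup (validate = false, a key file from step 3 that other users can read, a certificate path that does not exist, the intermediate /tmp/keystore.p12 from step 1 left on disk). The function name audit_cqlsh_tls and the expected key mode of 600 are assumptions of this example.

```python
import configparser
import os
import stat


def audit_cqlsh_tls(cqlshrc_path, leftovers=("/tmp/keystore.p12",)):
    """Return a list of findings for a cqlshrc [ssl] section and the files it names."""
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(os.path.expanduser(cqlshrc_path)):
        return ["cqlshrc not found or unreadable: %s" % cqlshrc_path]
    findings = []

    # cqlsh validates the server certificate against certfile unless
    # validate is set to false.
    if not cfg.getboolean("ssl", "validate", fallback=True):
        findings.append("validate=false: server certificate is not verified")

    # Step 3 uses -nodes, so the key is written unencrypted and the file
    # mode is its only protection (600 is this example's assumption).
    key_path = cfg.get("ssl", "userkey", fallback=None)
    if key_path:
        try:
            mode = stat.S_IMODE(os.stat(key_path).st_mode)
            if mode & 0o077:
                findings.append("userkey %s has mode %o; expected 600 or stricter"
                                % (key_path, mode))
        except OSError as exc:
            findings.append("userkey %s cannot be checked: %s" % (key_path, exc))

    # Paths in [ssl] must match where steps 2 and 3 wrote the PEM files.
    for name in ("certfile", "usercert"):
        path = cfg.get("ssl", name, fallback=None)
        if path and not os.path.isfile(path):
            findings.append("%s points to a missing file: %s" % (name, path))

    # The intermediate PKCS12 keystore from step 1 also holds the private key.
    for path in leftovers:
        if os.path.exists(path):
            findings.append("intermediate keystore still present: %s" % path)
    return findings


if __name__ == "__main__":
    for finding in audit_cqlsh_tls("~/.cassandra/cqlshrc"):
        print("WARN", finding)
```

An empty list means none of these conditions were found; the check does not confirm that the certificate and key belong together.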