LDAP

If you require LDAP authentication, you must also select the SSL connection type so that the connection to the DSE nodes is encrypted. A keystore holds the client certificate and its private key; a truststore holds the certificate authority (CA) certificate used to verify the server.

There are three ways to use the Java Keystore (JKS) files:

  1. Keystore only: if the server does not require a truststore, the application assumes that the client certificate is also the certificate authority. It reads the client certificate and key from the keystore and uses that certificate as the CA.
  2. Truststore only: if the server does not require a client certificate but does require a truststore, the application takes only the certificate authority from the truststore and connects without a client certificate and key.
  3. Both keystore and truststore: if the server requires both, the application takes the certificate authority from the truststore, plus the client certificate and key from the keystore.

Alternatively, you may use PEM files exported from the keystore and truststore (see the conversion procedure at the end of this page).

The application assumes that a Java JDK is installed and that the JAVA_HOME environment variable points at the folder where Java was installed. Java 8 is recommended.

The module that reads (decrypts) the JKS uses the following lookup order to find the Java home directory:

  1. Check the JAVA_HOME environment variable.
  2. On Windows, query the registry.
  3. If neither of the previous methods worked, scan the PATH for javac.
  4. On macOS, the parent directory of javac is checked for a java_home binary. If that binary exists, it is executed and its output is used.
  5. Otherwise the grandparent directory of the resolved javac is used, which is similar to $(dirname $(dirname $(readlink $(which javac)))).
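The lookup order above, as an added POSIX-shell example (not Hackolade's own code). It omits the Windows registry step, which has no shell equivalent, and resolves symlinks so that a javac reached through a link (for example a distribution's /usr/bin/javac) still yields the real JDK directory rather than the directory of the link. The function names resolve_path and find_java_home are this example's own.

```shell
#!/bin/sh
# Added example, not Hackolade's code: find the JDK directory the way the
# lookup order on this page describes, minus the Windows registry step.

# resolve_path FILE: follow symlinks (relative or absolute) until the real
# file is reached, then print its normalized absolute path.
resolve_path() {
    p=$1
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;                       # absolute link target
            *)  p=$(dirname "$p")/$t ;;       # relative to the link's directory
        esac
    done
    # cd + pwd -P removes any "..", "." and remaining symlinked directories
    printf '%s/%s\n' "$(cd "$(dirname "$p")" && pwd -P)" "$(basename "$p")"
}

# find_java_home: print the Java home directory, or fail if none is found.
find_java_home() {
    # 1. An explicit JAVA_HOME that points at an existing directory wins.
    if [ -n "${JAVA_HOME:-}" ] && [ -d "$JAVA_HOME" ]; then
        printf '%s\n' "$JAVA_HOME"
        return 0
    fi
    # 2. (Windows registry lookup: not applicable in a POSIX shell.)
    # 3. Scan the PATH for javac.
    javac=$(command -v javac 2>/dev/null) || return 1
    javac=$(resolve_path "$javac")
    bindir=$(dirname "$javac")
    # 4. On macOS a java_home helper next to javac knows the real location.
    if [ "$(uname -s)" = Darwin ] && [ -x "$bindir/java_home" ]; then
        "$bindir/java_home"
        return 0
    fi
    # 5. Otherwise the JDK is the grandparent of the resolved javac.
    dirname "$bindir"
}
```

Run it as `sh find_java_home.sh` with a final line `find_java_home` appended, or source the file and call the function; step 5 is what makes a value such as /usr/lib/jvm/java-8-openjdk-amd64 come out when PATH only contains /usr/bin/javac.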

Accessing the keystore 

Specify the path and filename of the keystore, its password, and the alias of the entry for the Cassandra instance.


The alias name is mandatory. If you don't know it, you can find it with the following command:

keytool -v -list -keystore <jks file>

The alias appears in the "Alias name" field of each entry. If no alias was set when the entry was created, use keytool's default alias "mykey".

Accessing the truststore

If the server requires it, you may also declare the truststore parameters: the path and filename of the truststore and its password.

For more information, consult the keytool documentation.

Accessing both the keystore and the truststore

Enter both the keystore parameters and the truststore parameters described in the two sections above.

Convert the keystore and truststore into PEM keys

Assuming the following Cassandra server configuration in cassandra.yaml (require_client_auth: true means the server verifies a client certificate, so the client needs both a keystore and a truststore):

client_encryption_options:
  enabled: true
  keystore: keystore.jks
  keystore_password: *******
  truststore: truststore.jks
  truststore_password: ******
  require_client_auth: true

  1. Install java if you don't have it: https://www.java.com/en/download/
  2. Install openssl: https://wiki.openssl.org/index.php/Binaries
    1. Linux: sudo apt-get install openssl
    2. MacOS: brew install openssl
    3. Windows: https://slproweb.com/products/Win32OpenSSL.html
  3. Find out alias used by keystore

Run the following command to find out which alias the keystore uses:

> keytool -v -list -keystore keystore.jks

where keystore.jks is the Java keystore file granting access to the Cassandra instance. The alias is shown in the "Alias name" field of the entry.

  4. Generate the PKCS#12 file

> keytool -importkeystore -srckeystore keystore.jks -destkeystore myapp.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

keystore.jks - the Java keystore file granting access to the Cassandra instance

myapp.p12 - intermediate PKCS#12 file containing the client certificate and private key

myapp-dev - the alias used by the keystore, as determined in step 3 above

  5. Export the CA certificate from the truststore

> keytool -importkeystore -srckeystore truststore.jks -destkeystore trust.p12 -srcalias myapp-dev -srcstoretype jks -deststoretype pkcs12

Here the alias must be the one under which the CA certificate is stored in truststore.jks (check it with keytool -v -list -keystore truststore.jks); it is frequently different from the keystore alias.

  6. Generate the .pem files

> openssl pkcs12 -in myapp.p12 -nokeys -out myapp.pem

> openssl pkcs12 -in trust.p12 -nokeys -out ca.pem

> openssl pkcs12 -in myapp.p12 -nodes -nocerts -out myapp.key

openssl prompts for the password of each .p12 file. The -nodes option writes the private key to myapp.key unencrypted, so restrict the file's permissions and keep it out of version control.

  7. Use the generated files in Hackolade:

"Certificate Authority": ca.pem

"Client Certificate": myapp.pem

"Client Private Key": myapp.key
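The conversion procedure above, together with the checks worth running before entering the paths in Hackolade, as an added shell example (not Hackolade's own tooling). It builds a throwaway self-signed keystore and truststore as constructed test data (alias myapp-dev in the keystore, myapp-ca in the truststore, password changeit), performs steps 4 and 6 as written on this page, replaces step 5 with a direct keytool -exportcert -rfc export (which writes PEM without an intermediate trust.p12), and then verifies that myapp.key matches myapp.pem and that ca.pem validates the client certificate. The function names are this example's own; keytool and openssl must be on the PATH.

```shell
#!/bin/sh
# Added example, not Hackolade's own tooling: export a JKS keystore and
# truststore to the three PEM files the UI asks for, then prove they belong
# together. Needs keytool and openssl on the PATH. All names and the password
# used below are constructed test values.
set -e

# jks_to_pem KEYSTORE KS_ALIAS TRUSTSTORE TS_ALIAS PASSWORD OUTDIR
# Writes OUTDIR/myapp.pem (client certificate), OUTDIR/myapp.key (private key,
# unencrypted) and OUTDIR/ca.pem (CA certificate). Assumes one password for
# both stores and for the key entry.
jks_to_pem() {
    ks=$1; ks_alias=$2; ts=$3; ts_alias=$4; pass=$5; out=$6
    mkdir -p "$out"
    # Step 4: copy the client entry from JKS into a PKCS#12 file.
    keytool -importkeystore -noprompt \
        -srckeystore "$ks" -srcstoretype jks -srcstorepass "$pass" -srcalias "$ks_alias" \
        -destkeystore "$out/myapp.p12" -deststoretype pkcs12 -deststorepass "$pass"
    # Step 6: split the PKCS#12 into the client certificate and the private key.
    # -clcerts keeps only the client certificate (no CA chain) in myapp.pem;
    # -nodes writes the key unencrypted, so lock the file down immediately.
    openssl pkcs12 -in "$out/myapp.p12" -passin "pass:$pass" -nokeys -clcerts -out "$out/myapp.pem"
    openssl pkcs12 -in "$out/myapp.p12" -passin "pass:$pass" -nocerts -nodes -out "$out/myapp.key"
    chmod 600 "$out/myapp.key"
    # Step 5, shortened: a trusted-certificate entry can be written as PEM
    # directly with -exportcert -rfc; no intermediate trust.p12 is needed.
    keytool -exportcert -rfc -keystore "$ts" -storepass "$pass" -alias "$ts_alias" -file "$out/ca.pem"
}

# verify_pem OUTDIR: the two checks worth running before entering the paths
# in Hackolade. Returns 0 only if both pass.
verify_pem() {
    out=$1
    # The certificate and the private key must carry the same public key.
    cert_pub=$(openssl x509 -in "$out/myapp.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$out/myapp.key" -pubout)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    # ca.pem must actually be the trust anchor of the client certificate.
    openssl verify -CAfile "$out/ca.pem" "$out/myapp.pem" >/dev/null
}

# make_test_stores DIR PASSWORD: constructed fixture. The client certificate is
# self-signed, so it is also the CA (mode 1 on this page); the truststore holds
# that same certificate under a different alias, as a real truststore would.
make_test_stores() {
    dir=$1; pass=$2
    mkdir -p "$dir"
    keytool -genkeypair -keystore "$dir/keystore.jks" -storetype jks \
        -storepass "$pass" -keypass "$pass" -alias myapp-dev \
        -keyalg RSA -keysize 2048 -validity 1 -dname "CN=myapp-dev,O=example" 2>/dev/null
    keytool -exportcert -keystore "$dir/keystore.jks" -storepass "$pass" \
        -alias myapp-dev -file "$dir/client.der" 2>/dev/null
    keytool -importcert -noprompt -keystore "$dir/truststore.jks" -storetype jks \
        -storepass "$pass" -alias myapp-ca -file "$dir/client.der" 2>/dev/null
}

# Usage: sh jks_to_pem.sh demo   (runs the whole flow in a temporary directory)
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_test_stores "$tmp" changeit
    jks_to_pem "$tmp/keystore.jks" myapp-dev "$tmp/truststore.jks" myapp-ca changeit "$tmp/out"
    verify_pem "$tmp/out" && echo "PEM files verified in $tmp/out"
fi
```

For real stores, call jks_to_pem with your own file names, the keystore alias from step 3 and the truststore alias from keytool -v -list. If openssl pkcs12 reports an unsupported algorithm under OpenSSL 3 when reading a .p12 written by an older JDK, add -legacy to the two openssl pkcs12 commands.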