Hi Shaurya,

On Tue, Nov 9, 2021 at 11:57 PM Shaurya Gupta <shaurya.n...@gmail.com> wrote:

> Hi,
>
> We want to enable node-to-node SSL on a live cluster. Could it be done
> without any downtime?

Yup, this is definitely doable for both internode and client connections. You will have to bounce your cassandra nodes, but you should be able to achieve this operation without any downtime. See server_encryption_options in cassandra.yaml (https://cassandra.apache.org/doc/4.0/cassandra/configuration/cass_yaml_file.html#server_encryption_options).

> Would the nodes which have been restarted be able to communicate with the
> nodes which have not yet come up and vice versa?

The idea would be to:

1. Set optional to true in server_encryption_options and bounce the cluster safely into it. As nodes come up, they will first attempt to connect to other nodes via ssl, and fall back on the unencrypted storage_port.
2. Once you have bounced the entire cluster once, switch optional to false and then bounce the cluster again.

Before 4.0, a separate port (ssl_storage_port) was used for connecting with internode via ssl. In 4.0, storage_port can be used for both unencrypted and encrypted connections, and enable_legacy_ssl_storage_port can be used to maintain ssl_storage_port. Once the entire cluster is on 4.0 you can set this option to false so storage_port is used over ssl_storage_port.

One important thing to point out is that prior to C* 4.0, Cassandra does not hot reload keystore changes, so whenever you update the certificates in your keystores (e.g. to avoid your certificates expiring) you would need to bounce your cassandra instances. See https://cassandra.apache.org/doc/4.0/cassandra/operating/security.html#ssl-certificate-hot-reloading for an explanation of how that works.

Thanks,
Andy

>
> Regards
> --
> Shaurya Gupta
>
>
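To make the two-phase rollout described above concrete, here is an added cassandra.yaml fragment (not taken from this thread or from the Cassandra project's shipped defaults) showing the server_encryption_options block as it would look in each phase on a 4.0 cluster. The keystore and truststore paths and passwords are placeholders to be replaced with your own; the option names are the real 4.0 keys.

```yaml
# ---- Phase 1: transitional ----------------------------------------------
# Applied to every node, followed by one rolling restart. Restarted nodes
# try TLS on storage_port first and fall back to plaintext for peers that
# have not been restarted yet, so the ring stays fully connected.
server_encryption_options:
    internode_encryption: all
    # Allow plaintext AND TLS on storage_port while the cluster is mixed.
    optional: true
    # Not upgrading from 3.x here, so no separate ssl_storage_port listener.
    enable_legacy_ssl_storage_port: false
    keystore: /etc/cassandra/certs/node.keystore.jks      # placeholder path
    keystore_password: CHANGE_ME_KEYSTORE_PASSWORD        # placeholder
    truststore: /etc/cassandra/certs/cluster.truststore.jks  # placeholder path
    truststore_password: CHANGE_ME_TRUSTSTORE_PASSWORD    # placeholder
    # Peers must present a certificate chained to the truststore.
    require_client_auth: true
    protocol: TLS

# ---- Phase 2: enforced --------------------------------------------------
# Applied only after every node has completed phase 1, followed by a second
# rolling restart. From here on plaintext internode connections are refused.
server_encryption_options:
    internode_encryption: all
    optional: false
    enable_legacy_ssl_storage_port: false
    keystore: /etc/cassandra/certs/node.keystore.jks      # placeholder path
    keystore_password: CHANGE_ME_KEYSTORE_PASSWORD        # placeholder
    truststore: /etc/cassandra/certs/cluster.truststore.jks  # placeholder path
    truststore_password: CHANGE_ME_TRUSTSTORE_PASSWORD    # placeholder
    require_client_auth: true
    protocol: TLS
```

The only difference between the two phases is `optional`; everything else, including the keystore contents, should already be in place before the first restart so that no node ever comes up unable to complete a TLS handshake with an already-converted peer. On a cluster that is still moving from 3.x, set `enable_legacy_ssl_storage_port: true` during the upgrade so the old ssl_storage_port listener remains available, and flip it to false once every node runs 4.0.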