Cassandra provides several security features to secure data in transit and at rest when using Cassandra in the cloud. These include:
1. Securing data in motion with SSL/TLS for internode communication and client-server communication, and supporting SSL with the Spark Cassandra connector.
2. Securing data at rest with transparent data encryption (TDE).
3. Authentication and authorization support.
4. Additional features like network security groups, CQLSH SSL connections, and data auditing.
The document outlines the steps to configure SSL for internode and client communication, including generating certificates, distributing keys, and configuring the cassandra.yaml file. It also discusses transparent data
In the rush to release a new product or a new version, or simply to get things working, security can sometimes be an afterthought. In this talk, Ben Bromhead, CTO of Instaclustr, will explore the various ways in which you can set up and secure Cassandra appropriately for your threat environment.
This document summarizes how to connect to and query a Cassandra database using the Java driver. It covers connecting to a Cassandra cluster, executing DDL and DML statements, performing synchronous and asynchronous queries, using prepared statements, the query builder, tracing queries, and configuring load balancing policies.
JavaFest. Nanne Baars. Web application security for developers (FestGroup)
Security is an important topic for developers, yet it is often an afterthought in a project. This presentation focuses on practices developers need to be aware of, and aims to make security fun again. It is an in-depth talk on 10 topics, not an overview of security best practices.
Training Slides: 302 - Securing Your Cluster With SSL (Continuent)
This document discusses securing a Tungsten cluster with SSL. It explains what SSL is and why it is used. It then covers deploying SSL for cluster communications and for the Tungsten connector. For the cluster, SSL is enabled in tungsten.ini and certificates are generated and distributed. For the connector in proxy mode, MySQL certificates must be imported into keystores and SSL configured from the connector to the database. SSL can also be configured from the application to the connector. Successful SSL encryption is verified using tcpdump and checking the Tungsten connection status. The next steps will cover the Tungsten dashboard.
Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates?
In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS are, we'll dive into public/private keys and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & tricks, as well as demos.
Attend this session to become "that one colleague"!
Toni de la Fuente - Automate or die! How to survive to an attack in the Cloud... (RootedCON)
Incident response and forensic procedures differ in the cloud from those performed in traditional, on-premises environments. We will look at the differences between traditional digital forensics and forensics of systems in the AWS, Azure or Google Compute Platform clouds. In the cloud, in a fully virtual environment, we face challenges that differ from the traditional world. What used to be hardware is now software. With cloud infrastructure providers we work with APIs: we create, delete or modify any resource with a call to their API. We have load balancers, servers, routers, firewalls, databases, WAFs, encryption systems and many more resources without opening a box or touching a cable, all from the command line. This is what we know as infrastructure as code. If you can program it, you can automate it. How can we take advantage of this from the point of view of incident response, forensics or even automated hardening?
This document discusses SSL/TLS and certificate authorities. It provides background on how public/private key encryption and digital signatures work. It describes the SSL/TLS handshake process and issues that can occur with validating certificates if they are not properly signed by a trusted certificate authority. It discusses the DigiNotar security breach in 2011 where unauthorized certificates were issued, compromising trust in that certificate authority. It provides tips on debugging SSL/TLS issues in Java applications and with openssl/curl.
This document provides instructions for integrating FreeRadius with Novell eDirectory to enable wireless authentication. It describes installing and configuring Novell OES Linux, applying necessary patches, installing FreeRadius and the RADIUS plugin for iManager, extending the eDirectory schema, generating certificates, and configuring FreeRadius, eDirectory, and clients. The goal is to set up wireless authentication against an eDirectory user directory using FreeRadius as the RADIUS server.
BSides Portland - Attacking Azure Environments with PowerShell (Karl Fosaaen)
For a multitude of reasons, many organizations are moving their operations to the cloud. Along with this, many organizations are introducing old vulnerabilities in new ways. As one of the top cloud providers, Microsoft Azure has had significant adoption and continues to grow in market share. As part of this increase in adoption, there has also been an increase in demand for security testing of Azure environments. Given the blended nature of hosted services, PaaS, and virtual infrastructure, it can be difficult to get a handle on how to properly secure these environments. Reviewing Azure environments can also be time consuming given the lack of automated tools for dumping configuration information.
MicroBurst is a set of PowerShell tools that helps automate the processes of dumping and reviewing Microsoft Azure configurations. This talk will go over the ways that pen testers and defenders can use MicroBurst to dump out the configuration information for an Azure environment, and identify common configuration issues. Security testers will benefit from the speed of dumping environment credentials for pivoting, listing out publicly available services and files, and enumerating additional targets for phishing and password guessing attacks. As an added bonus, defenders can also use these tools to audit their environment for weak spots.
The document discusses the Web Crypto API which allows cryptographic operations like hashing, signatures, and encryption/decryption to be performed in web applications. It covers the SubtleCrypto interface which provides cryptographic algorithms and methods. Some key methods include importKey, deriveKey, encrypt, and decrypt. It also discusses concepts like symmetric keys, AES-GCM encryption, PBKDF2 key derivation, and storing encrypted data with salts and initialization vectors. An example is provided of encrypting and decrypting data with a password using these Web Crypto API methods.
This document provides instructions for a tutorial on installing and configuring MySQL Cluster 8.0 on a VirtualBox virtual machine. It describes importing a pre-configured VM appliance, then creating directory structures and configuration files to set up a MySQL Cluster with one management node, four data nodes, and three MySQL server nodes for testing high availability features.
Slides: Introducing the new ClusterControl 1.2.9 - with live demo (Severalnines)
Highlights of ClusterControl 1.2.9 include:
Support for PostgreSQL Servers
Advanced HAProxy Configurations and Built-in Stats
Hybrid Replication with Galera Clusters
Galera Replication Traffic Encryption
Encrypted Communication between ClusterControl and MySQL-based systems
Query Deadlock Detection in MySQL-based systems
Bootstrap Galera Cluster
Restore of Backups
New UI theme
RPC interface to ClusterControl
Chef Recipe and Puppet Manifest for ClusterControl
Zabbix Plugin for ClusterControl
This document is a project submission sheet for a cloud security project completed by students Gaurav Lakhani and Jitendra Kumar Sharma for their M.Sc in Cloud Computing program. It details their approach to securing a hybrid cloud infrastructure consisting of a VMware private cloud and an Amazon Web Services public cloud. Their security implementation involved securing the hypervisor, guest operating systems, network, and public cloud components. They used the AS/NZS 4360 risk management standard and performed various tests using tools like Nmap and Nikto to evaluate the security of the infrastructure and identify any vulnerabilities. Their outcome was a conclusion that both built-in platform security features and third-party tools are needed to fully secure a cloud environment.
This document describes a ransomware attack where all files on the victim's computer have been encrypted. To decrypt the files, the victim must obtain a private key from a secret server online within 30 days. The document provides instructions for accessing the server using Tor browser and entering a unique code to retrieve the private key and decryptor. It warns against using any third party decryptors that may further damage the encrypted files.
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked, now what?
DataStax Enterprise clients, such as CQLSH or Hadoop- and Spark-based applications, can be precisely configured to achieve the desired behaviour. For a basic use case we just run a dedicated DSE command and do not care how all of those pieces are set up to work together, leveraging the goodness of DSE. However, understanding where and what we need to modify to achieve the expected change in configuration is essential for using DSE efficiently. In this presentation we go through the basic and advanced settings for client applications, including security features, limitations, and the DSE patches introduced into the integrated Spark. We show the new tools which significantly simplify the configuration of external DSE installations that are used only for accessing a DSE cluster in client mode. Finally, we conclude with hints for configuring the Spark driver from scratch in order to use it in a web application, when running the program through DSE scripts is not feasible.
About the Speaker
Jacek Lewandowski Software engineer, DataStax
Jacek Lewandowski is a software engineer with 13 years of experience. Initially a full-stack developer, he worked as a consultant and trainer for different companies. Since 2011 he has been using Cassandra as an alternative to SQL in various applications. He is passionate about distributed algorithms, graphs and functional programming in Scala. He is a part-time assistant professor popularizing the Cassandra database among students and researchers, and has worked on the DataStax Analytics team for over 2 years.
The document discusses securing Cassandra and DataStax Enterprise. It begins by defining security concepts like confidentiality, integrity, availability, authentication, and authorization. It then discusses specific security features of DataStax Enterprise like access controls, authentication, authorization, backups, auditing, encryption of data in transit and at rest, and the partnership with Vormetric for enhanced encryption capabilities. The document emphasizes that security is a process, not just implementing technical controls, and provides examples of major data breaches to emphasize the importance of security.
Space ship depots continue to come online, with launches to the Moon occurring daily. The moon bases have been stabilized, and humans are beginning to settle in.
Not surprisingly, many island nations fared better than expected during the outbreak. Their isolation could be very valuable if we face a third round of infection before the earth has been evacuated. We need to get them back on the grid as soon as possible. Japan, Madagascar, and Iceland are first on the list for building infrastructures. Local teams have managed to get some equipment, but all you'll have to start with is one repository and blank hardware. As we've learned while building the depots, travel is dangerous and difficult. You will need to create your infrastructure in a lab first, to ensure it will be able to be quickly deployed by a local team. Once the process has been deemed successful, we will establish a satellite link to the islands to get everything we need to the local repositories.
This procedure for archive-to-cloud builds on the techniques used for copy-to-tape. The difference is that it sends backups to cloud repositories for longer term storage. This procedure includes configuring a credential wallet to store TDE master keys, because backups are encrypted before they are archived to a cloud repository. The initial configuration tasks are performed in the Oracle Key Vault to prepare the wallet. At the end, a job template is created and run for archive-to-cloud.
A list of the OpenSSL and keytool commands used to check or generate a CSR, a self-signed certificate and a private key, and to convert CSRs and certificates between formats, etc.
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault (Jeff Horwitz)
Presented to the Philly DevOps Meetup November 29, 2016.
Managing secrets is hard. It’s even harder in the cloud. At Jornaya (formerly LeadiD), we chose Hashicorp Vault to manage our secrets in AWS, and I’d like to share our experience with everyone.
The document summarizes an SSL demonstration done by the MaxQDPro team. It discusses using the keytool utility to generate certificates for secure communication between a client and server. It also describes running an SSL server with the generated keystore and running an SSL client with the truststore to validate the secure connection. The demonstration was developed in Eclipse IDE using JSSE, JCE, and Bouncy Castle libraries for PKI and certificate management.
The document discusses implementing security for an Elasticsearch cluster using X-Pack. It begins by describing the existing insecure state where all users can access all indices. It then covers installing and configuring X-Pack to enable authentication and role-based access control. Examples are provided of creating custom roles for specific users to restrict access to only certain indices, enforcing security. Auditing is also configured to log authentication and access events.
1. The document outlines a security strategy for an Elasticsearch cluster using X-Pack to implement role-based access control (RBAC).
2. It creates new roles ("filebeat_admin" and "logstash_admin") and users ("charan" and "vasu") with curl commands to restrict access to specific indices.
3. The results show that the new roles and users have the appropriate access levels to their designated indices while being restricted from other indices, demonstrating the implementation of the desired security state.
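The role and user setup summarized above, as an added example that is not code from the original document: it builds the X-Pack security API request bodies for an index-restricted role and a user, applies them with curl, and then checks the negative case as the new user. The role name filebeat_admin and the user charan come from the summary; the index pattern filebeat-*, the privilege set, the ES_URL/ES_ADMIN/ES_CA variables and the 7.x-style /_security paths (6.x used /_xpack/security) are assumptions. The HTTP calls run only when ES_URL is set, so the definitions can be inspected offline.

```shell
# Added example, not code from the document summarized above. Builds the
# X-Pack security API bodies for an index-restricted role and a user, applies
# them with curl, and checks the negative case as that user. Role filebeat_admin
# and user charan are from the summary; the index pattern, privilege set,
# ES_URL/ES_ADMIN/ES_CA and the 7.x+ /_security paths (6.x: /_xpack/security)
# are assumptions. HTTP calls only run when ES_URL is set.
set -eu

# Role with index privileges only: no cluster privileges, and nothing on
# indices outside the pattern, which is the restriction the summary describes.
es_role_json() {                 # $1 = index pattern, $2 = comma-separated privileges
  local privs; privs=$(printf '"%s"' "$2" | sed 's/,/","/g')
  printf '{"cluster":[],"indices":[{"names":["%s"],"privileges":[%s]}]}' "$1" "$privs"
}
es_user_json() {                 # $1 = password, $2 = role name
  printf '{"password":"%s","roles":["%s"]}' "$1" "$2"
}
es_has_priv_json() {             # $1 = index pattern, $2 = privilege
  printf '{"index":[{"names":["%s"],"privileges":["%s"]}]}' "$1" "$2"
}

es_put() {                       # $1 = user:pass, $2 = path, $3 = JSON body
  curl -sS --fail --cacert "$ES_CA" -u "$1" -H 'Content-Type: application/json' \
    -X PUT "$ES_URL$2" -d "$3"
}

es_apply() {                     # $1 = role, $2 = index pattern, $3 = user, $4 = password
  es_put "$ES_ADMIN" "/_security/role/$1" "$(es_role_json "$2" read,view_index_metadata)"
  es_put "$ES_ADMIN" "/_security/user/$3" "$(es_user_json "$4" "$1")"
  # Ask, as the new user, whether it may read an index outside its pattern.
  # has_all_requested must be false; anything else means the role is too wide.
  curl -sS --fail --cacert "$ES_CA" -u "$3:$4" -H 'Content-Type: application/json' \
    -X POST "$ES_URL/_security/user/_has_privileges" -d "$(es_has_priv_json 'logstash-*' read)" \
    | grep '"has_all_requested":false' >/dev/null && echo "ok: $3 cannot read logstash-*"
}

if [ -n "${ES_URL:-}" ]; then
  es_apply filebeat_admin 'filebeat-*' charan "${CHARAN_PASS:?set CHARAN_PASS}"
else
  es_role_json 'filebeat-*' read,view_index_metadata; echo
fi
```

Run with ES_URL, ES_ADMIN (an elastic superuser, user:password), ES_CA (the cluster CA) and CHARAN_PASS set; the final has_privileges call is the check the summary's "results" step describes, done as the restricted user rather than as the admin.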
SSL Implementation - IBM MQ - Secure Communications (nishchal29)
Presents the basics of SSL/TLS and the use of the SSL protocol to secure IBM MQ channels: secure communications between two queue managers with various test cases, between an application and a queue manager, errors, and certificate renewal.
Seattle C* Meetup: Hardening cassandra for compliance or paranoia (zznate)
Details how to secure Apache Cassandra clusters. Covers client to server and server to server encryption, securing management and tooling, using authentication and authorization, as well as options for encryption at rest.
This document discusses securing Cassandra for compliance or paranoia. It covers encrypting data at rest and on the wire, authentication and authorization, and securing management tools like JMX. Encrypting data at rest can be done with options like dm-crypt, Vormetric, or DSE encryption. Node-to-node SSL is recommended to encrypt data on the wire. Role-based access control in Cassandra 2.2 provides authentication and authorization. Securing JMX involves SSL and password-based authentication.
Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization and securing JMX and management tools
Hardening cassandra for compliance or paranoia (zznate)
Cassandra at-rest encryption, inter-node communication encryption, client-server communication encryption, authentication, authorization, and securing JMX management were discussed. The document provided guidance on implementing encryption at rest using commercial and open source options, setting up SSL for inter-node and client-server communication using self-signed certificates, implementing authentication and authorization best practices borrowed from RDBMSs, and securing JMX access.
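Securing JMX as these two summaries describe (SSL plus password authentication), as an added example that is not code from either deck: a shell fragment that writes the JDK password and access files Cassandra's JMX agent reads, gives a monitoring account read-only access, and prints the cassandra-env.sh JVM options that turn on authentication and SSL for port 7199. The directory, account names, keystore paths and the placeholder store password are assumptions; the property names are the JDK's own com.sun.management.jmxremote.* settings.

```shell
# Added example, not code from the deck summarized above. Writes the JDK
# password/access files that Cassandra's JMX agent reads, gives a monitoring
# account read-only access, and prints the cassandra-env.sh options that turn
# on authentication and SSL for port 7199. Directory, account names, store
# paths and the placeholder store password are hypothetical.
set -eu

# Password file: "<user> <password>" per line; access file: "<user> readonly|readwrite".
# The JVM refuses to start if the password file is readable by anyone but its owner.
jmx_write_auth_files() {          # $1 = dir, $2 = admin password, $3 = monitor password
  umask 077
  mkdir -p "$1"
  printf 'cassandra %s\nmonitor %s\n' "$2" "$3" > "$1/jmxremote.password"
  printf 'cassandra readwrite\nmonitor readonly\n' > "$1/jmxremote.access"
  chmod 400 "$1/jmxremote.password" "$1/jmxremote.access"
}

# Options to append to cassandra-env.sh. Later -D flags override the ones the
# stock file sets, but LOCAL_JMX=no must be in the environment (or near the top
# of the file) before its JMX section runs, since that is what opens the port
# to the network; only do that once the options below are in place.
jmx_jvm_opts() {                  # $1 = auth dir, $2 = keystore, $3 = store pw, $4 = truststore
  cat <<EOF
# LOCAL_JMX=no (set before the JMX section of cassandra-env.sh is evaluated)
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=$1/jmxremote.password"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=$1/jmxremote.access"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="\$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.keyStore=$2 -Djavax.net.ssl.keyStorePassword=$3"
JVM_OPTS="\$JVM_OPTS -Djavax.net.ssl.trustStore=$4 -Djavax.net.ssl.trustStorePassword=$3"
EOF
}

JMX_DIR=$(mktemp -d)              # in production: /etc/cassandra, owned by the cassandra user
jmx_write_auth_files "$JMX_DIR" "$(openssl rand -base64 18)" "$(openssl rand -base64 18)"
jmx_jvm_opts "$JMX_DIR" /etc/cassandra/conf/node.p12 "${JMX_STORE_PASS:-changeit}" \
  /etc/cassandra/conf/truststore.p12
```

Check it from another host with nodetool --ssl -u monitor -pw '<password>' status, with ~/.cassandra/nodetool-ssl.properties pointing at the trust store (and, with need.client.auth on, a client key store); a nodetool run without credentials must now be refused, and the monitor account must be unable to run anything that changes state.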
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).DataStax Academy
Security is always at odds with usability, particularly in the context of operations and development. More so when dealing with a distributed system such as Apache Cassandra. In this presentation, we'll walk through the steps required to completely secure a Cassandra cluster to meet most regulatory and compliance guidelines.
Topics will include:
- Encrypting cross-DC traffic
- Different types of at-rest disk encryption options available (and how to tune them)
- Configuring SSL for inter-cluster communication
- Configuring SSL between clients and the API
- Configuring and managing client authentication
Attendees will leave this presentation with the knowledge required to harden Cassandra to meet most guidelines imposed by regulations and compliance.
Pulsar Summit Asia - Running a secure pulsar clusterShivji Kumar Jha
This document provides an overview of securing Apache Pulsar. It discusses securing the different cluster components like Zookeeper, Bookkeeper and brokers. It describes how to enable TLS for securing communication between these components. It also covers setting up TLS, keystores and truststores for brokers and clients. The document references Pulsar and Zookeeper documentation for more details on configuring security.
This document provides an overview of using the Java Secure Socket Extension (JSSE) to enable secure socket communication in Java applications. It discusses key topics like the Java Cryptography Architecture (JCA), public-key cryptography, certificates, and the SSL/TLS handshake protocol. The goal of the tutorial is to provide instructions for configuring and using JSSE to encrypt client-server applications.
This document provides steps to enable SSL/HTTPS for an Elasticsearch server. It involves generating certificates, configuring Elasticsearch, and enabling TLS for both transport and HTTP layers. The process includes generating a CA certificate, creating node certificates signed by the CA, editing the Elasticsearch configuration file, and restarting Elasticsearch to enable HTTPS.
WebLogic in Practice: SSL ConfigurationSimon Haslam
The document provides an overview of SSL configuration in Oracle WebLogic Server. It discusses key SSL concepts like key pairs, certificates, and certificate authorities. It describes how WebLogic uses Java keystores for identity and trust, and the tools like keytool and orapki that can be used to manage keys and certificates. The document also covers best practices for SSL configuration in WebLogic like always enabling hostname verification and not using demo certificates in production.
Hashicorp Vault: Open Source Secrets Management at #OPEN18Kangaroot
HashiCorp Vault secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing. We'll show how this works.
The document discusses SSL/TLS (Secure Sockets Layer/Transport Layer Security), which are cryptographic protocols that provide secure communication over the internet. It covers SSL/TLS concepts like handshaking, encryption, authentication. It also describes JSSE (Java Secure Socket Extension), the Java implementation of SSL/TLS, including its architecture, classes and configuration. The document provides references for further reading on SSL/TLS and JSSE.
From Java 17 to 21, the JDK made several security enhancements, including:
1) Using larger key sizes by default for cryptographic algorithms like AES, ECDSA, and DH to improve resilience against attacks.
2) Adding support for post-quantum cryptography algorithms like HSS/LMS signature verification.
3) Restricting or disabling weak algorithms like SHA-1, 3DES, and RC4 by default.
4) Improving security APIs and providing replacements for deprecated ones like the Security Manager and parts of JAAS.
How To Install and Configure Apache SSL on CentOS 7VCP Muthukrishna
This document provides instructions on how to install and configure Apache SSL on CentOS 7. It includes steps to install the httpd package and enable the service, create a self-signed SSL certificate, configure the SSL settings in the Apache configuration file including the certificate and key files, open firewall ports, and validate the SSL configuration. The goal is to securely serve HTTPS traffic from the Apache web server using the newly created SSL certificate.
The shield is a plugin for Elasticsearch that enables you to easily secure an elasticsearch cluster.
Kibana is an open source analytics and visualization platform designed to work with Elasticsearch
Conf2015 d waddle_defense_pointsecurity_deploying_splunksslbestpracticesBrentMatlock
This document provides best practices for securing Splunk configurations with SSL. It discusses Splunk's default SSL posture and the types of communication that can be encrypted with SSL. The document then provides recommendations for enabling SSL for various Splunk components like Splunkweb, forwarders, indexers, the deployment server, and more. It also discusses options for using a commercial or private certificate authority and provides an example SSL-enabled Splunk architecture.
Using SSL/TLS the right way is often a big hurdle for developers. We prefer to have that one colleague perform "something with certificates", because he/she knows how that works. But what if "that one colleague" is enjoying vacation and something goes wrong with the certificates?
In this session we'll take a close look at secure communication at the transport level. Starting with what exactly SSL and TLS is, we'll dive into public/private keys, and signing. We'll also learn what all this has to do with an unfortunate Dutch notary. Of course, there'll be plenty of practical tips & trics, as well as demo's.
Attend this session to become "that one colleague"!
The document provides step-by-step instructions for securing an Apache web server with a thawte digital certificate. It covers generating a private key and certificate signing request, using a test certificate, requesting a trusted certificate from thawte, configuring SSL in Apache, and installing the certificate. The goal is to help users set up encryption and authentication on their website to build customer trust and address security issues.
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
Securing Cassandra involves considering authentication, authorization, encryption, and availability. Authentication involves setting an authenticator like PasswordAuthentication and checking credentials. Authorization controls permissions through an authorizer like CassandraAuthorizer. Encryption can encrypt internode communication and data at rest. Availability requires considering things like resource throttling, system keyspace replication, and denial of service attacks.
The nzhw show command displays the hardware components of the Netezza TwinFin 12 appliance. It shows the key components like the SPUs, disks, disk enclosures, fans, power supplies, and management modules. It provides details on the component ID, location, role, and state. Monitoring these hardware components is important for the health and performance of the Netezza system.
This document describes a monitoring architecture and solution for Kubernetes, Kafka, Cassandra, IoT Hub and Event Hub. It includes:
- A monitoring architecture with agents to monitor the application and data planes, control plane, and collect metrics. Metrics are stored and visualized with Power BI.
- Monitoring of Kafka and Event Hub offset delays to detect issues with application/data services.
- Monitoring of Cassandra client requests, latency, and disk usage to ensure stability.
- Alerts configured for exceptions, Kafka/Event Hub delays, and abnormal resource usage. Alerts are sent by email, Slack, PagerDuty.
- Power BI is used to visualize metrics trends, aggregates and
IoT Device Intelligence & Real Time Anomaly DetectionBraja Krishna Das
-- Real Time Anomaly Detection
-- IoT Device Intelligence
-- Uni Variate and Multi Variate Anomaly Detection
-- Unsupervised Learning Classification from Anomaly Detection
Real Time IoT Device Intelligence & Anomaly detectionBraja Krishna Das
The document discusses real-time anomaly detection and IoT device intelligence. It defines total quality management as continuous improvement cycles and describes statistical process control and pattern recognition as methods for real-time anomaly detection. It also notes that data exploration, which takes up 70% of project time, is the foundation for predictive modeling and IoT device intelligence. Specific examples discussed include using sensor data from HVAC systems and unsupervised learning techniques like binary trees, decision trees, and association rules to classify observations.
This document discusses Azure Event Hub and provides code examples for using the Scala Event Hub API. It first covers Event Hub fundamentals like event producers, consumers, partitions, and capture. It then explains stream processing concepts like stream offsets and checkpointing. Finally, it shows how to use the Scala Event Hub library to publish and consume events, including instantiating clients, sending/receiving messages, and closing connections. Code samples demonstrate publishing messages to a partition and receiving events to write to Kafka.
This document discusses using the Scala API for Azure Service Bus queues. It begins with an overview of Service Bus fundamentals and queues. It then discusses the Scala library dependency for Service Bus and shows code for configuring SAS authentication. Additionally, it demonstrates sending messages to a queue and receiving messages from a queue using the Scala API. The code provided includes functions for configuring authentication, sending messages, and receiving messages in a loop until complete.
This document discusses using the Azure Service Bus Queue API for Scala. It provides an overview of Service Bus fundamentals and queues. It then demonstrates how to configure SAS authentication, send messages to a queue, and receive messages from a queue using the Scala API. Code examples are given to connect to a Service Bus namespace, send brokered messages asynchronously to a queue, and receive messages in a loop with options to delete or lock the messages.
This document discusses integrating a Scala application with Azure Key Vault. It provides 4 steps: 1) Authenticate with Azure Active Directory using client ID and secret, 2) Get an access token from Key Vault, 3) Create a Key Vault client with credentials, and 4) Get a secret value from Key Vault either by identifier or specifying vault URL, secret name, and version. Code examples are given for each step to handle authentication, token retrieval, client creation, and secret retrieval.
The document discusses the Netezza TwinFin 12 appliance hardware components and administration. It describes the key hardware components including snippet blades (SPUs), host servers, and storage arrays. It provides details on monitoring the status of hardware components like the hosts, SPUs, data slices, and disks. It also covers topics like hardware roles, states, storage design, high availability configuration, and system administration functions.
End-to-end pipeline agility - Berlin Buzzwords 2024Lars Albertsson
We describe how we achieve high change agility in data engineering by eliminating the fear of breaking downstream data pipelines through end-to-end pipeline testing, and by using schema metaprogramming to safely eliminate boilerplate involved in changes that affect whole pipelines.
A quick poll on agility in changing pipelines from end to end indicated a huge span in capabilities. For the question "How long time does it take for all downstream pipelines to be adapted to an upstream change," the median response was 6 months, but some respondents could do it in less than a day. When quantitative data engineering differences between the best and worst are measured, the span is often 100x-1000x, sometimes even more.
A long time ago, we suffered at Spotify from fear of changing pipelines due to not knowing what the impact might be downstream. We made plans for a technical solution to test pipelines end-to-end to mitigate that fear, but the effort failed for cultural reasons. We eventually solved this challenge, but in a different context. In this presentation we will describe how we test full pipelines effectively by manipulating workflow orchestration, which enables us to make changes in pipelines without fear of breaking downstream.
Making schema changes that affect many jobs also involves a lot of toil and boilerplate. Using schema-on-read mitigates some of it, but has drawbacks since it makes it more difficult to detect errors early. We will describe how we have rejected this tradeoff by applying schema metaprogramming, eliminating boilerplate but keeping the protection of static typing, thereby further improving agility to quickly modify data pipelines without fear.
Build applications with generative AI on Google CloudMárton Kodok
We will explore Vertex AI - Model Garden powered experiences, we are going to learn more about the integration of these generative AI APIs. We are going to see in action what the Gemini family of generative models are for developers to build and deploy AI-driven applications. Vertex AI includes a suite of foundation models, these are referred to as the PaLM and Gemini family of generative ai models, and they come in different versions. We are going to cover how to use via API to: - execute prompts in text and chat - cover multimodal use cases with image prompts. - finetune and distill to improve knowledge domains - run function calls with foundation models to optimize them for specific tasks. At the end of the session, developers will understand how to innovate with generative AI and develop apps using the generative ai industry trends.
4th Modern Marketing Reckoner by MMA Global India & Group M: 60+ experts on W...Social Samosa
The Modern Marketing Reckoner (MMR) is a comprehensive resource packed with POVs from 60+ industry leaders on how AI is transforming the 4 key pillars of marketing – product, place, price and promotions.
Orchestrating the Future: Navigating Today's Data Workflow Challenges with Ai...Kaxil Naik
Navigating today's data landscape isn't just about managing workflows; it's about strategically propelling your business forward. Apache Airflow has stood out as the benchmark in this arena, driving data orchestration forward since its early days. As we dive into the complexities of our current data-rich environment, where the sheer volume of information and its timely, accurate processing are crucial for AI and ML applications, the role of Airflow has never been more critical.
In my journey as the Senior Engineering Director and a pivotal member of Apache Airflow's Project Management Committee (PMC), I've witnessed Airflow transform data handling, making agility and insight the norm in an ever-evolving digital space. At Astronomer, our collaboration with leading AI & ML teams worldwide has not only tested but also proven Airflow's mettle in delivering data reliably and efficiently—data that now powers not just insights but core business functions.
This session is a deep dive into the essence of Airflow's success. We'll trace its evolution from a budding project to the backbone of data orchestration it is today, constantly adapting to meet the next wave of data challenges, including those brought on by Generative AI. It's this forward-thinking adaptability that keeps Airflow at the forefront of innovation, ready for whatever comes next.
The ever-growing demands of AI and ML applications have ushered in an era where sophisticated data management isn't a luxury—it's a necessity. Airflow's innate flexibility and scalability are what makes it indispensable in managing the intricate workflows of today, especially those involving Large Language Models (LLMs).
This talk isn't just a rundown of Airflow's features; it's about harnessing these capabilities to turn your data workflows into a strategic asset. Together, we'll explore how Airflow remains at the cutting edge of data orchestration, ensuring your organization is not just keeping pace but setting the pace in a data-driven future.
Session in https://budapestdata.hu/2024/04/kaxil-naik-astronomer-io/ | https://dataml24.sessionize.com/session/667627
The Ipsos - AI - Monitor 2024 Report.pdfSocial Samosa
According to Ipsos AI Monitor's 2024 report, 65% Indians said that products and services using AI have profoundly changed their daily life in the past 3-5 years.
DATA COMMS-NETWORKS YR2 lecture 08 NAT & CLOUD.docx
Cassandra Security Configuration
1. CASSANDRA SECURITY
Abstract
Cloud security is a must for any enterprise. When data is stored in the cloud, ensuring end-to-end security is even more critical. This document is an attempt to record the security features available for Cassandra in the cloud.
Table of Contents
Cassandra Security   3
1.1 SSL   4
1.1.1 SSL Handshake   4
1.2 RSA algorithm in SSL   4
1.3 Certificate Management Utility in Java   5
2.0 Secured Data in motion (SSL connection)   6
3.0 CQLSH SSL Connection   12
4.0 Spark Cassandra Connector for SSL   13
4.1 Cluster Builder Cassandra Driver Connector with SSL   16
5.0 Transparent Data Encryption (TDE) at Rest   18
6.0 Authentication   23
7.0 Authorization   24
8.0 Data Auditing   26
9.0 Network Security Group (NSG)   27
Cassandra Security
To secure Cassandra, the enterprise's internal security guidelines must be met. At a minimum, the following must be ensured when running Cassandra in a cloud environment.
1. Secured Data in motion (SSL connection)
a. Internode communication
b. Client-server communication
c. Spark Cassandra connector for SSL
2. Network Security Group (NSG)
3. Secured Data at rest
4. Authentication and Authorization
5. CQLSH SSL connection
1.1 SSL
SSL (Secure Sockets Layer) is a standard security technology for establishing an encrypted link between a server and a client, typically between two servers in a cluster or between a web browser (client) and a server. SSL is the protocol that negotiates the encryption parameters for both the link and the data being transmitted.
1.1.1 SSL Handshake
Three keys are used to set up an SSL connection: the public key, the private key and the session key. The sequence of the SSL handshake is shown below.
Fig 1: Sequence diagram -- SSL handshake
1.2 RSA algorithm in SSL
RSA algorithm involves four steps.
a. Key generation
b. Key distribution
c. Encryption
d. Decryption
1.3 Certificate Management Utility in Java
Java Keytool is a key and certificate management utility. It allows users to
manage their own public/private key pairs and certificates.
Java Keytool stores the keys and certificates in what is called a keystore. By
default, the Java keystore is implemented as a file.
Table 1.1: KeyStore and TrustStore in keytool (Subject: Keystore / Truststore)

Context
  Keystore and truststore are both used when setting up an SSL connection between clients and server.

Construct
  Truststore and keystore are very similar in construct and structure, as both are managed by the keytool command.

Certificates
  Keystore: used to store public certificates for the SSL connection.
  Truststore: used to store private certificates for the SSL connection.

Handshaking
  Keystore: provides the credentials presented during the handshake.
  Truststore: used to verify the credentials received during the handshake.

Contains
  Keystore: in Java, stores the private key and the certificates corresponding to its public key; required by an SSL server, or by a client when the server requires client authentication.
  Truststore: stores the public keys or certificates of third parties the Java application communicates with, or certificates signed by a CA (certificate authorities such as Verisign, Thawte, Geotrust or GoDaddy), which are used to identify the third party.

Manager
  Keystore: managed by the KeyManager in Java.
  Truststore: managed by the TrustManager in Java, which determines whether a remote connection is trusted or not.

Access path in API
  Keystore: -Djavax.net.ssl.keyStore specifies the path of the keystore.
  Truststore: -Djavax.net.ssl.trustStore specifies the path of the truststore.

Password in API
  Keystore: -Djavax.net.ssl.keyStorePassword specifies the keystore password.
  Truststore: -Djavax.net.ssl.trustStorePassword specifies the truststore password.

File Management
  For manageability and maintainability it is good practice to keep separate files for the keystore and the truststore, but it is possible to combine them into one file.
2.0 Secured Data in motion (SSL connection)
2.0.1 Internode Communication:
A Cassandra cluster consists of many nodes which, in its distributed architecture, need to gossip and replicate data among themselves. Integrating SSL between the Cassandra nodes is the way to secure this internode communication.
To achieve SSL connectivity across all the nodes in a Cassandra cluster, the following steps need to be performed.
1. For symmetric key encryption, create a certificate and public/private key pair on one of the nodes using the Java keytool certificate management utility.
2. Securely copy (scp) the public/private key pair to all the nodes for symmetric key encryption.
3. Change the cassandra.yaml file with the properties under server_encryption_options on all the nodes.
4. Restart all the nodes as root.
Fig 2: Activity Diagram - internode communication using SSL
Here are the step-by-step procedures and details for securing internode communication using an SSL connection.
Step 1: Create the ssl directory.
As root on each node, create the .ssl directory.
sudo -i
mkdir /etc/dse/cassandra/.ssl
Step 2: Create the certificate and public/private key pair on one of the nodes.
cd /etc/dse/cassandra/.ssl
a. Generate the key pair and store it in .keystore.
keytool -genkey -alias dc0vm0 -keyalg RSA -dname "CN=Braja Das, OU=ABCCorp, O=BI, L=Seattle, C=US" -keystore .keystore -storepass Pass123 -keypass Pass123
b. Export the certificate from the keystore into a certificate file.
keytool -export -alias dc0vm0 -file dc0vm0.cer -keystore .keystore -storepass Pass123 -keypass Pass123
c. Import the public certificate into .truststore (keytool options take a single dash, so it is -noprompt).
keytool -import -v -trustcacerts -alias dc0vm0 -file dc0vm0.cer -keystore .truststore -storepass Pass123 -keypass Pass123 -noprompt
Set the appropriate permissions for the ssh user.
sudo -i
chown datastax:datastax *.cer
chown datastax:datastax .keystore
chown datastax:datastax .truststore
chown datastax:datastax /etc/dse/cassandra/.ssl
chmod 700 /etc/dse/cassandra/.ssl
Step 3: Distribute the public and private keys (the .keystore and .truststore files) to all the nodes.
From node dc0vm0, use the following to copy .keystore and .truststore to dc0vm1 and the other (remote) nodes. These are the commands run on dc0vm0; repeat them for each remote node.
scp /etc/dse/cassandra/.ssl/.truststore datastax@dc0vm1:/etc/dse/cassandra/.ssl/
scp /etc/dse/cassandra/.ssl/.keystore datastax@dc0vm1:/etc/dse/cassandra/.ssl/
Step 4: Set permissions
As root, use the following to set permissions on all the nodes.
sudo -i
cd /etc/dse/cassandra/.ssl
chown cassandra:cassandra *.cer
chown cassandra:cassandra .keystore
chown cassandra:cassandra .truststore
chown cassandra:cassandra /etc/dse/cassandra/.ssl
chmod 700 /etc/dse/cassandra/.ssl
Step 5: Change the server_encryption_options in cassandra.yaml
Change the following in the cassandra.yaml file:
server_encryption_options:
    internode_encryption: all
    keystore: /etc/dse/cassandra/.ssl/.keystore
    keystore_password: Pass123
    truststore: /etc/dse/cassandra/.ssl/.truststore
    truststore_password: Pass123
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
    require_client_auth: true
Step 6: Restart all the nodes as root
As root on each node, use the following commands to restart the node.
nodetool -h localhost drain
sudo service dse stop
sudo service dse start
2.1.1 Secured Client-Server Communication
To achieve SSL connectivity between client applications and the Cassandra cluster, the following steps need to be performed.
1. For symmetric key encryption, create a certificate and public/private key pair on one of the nodes using the Java keytool certificate management utility.
2. Securely copy (scp) the public/private key pair to all the nodes for symmetric key encryption.
3. Change the cassandra.yaml file with the properties under client_encryption_options on all the nodes.
4. Restart all the nodes as root.
Steps 1 and 2 are the same as for secured internode communication. Different names can be used for the client stores here, such as keystore_client and truststore_client.
Step 3: Change client_encryption_options in cassandra.yaml
Change the following under client_encryption_options:
client_encryption_options:
    enabled: true
    # If enabled and optional is set to true, both encrypted and unencrypted connections are handled.
    #optional: false
    keystore: /etc/dse/cassandra/.ssl/.keystore
    keystore_password: Pass123
    require_client_auth: false
    # Set truststore and truststore_password if require_client_auth is true
    truststore: /etc/dse/cassandra/.ssl/.truststore
    truststore_password: Pass123
    # More advanced defaults below:
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
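As an added check (not part of the original document or of Cassandra itself), the following Python script reads the server_encryption_options and client_encryption_options blocks shown above and flags settings that weaken them: internode_encryption not set to all, peer authentication required without a truststore, optional plaintext client connections, and cipher suites with static RSA key exchange (no forward secrecy). The two embedded cassandra.yaml fragments are constructed samples, and the YAML reader is a minimal one written for these blocks so the script needs no PyYAML.

```python
"""Audit the *_encryption_options blocks of a cassandra.yaml (added example).
The reader below handles only the YAML subset these blocks use, so no PyYAML."""

# Constructed sample: the settings shown in the document above.
SAMPLE_YAML = """\
server_encryption_options:
    internode_encryption: all
    keystore: /etc/dse/cassandra/.ssl/.keystore
    keystore_password: Pass123
    truststore: /etc/dse/cassandra/.ssl/.truststore
    truststore_password: Pass123
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,
                    TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
                    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
    require_client_auth: true
client_encryption_options:
    enabled: true
    #optional: false
    keystore: /etc/dse/cassandra/.ssl/.keystore
    keystore_password: Pass123
    require_client_auth: false
    truststore: /etc/dse/cassandra/.ssl/.truststore
    truststore_password: Pass123
    cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
"""

# Constructed weakened variant used to show what the audit catches.
WEAK_YAML = """\
server_encryption_options:
    internode_encryption: none
    keystore: /etc/dse/cassandra/.ssl/.keystore
    require_client_auth: true
    cipher_suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
client_encryption_options:
    enabled: true
    optional: true
    require_client_auth: false
"""


def _split_list(text):
    """Turn '[a, b, c]' into ['a', 'b', 'c']."""
    return [item.strip() for item in text.strip("[]").split(",") if item.strip()]


def parse_encryption_options(text):
    """Return {top_level_key: {key: value}}; bracketed values become lists."""
    sections, current, pending_key, buf = {}, None, None, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments and trailing space
        if not line.strip():
            continue
        if pending_key is not None:               # still inside a [ ... ] list
            buf.append(line.strip())
            if line.endswith("]"):
                sections[current][pending_key] = _split_list(" ".join(buf))
                pending_key, buf = None, []
            continue
        if not raw[0].isspace():                  # unindented key starts a section
            current = line.rstrip(":")
            sections[current] = {}
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip()
        if value.startswith("[") and not value.endswith("]"):
            pending_key, buf = key, [value]       # list continues on next lines
        elif value.startswith("["):
            sections[current][key] = _split_list(value)
        else:
            sections[current][key] = value
    return sections


def audit(text):
    """Parse a cassandra.yaml fragment and return a list of findings."""
    sections = parse_encryption_options(text)
    srv = sections.get("server_encryption_options", {})
    cli = sections.get("client_encryption_options", {})
    findings = []
    if srv.get("internode_encryption", "none") != "all":
        findings.append("server: internode_encryption is not 'all'; some node-to-node traffic stays in plaintext")
    if srv.get("require_client_auth") != "true":
        findings.append("server: require_client_auth is not true; peer nodes are not authenticated by certificate")
    if cli.get("enabled") != "true":
        findings.append("client: client-to-node encryption is not enabled")
    if cli.get("optional") == "true":
        findings.append("client: optional=true still accepts unencrypted client connections")
    for name, sec in (("server", srv), ("client", cli)):
        if sec.get("require_client_auth") == "true" and not sec.get("truststore"):
            findings.append(f"{name}: require_client_auth is true but no truststore is configured")
        for suite in sec.get("cipher_suites", []):
            if suite.startswith("TLS_RSA_WITH_"):   # static RSA key exchange
                findings.append(f"{name}: cipher suite {suite} has no forward secrecy")
    return findings


if __name__ == "__main__":
    for label, doc in (("document sample", SAMPLE_YAML), ("weakened sample", WEAK_YAML)):
        print(label, audit(doc) or ["no findings"])
```

Run against the document's own settings it reports only the TLS_RSA_ suite in each block; the DHE and ECDHE suites already listed provide forward secrecy, so the weak suite can simply be dropped from cipher_suites.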
2.1.1.1 OpenSSL and PEM Files
OpenSSL is the de-facto tool for SSL. It provides both a library for creating SSL sockets and a set of powerful tools for administering an SSL-enabled website.
2.1.1.2 PEM File:
PEM files are the standard format for OpenSSL and many other SSL tools. The format is designed to be safe for inclusion in ASCII or even rich-text documents, which means you can simply copy and paste the content of a PEM file into another document and back.
Following is a sample PEM file containing a private key and a certificate. A few rules apply when copying a certificate around:
• A single key or certificate must start and end with the appropriate header and footer, such as "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----". Always copy the certificate together with its header and footer lines.
• The number of dashes ("-----") is meaningful and must be correct.
A single PEM file can contain a number of certificates and a key, for example a single file with:
• Public certificate
• Intermediate certificate
• Root certificate
• Private key
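The copy rules above can be checked mechanically. The following Python script (an added example, not from the original document) splits a PEM bundle into its blocks, rejects a header or footer that does not have exactly five dashes on each side or whose END label does not match its BEGIN, and reports how many certificates and private keys the file carries. The bundle it parses is a constructed sample with placeholder bodies, not real key material.

```python
"""Split and sanity-check a PEM bundle (added example, not from the document).

Applies the copy rules given above: each block is framed by BEGIN/END lines
with exactly five dashes, the END label must match the BEGIN label, and one
file may hold several certificates plus a private key.
"""
import re

HEADER = re.compile(r"^(-+)(BEGIN|END) ([A-Z0-9 ]+?)(-+)$")
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+=*$")

# Constructed sample: public, intermediate and root certificates plus a key.
# The bodies are placeholders in the base64 alphabet, not real key material.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIICpublicCERTplaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICintermediateCERTplaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICrootCERTplaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIEprivateKEYplaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def parse_pem_bundle(text):
    """Return [(label, base64_body), ...] or raise ValueError naming the bad line."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            lead, kind, name, tail = m.groups()
            if len(lead) != 5 or len(tail) != 5:
                raise ValueError(f"line {lineno}: {kind} line must use exactly 5 dashes on each side")
            if kind == "BEGIN":
                if label is not None:
                    raise ValueError(f"line {lineno}: BEGIN {name} inside unterminated {label} block")
                label, body = name, []
            else:
                if name != label:
                    raise ValueError(f"line {lineno}: END {name} does not close BEGIN {label}")
                blocks.append((label, "".join(body)))
                label, body = None, []
        elif label is None:
            raise ValueError(f"line {lineno}: data outside any BEGIN/END block")
        elif not BASE64_LINE.match(line):
            raise ValueError(f"line {lineno}: body is not base64 text")
        else:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block at end of file")
    return blocks


def validate(text):
    """Return None when the bundle is well-formed, else the error message."""
    try:
        parse_pem_bundle(text)
    except ValueError as err:
        return str(err)
    return None


def summarize(blocks):
    """Count certificates and private keys; a cqlsh certfile needs both."""
    certs = sum(1 for label, _ in blocks if label == "CERTIFICATE")
    keys = sum(1 for label, _ in blocks if label.endswith("PRIVATE KEY"))
    return {"certificates": certs, "private_keys": keys}


if __name__ == "__main__":
    blocks = parse_pem_bundle(SAMPLE_BUNDLE)
    print([label for label, _ in blocks], summarize(blocks))
    print(validate(SAMPLE_BUNDLE.replace("-----BEGIN RSA", "----BEGIN RSA", 1)))
```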
3.0 CQLSH SSL Connection
The following steps need to be performed for a CQLSH SSL connection.
Step 1: Export the private key from keytool's proprietary format (JKS) to PKCS12 format.
keytool -importkeystore -srckeystore .keystore_client -destkeystore local_user.p12 -deststoretype PKCS12
Step 2: Export the unencrypted private key and certificate using OpenSSL:
openssl pkcs12 -in local_user.p12 -out CQLSHcassandra1.pem -nodes
Step 3: Set up permissions for CQLSHcassandra1.pem
chown cassandra:cassandra local_user.p12
chmod 400 local_user.p12
chown cassandra:cassandra CQLSHcassandra1.pem
chmod 444 CQLSHcassandra1.pem
chmod 755 /etc/dse/cassandra/.ssl
Note that CQLSHcassandra1.pem holds the unencrypted private key (-nodes), so mode 444 leaves it readable by every local account, whereas mode 400 restricts it to the owner.
Step 4: Change the cqlshrc file to use the PEM file on the host nodes.
As root or the DataStax admin user (cassandra), create the cqlshrc file in ~/.cassandra and append the following contents to it.
[ssl]
validate = false
certfile = /etc/dse/cassandra/.ssl/CQLSHcassandra1.pem
With validate = false, cqlsh does not verify the server's certificate.
Step 5: Connect with cqlsh using the following.
cqlsh --ssl
4.0 Spark Cassandra Connector for SSL
https://github.com/datastax/spark-cassandra-connector/blob/master/doc/reference.md
Cassandra SSL Connection Options
Here are the options in the DataStax Spark Cassandra connector for SSL integration.
Property Name (Default): Description
connection.ssl.clientAuth.enabled (false): Enable 2-way secure connection to Cassandra cluster
connection.ssl.enabled (false): Enable secure connection to Cassandra cluster
connection.ssl.enabledAlgorithms (Set(TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA)): SSL cipher suites
connection.ssl.keyStore.password (None): Key store password
connection.ssl.keyStore.path (None): Path for the key store being used
connection.ssl.keyStore.type (JKS): Key store type
connection.ssl.protocol (TLS): SSL protocol
connection.ssl.trustStore.password (None): Trust store password
All parameters should be prefixed with spark.cassandra.
4.0.1 Spark Cassandra Connector code
import org.apache.spark.SparkConf

// sparkConfCassandra builds the base SparkConf (application name, contact host
// and Cassandra credentials); it is defined elsewhere in the application.
def sparkConfCassandraSSL(appName: String, host: String, userName: String,
    password: String, trustStorePwd: String, trustStorePath: String): SparkConf = {
  val basicConf = sparkConfCassandra(appName, host, userName, password)
  // Turn on SSL and point the connector at the JKS truststore that holds
  // the certificate(s) used to verify the Cassandra nodes.
  val conf: SparkConf = basicConf
    .set("spark.cassandra.connection.ssl.enabled", "true")
    .set("spark.cassandra.connection.ssl.trustStore.password", trustStorePwd)
    .set("spark.cassandra.connection.ssl.trustStore.path", trustStorePath)
    .set("spark.cassandra.connection.ssl.trustStore.type", "JKS")
  conf
}
In spark Cassandra connector, following properties are mandatory and
important for SSL connection from client application to server(node).
a. Host name
b. User name
c. Password
d. trustStore password
e. trustStorePath
f. trustStoreType
g. sslEnabled = true
Remaining SSL connection options (Property Name (Default): Description):
connection.ssl.trustStore.path (None): Path for the trust store being used
connection.ssl.trustStore.type (JKS): Trust store type
trustStorePath in the Spark Cassandra connector points to the trustStoreClient file. In a container orchestration framework, trustStorePath can point to a location inside the container. Here are the options for placing the trustStore file inside a container.
1. A fixed trustStorePath in the container, with the trustStoreClient file pushed as part of CD (continuous deployment).
2. Reading the trustStore file from a secured source (BLOB storage) and downloading it into the container directory at runtime before connecting to the Cassandra server.
3. Key vault integration: generate the key in the key vault and download it into both the Cassandra servers and the containers, then connect the application to the Cassandra server.
4.1 Cluster Builder Cassandra Driver Connector with SSL
https://docs.datastax.com/en/drivers/java/2.0/com/datastax/driver/core/Cluster.Builder.html
Here are the API steps to follow to establish a secured SSL connection from a client using the cluster builder.
1. Get a TrustManager from the truststore
2. Create an SSLContext from the TrustManager
3. Build SSLOptions from the SSLContext
4. Build the secured Cluster using the SSLOptions and the Cassandra credentials.
Here are snippets of the code.
getTrustManagerFromKeyStore
import java.io.FileInputStream
import java.security.KeyStore
import javax.net.ssl.{TrustManager, TrustManagerFactory}

// Load the client trust store (JKS) and derive trust managers that accept only
// server certificates chaining to the CA certificates it contains.
def getTrustManagerFromKeyStore(truststorePath: String,
                                truststorePassword: String): Array[TrustManager] = {
  val ks = KeyStore.getInstance("JKS")
  val trustStore = new FileInputStream(truststorePath)
  try {
    ks.load(trustStore, truststorePassword.toCharArray())
  } finally {
    trustStore.close()  // do not leak the file handle
  }
  val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
  tmf.init(ks)
  tmf.getTrustManagers()
}
getSSlContext
import javax.net.ssl.SSLContext

// Build a TLS context that authenticates the server with the trust managers
// above. No key manager is supplied (null) because the client does not present
// its own certificate; the default SecureRandom is used.
def getSSlContext(tm: Array[TrustManager]): SSLContext = {
  val sslcontext: SSLContext = SSLContext.getInstance("TLS")
  sslcontext.init(null, tm, null)
  sslcontext
}
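Steps 3 and 4 above have no snippet on the page; the following added example (not the document's own code) completes them for the DataStax Java driver 2.x API linked above, taking the SSLContext returned by getSSlContext. It assumes the driver 2.x SSLOptions(SSLContext, String[]) constructor, SSLOptions.DEFAULT_SSL_CIPHER_SUITES and Cluster.Builder.withSSL; the host, user name, password and port values are caller-supplied.

```scala
import com.datastax.driver.core.{Cluster, Session, SSLOptions}
import javax.net.ssl.SSLContext
import scala.util.control.NonFatal

// Step 3: wrap the SSLContext in the driver's SSLOptions. The (context, cipherSuites)
// constructor and DEFAULT_SSL_CIPHER_SUITES are assumed from the Java driver 2.x API;
// in driver 3.x SSLOptions is an interface and JdkSSLOptions.builder() is used instead.
def getSSLOptions(sslContext: SSLContext): SSLOptions =
  new SSLOptions(sslContext, SSLOptions.DEFAULT_SSL_CIPHER_SUITES)

// Step 4: build the cluster with TLS (the server is authenticated against the
// client trust store) and the PasswordAuthenticator credentials of section 6.0.
// 9042 is the client port permitted by the NSG rules in section 9.0.
def buildSecuredCluster(host: String, userName: String, password: String,
                        sslOptions: SSLOptions, port: Int = 9042): Cluster =
  Cluster.builder()
    .addContactPoint(host)
    .withPort(port)
    .withCredentials(userName, password)
    .withSSL(sslOptions)
    .build()

// End-to-end: the SSLContext is the one produced by getSSlContext above. A session
// is only returned if both the TLS handshake and the password login succeed; on
// any failure the cluster's connection pools are released before rethrowing.
def connectSecured(host: String, userName: String, password: String,
                   sslContext: SSLContext): Session = {
  val cluster = buildSecuredCluster(host, userName, password, getSSLOptions(sslContext))
  try cluster.connect()
  catch { case NonFatal(e) => cluster.close(); throw e }
}
```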
5.0 Transparent Data Encryption (TDE) at Rest
The following steps have to be performed to ensure data encryption at rest.
1. Create the system key in the /etc/dse/conf/ directory of one node.
2. Copy the system key to all the nodes.
3. Set ownership of the keys.
4. Bounce the cluster.
1. Create the system key in the /etc/dse/conf/ directory of one node.
As root on one node run the following.
dsetool createsystemkey 'AES/ECB/PKCS5Padding' 128 system_key
Copy the system key into /etc/dse/conf/.
2. Copy the system key to each node
As root on each node copy the system key to /etc/dse/conf. Create the
directory if it doesn't exist.
scp /etc/dse/conf/system_key datastax@dc0vm1:/etc/dse/conf/
3. Set ownership of the keys
As root on each node do the following.
cd /etc/dse/
chown -R cassandra:cassandra /etc/dse/conf
chmod 755 /etc/dse/conf/
chmod 600 /etc/dse/conf/system_key
4. Bounce the cluster
As root on each node run the following.
nodetool -h localhost drain
sudo service dse stop
sudo service dse start
5.0.1 Create an Encrypted Table
As datastaxadmin on any node run the following.
CREATE TABLE pos.agg_store_qtrhr_netsales (
    storeid text,
    storedrivethrough text, -- referenced by the PRIMARY KEY below; column type assumed
    eventdate text,
    daypart text,
    hour int,
    qtrhr text,
    areaid text,
    dayofweek int,
    dayofyear int,
    districtid text,
    divisionid text,
    enterpriseid text,
    eventtime text,
    inserttime text,
    kpiname text,
    kpivalue text,
    period text,
    PRIMARY KEY ((storeid, storedrivethrough), eventdate, daypart, hour, qtrhr)
)
WITH CLUSTERING ORDER BY (eventdate DESC, daypart DESC, hour DESC, qtrhr DESC)
AND compression = {'sstable_compression': 'EncryptingSnappyCompressor',
                   'cipher_algorithm': 'AES/ECB/PKCS5Padding',
                   'secret_key_strength': 128,
                   'chunk_length_kb': 128,
                   'system_key_file': 'system_key'};
5.0.3 Rewrite SSTables as Encrypted
For tables that already exist, alter the table and then rewrite all of its
SSTables.
nodetool upgradesstables --include-all-sstables
5.0.4 Verify system_key exists on each node
As admin run the following.
cqlsh -u cassandra -p cassandra --ssl
cassandra@cqlsh> select * from dse_system.encrypted_keys;
 key_file   | cipher | strength | key_id                               | key
------------+--------+----------+--------------------------------------+----------------------------------------------
 system_key | AES    | 128      | 2c1081d0-ff98-11e6-b8ea-612efc0c5c21 | cIInbehkM+9oyYNN5M5qJgVhFMxtTFVFzmGQmBlLRkI=
6.0 Authentication
The following steps enable password authentication.
1. As root on each node, modify cassandra.yaml.
vi /etc/dse/cassandra/cassandra.yaml
Comment out AllowAllAuthenticator and enable PasswordAuthenticator:
# dhc authenticator: AllowAllAuthenticator
authenticator: PasswordAuthenticator
2. Bounce the server.
As root on each node run the following.
nodetool -h localhost drain
sudo service dse stop
sudo service dse start
7.0 Authorization
In role-based access control (RBAC), permissions are granted to a role in the
same way they were previously granted to a user. Roles can also be granted to
other roles.
CREATE ROLE supervisor;
GRANT MODIFY ON pos.divisionloc TO supervisor;
GRANT SELECT ON pos.divisionloc TO supervisor;
To grant a role to a database user, use the following.
CREATE ROLE divisionmgr WITH PASSWORD = 'div' AND LOGIN = true;
GRANT supervisor TO divisionmgr;
To list the permissions of supervisor, use the following.
cassandra@cqlsh:pos> LIST ALL PERMISSIONS OF supervisor;
role | username | resource | permission
------------+------------+-------------------------+------------
supervisor | supervisor | <table pos.divisionloc> | SELECT
supervisor | supervisor | <table pos.divisionloc> | MODIFY
cassandra@cqlsh:pos> LIST ALL PERMISSIONS OF divisionmgr;
role | username | resource | permission
------------+------------+-------------------------+------------
supervisor | supervisor | <table pos.divisionloc> | SELECT
supervisor | supervisor | <table pos.divisionloc> | MODIFY
cqlsh -u appuser -p Wh236t75n?1d --ssl
cqlsh -u devopsuser -p zLX49md6isMXJg --ssl
cqlsh -u admin -p k4MyUcvK71456y --ssl
CREATE ROLE appuser WITH PASSWORD = 'Wh236t75n?1d' AND LOGIN = true;
CREATE ROLE devopsuser WITH PASSWORD = 'zLX49md6isMXJg' AND LOGIN = true;
CREATE ROLE admin WITH PASSWORD = 'k4MyUcvK71456y' AND LOGIN = true AND SUPERUSER = true;
GRANT EXECUTE ON INTERNAL SCHEME TO appuser;
GRANT EXECUTE ON INTERNAL SCHEME TO devopsuser;
GRANT EXECUTE ON INTERNAL SCHEME TO admin;
GRANT ALL PERMISSIONS ON ALL KEYSPACES TO admin;
GRANT CREATE ON KEYSPACE IOT TO appuser;  // grant create table privilege on the IOT keyspace
GRANT ALTER ON KEYSPACE IOT TO appuser;
GRANT DROP ON KEYSPACE IOT TO appuser;
GRANT SELECT ON KEYSPACE IOT TO appuser;
GRANT MODIFY ON KEYSPACE IOT TO appuser;
GRANT CREATE ON KEYSPACE IOT TO devopsuser;  // grant create table privilege on the IOT keyspace
GRANT ALTER ON KEYSPACE IOT TO devopsuser;
GRANT DROP ON KEYSPACE IOT TO devopsuser;
GRANT SELECT ON KEYSPACE IOT TO devopsuser;
GRANT MODIFY ON KEYSPACE IOT TO devopsuser;
GRANT AUTHORIZE ON KEYSPACE IOT TO devopsuser;
8.0 Data Auditing
The audit logger records events only on the node where it is enabled. If
auditing is turned on for node 0 but not for node 1, updates and other
commands issued on node 1 do not usually appear in node 0's audit log. To get
the maximum information from data auditing, turn on data auditing on every
node.
Audit logs can be written to filesystem log files using log4j, or to a Cassandra
table. The default audit logger writes to log4j filesystem log files. Each
node's log files are local to the machine, making it difficult to find out what
is happening across the cluster.
Logging audit data to a Cassandra table lets it be queried like any other table,
making analysis easier and custom audit reports possible.
Here are the steps to follow in order to enable audit_logging_options in
Cassandra. Modify the following in the dse.yaml file.
audit_logging_options:
    enabled: true
    logger: CassandraAuditWriter
    cassandra_audit_writer_options:
        mode: async
        dropped_event_log: /var/log/cassandra/dropped_audit_events.log
Other optional settings are included_categories or excluded_categories, but
not both.
The following categories can be included.
Setting  Logging
ADMIN    Logs describing schema versions, cluster name, version, ring, and other administration events
AUTH     Logs login events
DML      Logs insert, update, delete and other DML events
DDL      Logs object and user create, alter, drop, and other DDL events
DCL      Logs grant, revoke, create user, drop user, and list users events
9.0 Network Security Group (NSG)
Following Inbound Network Security Rules can be applied in NSG.
Priority  Name                      Port  Protocol  Source           Destination      Action
100       SSH                       22    TCP       Virtual Network  Virtual Network  Allow
400       Cassandra Client          9042  TCP       Virtual Network  Virtual Network  Allow
500       Cassandra Inter Node      7000  TCP       Virtual Network  Virtual Network  Allow
600       Cassandra Inter Node SSL  7001  TCP       Virtual Network  Virtual Network  Allow
700       Cassandra JMX             7199  TCP       Virtual Network  Virtual Network  Allow
800       Internode Message         8609  TCP       Virtual Network  Virtual Network  Allow
900       DSEThrift                 9060  TCP       Virtual Network  Virtual Network  Allow
4096      DenyVnet                  Any   TCP       Virtual Network  Virtual Network  Deny
65000     AllowVnetInbound          Any   TCP       Virtual Network  Virtual Network  Allow
65001     AllowLoadBalancerInbound  Any   Any       Load Balancer    Virtual Network  Allow
65500     DenyAllInbound            Any   Any       Any              Any              Deny