Details how to secure Apache Cassandra clusters. Covers client to server and server to server encryption, securing management and tooling, using authentication and authorization, as well as options for encryption at rest.
Start to finish overview of tools, tips and techniques for developing software for Apache Cassandra. Includes code and configuration examples, build systems and container support.
Describes in detail the security architecture of Apache Cassandra. We discuss encryption at rest, encryption on the wire, authentication and authorization and securing JMX and management tools
Hardening Cassandra for compliance or paranoia (zznate)
How to secure a Cassandra cluster. Includes details on configuring SSL, setting up a certificate authority and creating certificates and trust chains for the JVM.
In the rush to release a new product, a new version or simply trying to get things working, security can sometimes be an afterthought. In this talk, Ben Bromhead, CTO of Instaclustr, will explore the various ways in which you can set up and secure Cassandra appropriately for your threat environment.
Security is often an afterthought; configured and applied at the last minute before rolling out a new system. Instaclustr has deployed Cassandra for customers with many different requirements.
From deployments in Heroku requiring total public access through to private data centres, we will walk you through securing Cassandra the right way.
In a dynamic infrastructure world, let's stop pretending credentials aren't public knowledge in an organization and just assume that they have already been leaked, now what?
9. Overview:
By necessity we abstract and encapsulate, making it easier to have unintended side effects:
knife ssh -x ${knifeUser} \
  -a hostname \
  -E $chefEnv "role:${role}" "${executeCommand}"
Then eventually:
rm -rf /var/lib/cassandra/*
12. Overview: System Hardening
Limit filesystem access. Only C* needs /var/lib/cassandra
(configuration management does not need access after initialization).
14. Overview: System Hardening: Limit Network Access
C* only needs inbound on:
- 9042/9160 (clients)
- 7000/7001 (cluster)
- 7199 (JMX)
15. Encryption at Rest
Inter-node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
16. Encryption At Rest:
Why it's a good idea:
- Do you know how your cloud provider is actually
using storage under the hood?
- What does IT do with decommissioned disks? (Are
you sure?)
17. Encryption At Rest:
There are good
open source and
commercial options
for at-rest encryption.
But...
18. Encryption At Rest:
It's a distributed system.
Make sure you understand the HA story in the context of your needs.
Otherwise you have introduced an SPOF!
e.g. "EBS snapshots of the key server"
Is this going to work for you?
20. Encryption At Rest: Open Source
dm-crypt (block)
eCryptfs (file)
Major vendors
probably support both
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html
22. Encryption At Rest: Commercial
DataStax Enterprise*:
CREATE TABLE users
...
WITH compression_parameters:sstable_compression = 'Encryptor'
and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'
and compression_parameters:secret_key_strength = 128;
*commit log not included! (eCryptfs to the rescue)
23. Encryption At Rest: Commercial-ish
EBS Encryption!
(a.k.a. "Not my problem.")
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
24. Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
28. Inter-Node Communication: SSL: Why It's a Good Idea:
It takes one Message
to insert an admin account
into the system_auth table
from: http://icanhascheeseburger.com
31. Inter-Node Communication: SSL: Certificates Done Right
Don't do this:
http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD!
LOL!
32. Inter-Node Communication: SSL: Certificates Done Right
BYO Certificate Authority
A CA provides the root certificate which can be used to validate a
node's identity without needing direct knowledge of that node.
33. Inter-Node Communication: SSL: Certificates Done Right
What we should do:
1. create the CA with a "root" certificate
2. create certificates for each node
3. export each node's certificate to be signed by the CA
4. sign each node's certificate with the CA
5. add the CA root public certificate into each node's key store
6. add the signed result back into that node's key store
7. import the CA root public certificate into each node's trust store (or build one and copy it around)
34. Inter-Node Communication: SSL: Certificates Done Right
Creating your own CA
openssl req \
  -config gen_ca_cert.conf \
  -new -x509 \
  -keyout ca-key \
  -out ca-cert \
  -days 365
35. Inter-Node Communication: SSL: Certificates Done Right
'gen_ca_cert.conf'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
output_password = mypass
default_bits = 2048
[ req_distinguished_name ]
C = US
ST = TX
L = Austin
O = TLP
OU = TestCluster
CN = TestClusterMasterCA
emailAddress = info@thelastpickl.com
36. Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `req`: An OpenSSL sub-command saying that we are (in this case) creating a PKCS#10 X.509 certificate (see https://www.openssl.org/docs/manmaster/apps/req.html for full details)
The following parameters are all options of `req`:
- `-config`: The path to the config file (avoids having to provide information on STDIN)
- `-new`: This is a new signing request we are making
- `-x509`: The output will be a self-signed certificate we can use as a root CA
- `-keyout`: The filename to which we will write our key
- `-out`: The filename to which we will write our certificate
- `-days`: The number of days for which the generated certificate will be valid
38. Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `-genkeypair`: The keytool command to generate a public/private key pair combination
- `-keyalg`: The algorithm to use, RSA in this case*
- `-alias`: An alias to use for this public/private key pair. It needs to identify the public key when imported into a key store. I usually use some form of $hostname-cassandra
- `-keystore`: The location of our key store (created if it does not already exist)
- `-storepass`: The password for the key store
- `-keypass`: The password for the key
- `-validity`: The number of days for which this key pair will be valid
- `-keysize`: The size of the key to generate
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
39. Inter-Node Communication: SSL: Certificates Done Right
A note about "-dname":
CN=node1
Common Name: best practice is to use the hostname
OU=SSL-verification-cluster
Organizational Unit: I like to use the environment-specific cluster name
O=TheLastPickle
Organization
C=US
Country
Note: Hostname verification can be done against subjectAlternativeName
Add "-ext SAN=DNS:thelastpickle.com" to keytool invocation if desired.
40. Inter-Node Communication: SSL: Certificates Done Right
Exporting certificates
for signing by the CA
keytool \
  -keystore node1-server-keystore.jks \
  -alias node1 \
  -certreq \
  -file node1_cert_sr \
  -keypass awesomekeypass \
  -storepass awesomekeypass
41. Inter-Node Communication: SSL: Certificates Done Right
Sign each node's
certificate with the CA
openssl x509 \
  -req \
  -CA ca-cert \
  -CAkey ca-key \
  -in node1_cert_sr \
  -out node1_cert_signed \
  -days 365 \
  -CAcreateserial \
  -passin pass:mypass
42. Inter-Node Communication: SSL: Certificates Done Right
What did we just do:
- `x509`: use the certificate display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/x509.html). The following parameters are options of "x509":
- `-req`: the input is a certificate request rather than a certificate
- `-CA`: the CA cert file created above
- `-CAkey`: the CA key file created above
- `-in`: the certificate request we are signing
- `-out`: the newly-signed certificate file to create
- `-days`: the number of days for which the signed certificate will be valid
- `-CAcreateserial`: create the CA's serial number file (ca-cert.srl) if it does not exist yet, and use it to number this certificate
- `-passin`: the source of the CA key's pass phrase. The arguments to `-passin` have their own formatting instructions; see "Pass Phrase Arguments" on https://www.openssl.org/docs/manmaster/apps/openssl.html
43. Inter-Node Communication: SSL: Certificates Done Right
Add the CA's public certificate to the node's key store:
keytool -import \
    -keystore node1-server-keystore.jks \
    -alias CARoot \
    -file ca-cert \
    -noprompt \
    -keypass awesomekeypass \
    -storepass awesomekeypass
44. Inter-Node Communication: SSL: Certificates Done Right
Import that node's signed certificate back into its key store. The order matters: keytool only accepts the signed reply for the node's alias once the CA that signed it is already trusted in that store, which is why the CA certificate went in first.
keytool -import \
    -keystore node1-server-keystore.jks \
    -alias node1 \
    -file node1_cert_signed \
    -keypass awesomekeypass \
    -storepass awesomekeypass
45. Inter-Node Communication: SSL: Certificates Done Right
Build a trust store from the CA's public certificate (this can be shared among all nodes):
keytool -importcert \
    -keystore generic-server-truststore.jks \
    -alias CARoot \
    -file ca-cert \
    -keypass mypass \
    -storepass truststorepass \
    -noprompt
48. Inter-Node Communication: SSL Done Right
server_encryption_options:
    internode_encryption: all
    keystore: conf/server-keystore.jks
    keystore_password: awesomekeypass
    truststore: conf/server-truststore.jks
    truststore_password: truststorepass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
If you don't set require_client_auth to true, you might as well turn encryption off: without it a node encrypts the link but never checks who is on the other end, so any host that can reach the storage port can complete the handshake without presenting a certificate. With it, only peers holding a key pair signed by the CA in the trust store can talk to the node. Note also that TLS_RSA_* suites use static RSA key exchange and therefore give no forward secrecy; modern JVMs offer ECDHE-based suites that do.
49. Inter-Node Communication: SSL Done Right
Also: key store password and key password *must be the same*. Cassandra only has keystore_password to hand to the JVM and uses it for both the store and the key inside it:
server_encryption_options:
    ...
    keystore_password: awesomekeypass
    require_client_auth: true
    ...
keytool ... -storepass awesomekeypass -keypass awesomekeypass ...
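The certificate steps above (CA, per-node key pair, CSR, CA signing, imports, shared trust store) and the password rule just stated, collected into one script. This is an added example, not code from the slides: it assumes an output directory $OUT, hypothetical node names passed as arguments, a minimal ca.cnf written by the script in place of the slides' config file, and `-subj` instead of openssl's prompts; the subject components and file names follow the slides. It also re-supplies the SAN at signing time (which `openssl x509 -req` would otherwise drop) and checks that each key store ends up holding a CA-signed chain rather than the original self-signed certificate.

```shell
#!/usr/bin/env bash
# Added example (not from the original slides): build a CA, one key store per
# node and a shared trust store for Cassandra inter-node SSL, then verify them.
# Assumed/hypothetical: $OUT, the CA common name, node names given as arguments.
set -eu

OUT="${OUT:-ssl-out}"
CA_PASS="${CA_PASS:-mypass}"
# Cassandra hands keystore_password to the JVM as both store and key password,
# so -storepass and -keypass below are deliberately the same value.
STORE_PASS="${STORE_PASS:-awesomekeypass}"
TRUST_PASS="${TRUST_PASS:-truststorepass}"
DAYS="${DAYS:-365}"
ORG_DN="OU=SSL-verification-cluster,O=TheLastPickle,C=US"     # keytool form
ORG_SUBJ="/OU=SSL-verification-cluster/O=TheLastPickle/C=US"  # openssl form

make_ca() {
    mkdir -p "$OUT"
    # Minimal config: an empty (prompt-free) DN section plus real CA extensions.
    cat > "$OUT/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -new -x509 -sha256 -newkey rsa:2048 -days "$DAYS" \
        -config "$OUT/ca.cnf" -subj "/CN=cassandra-root-ca$ORG_SUBJ" \
        -keyout "$OUT/ca-key" -out "$OUT/ca-cert" -passout "pass:$CA_PASS"
}

make_node() {
    local node="$1" ks="$OUT/$1-server-keystore.jks"
    # 1. key pair; CN is the hostname and the SAN is what hostname verification checks
    keytool -genkeypair -keyalg RSA -keysize 2048 -validity "$DAYS" \
        -alias "$node" -dname "CN=$node,$ORG_DN" -ext "SAN=DNS:$node" \
        -storetype JKS -keystore "$ks" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
    # 2. certificate signing request
    keytool -certreq -alias "$node" -file "$OUT/${node}_cert_sr" \
        -storetype JKS -keystore "$ks" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
    # 3. sign with the CA. x509 -req ignores the request's extensions, so restate
    #    them: not a CA, usable as server AND client (mutual auth), and the SAN.
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth,clientAuth\nsubjectAltName=DNS:%s\n' \
        "$node" > "$OUT/$node.ext"
    openssl x509 -req -sha256 -days "$DAYS" -CAcreateserial \
        -CA "$OUT/ca-cert" -CAkey "$OUT/ca-key" -passin "pass:$CA_PASS" \
        -in "$OUT/${node}_cert_sr" -out "$OUT/${node}_cert_signed" -extfile "$OUT/$node.ext"
    # 4. CA cert first (so keytool can validate the reply), then the signed cert
    keytool -importcert -noprompt -alias CARoot -file "$OUT/ca-cert" \
        -storetype JKS -keystore "$ks" -storepass "$STORE_PASS"
    keytool -importcert -noprompt -alias "$node" -file "$OUT/${node}_cert_signed" \
        -storetype JKS -keystore "$ks" -storepass "$STORE_PASS" -keypass "$STORE_PASS"
}

make_truststore() {
    keytool -importcert -noprompt -alias CARoot -file "$OUT/ca-cert" \
        -storetype JKS -keystore "$OUT/generic-server-truststore.jks" -storepass "$TRUST_PASS"
}

verify_node() {
    local node="$1" ks="$OUT/$1-server-keystore.jks"
    # chain must validate against the CA the trust store holds
    openssl verify -CAfile "$OUT/ca-cert" "$OUT/${node}_cert_signed" >/dev/null
    # the SAN must have survived signing or hostname verification would fail
    openssl x509 -in "$OUT/${node}_cert_signed" -noout -text | grep -q "DNS:$node"
    # the alias must now carry the CA-signed chain (node cert + CA), not the self-signed cert
    keytool -list -v -storetype JKS -keystore "$ks" -storepass "$STORE_PASS" -alias "$node" \
        | grep -q 'Certificate chain length: 2'
}

build_cluster_ssl() {
    make_ca
    make_truststore
    for n in "$@"; do
        make_node "$n"
        verify_node "$n"
    done
}

if [ "$#" -gt 0 ]; then
    build_cluster_ssl "$@"   # e.g. ./build-ssl.sh node1 node2 node3
fi
```

Each node gets its own `<node>-server-keystore.jks` (copy it to that node only) while every node can share `generic-server-truststore.jks`; the verify step is worth keeping in any automation, because a key store that still holds the self-signed certificate looks fine to keytool but is rejected by peers that only trust the CA.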
50. Inter-Node Communication: SSL Done Right
Export restrictions? Use 128-bit keys:
cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
A JVM without the JCE Unlimited Strength Jurisdiction Policy Files cannot use the AES-256 suites (the unlimited policy is the default from JDK 8u161 onwards); either install them from the first link below or stay at 128 bits.
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
51. Inter-Node Communication: SSL: Certificates Done Right
Trouble?
-Djavax.net.debug=ssl
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
53. Inter-Node Communication: SSL: Certificates Done Right
Hashicorp Vault
"secures, stores, and tightly controls access to tokens, passwords, certificates, API keys, and other secrets in modern computing."
https://www.vaultproject.io/
54. Inter-Node Communication: SSL: Certificates Done Right
Service level certificate management should have nothing to do with front-end certificates
62. Client-Server Communication
client_encryption_options:
    enabled: false
    keystore: conf/client-keystore.jks
    keystore_password: clientkeypass
    truststore: conf/client-truststore.jks
    truststore_password: clienttrustpass
    protocol: TLS
    algorithm: SunX509
    store_type: JKS
    cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
    require_client_auth: true
enabled is false by default; none of the other options take effect until it is set to true. As with inter-node traffic, if you don't set require_client_auth to true you might as well turn encryption off: the server encrypts the link but accepts any client that can reach the native transport port, so client identity then rests on the password alone.
63. Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
70. Authentication and Authorization:Authorization
These tables have default read permission for every authenticated user (2.1-era names; in 3.0 and later the schema tables moved to the system_schema keyspace):
system.schema_keyspaces
system.schema_columns
system.schema_columnfamilies
system.local
system.peers
74. Management and Tooling: Securing JMX
Options as of 2.1.8 will look familiar. They go in cassandra-env.sh alongside -Dcom.sun.management.jmxremote.ssl=true, which is the property that actually switches the JMX connector to SSL:
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-suites>"
75. Management and Tooling: Securing JMX
Thus:
as of 2.1.8, nodetool can use SSL*
* https://issues.apache.org/jira/browse/CASSANDRA-9090
76. Management and Tooling: Securing JMX
Configure authentication for JMX* and then you can do:
nodetool status -u monitor -pw monitorpass
* http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
77. Management and Tooling: Securing JMX
JMX user/password and role configuration is flexible. For details, take a look at the defaults shipped with the JDK:
$JAVA_HOME/jre/lib/management/jmxremote.access
$JAVA_HOME/jre/lib/management/jmxremote.password.template
(On JDK 9 and later the jre/ directory is gone and these live under $JAVA_HOME/conf/management/.)
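A worked version of the JMX authentication setup from the last two slides. This is an added example, not code from the slides or from Cassandra: it writes a password file and an access file for a read-only "monitor" user (enough for nodetool status) and a read-write "cassandra" user, applies the file permissions the JVM insists on, checks the two files agree with each other, and prints the JVM_OPTS that point the JMX agent at them. The directory, user names and passwords are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the slides): JMX password/access files for Cassandra.
# Hypothetical: the target directory, the user names and the passwords.
set -eu

write_jmx_auth_files() {
    local dir="$1"
    mkdir -p "$dir"
    # jmxremote.password: "<user> <password>" per line. monitor may only read
    # MBeans (status, tpstats); cassandra may invoke operations (repair, flush).
    printf '%s\n' 'monitor monitorpass' 'cassandra cassandrapass' > "$dir/jmxremote.password"
    # jmxremote.access: "<user> readonly|readwrite" per line.
    printf '%s\n' 'monitor readonly' 'cassandra readwrite' > "$dir/jmxremote.access"
    # The JVM refuses to start the JMX agent if the password file is readable
    # by group or others ("Password file read access must be restricted").
    chmod 0400 "$dir/jmxremote.password"
    chmod 0644 "$dir/jmxremote.access"
}

check_jmx_auth_files() {
    local dir="$1" perms user pw
    # group/other permission bits (columns 5-10 of ls -l) must all be "-"
    perms="$(ls -l "$dir/jmxremote.password" | cut -c5-10)"
    if [ "$perms" != "------" ]; then
        echo "jmxremote.password must be owner-only (0400/0600), group/other bits are '$perms'" >&2
        return 1
    fi
    # every user with a password needs an access level, otherwise the login
    # succeeds but every request is rejected as "Access denied"
    while read -r user pw; do
        case "$user" in ''|\#*) continue ;; esac
        if ! grep -q "^$user[[:space:]]" "$dir/jmxremote.access"; then
            echo "user '$user' has a password but no entry in jmxremote.access" >&2
            return 1
        fi
    done < "$dir/jmxremote.password"
}

# JVM_OPTS fragment for cassandra-env.sh; the SSL properties from slide 74
# are added alongside these.
jmx_jvm_opts() {
    local dir="$1"
    printf '%s %s %s' \
        '-Dcom.sun.management.jmxremote.authenticate=true' \
        "-Dcom.sun.management.jmxremote.password.file=$dir/jmxremote.password" \
        "-Dcom.sun.management.jmxremote.access.file=$dir/jmxremote.access"
}

if [ "$#" -gt 0 ]; then
    write_jmx_auth_files "$1"
    check_jmx_auth_files "$1"
    echo "JVM_OPTS=\"\$JVM_OPTS $(jmx_jvm_opts "$1")\""
fi
```

Run it as the user Cassandra starts under (the permission check is against that user's ownership), then `nodetool status -u monitor -pw monitorpass` works while `nodetool repair -u monitor -pw monitorpass` is refused, which is the point of keeping monitoring credentials read-only.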