Seattle C* Meetup: Hardening cassandra for compliance or paranoia

Z
HARDENING CASSANDRA
FOR COMPLIANCE
(OR PARANOIA)
Nate McCall
@zznate
Seattle Cassandra Users
Co-Founder & Sr.Technical Consultant
Licensed under a Creative Commons Attribution-NonCommercial 3.0 New Zealand License
AboutThe Last Pickle.
Work with clients to deliver and improve
Apache Cassandra based solutions.
Based in New Zealand,Australia & USA.
OVERVIEW
Encryption at Rest
Inter-node Communication
Client-Server Communication
Authentication and Authorization
Management andTooling
Overview:
Security is usually
necessitated by
Industry Guidelines
(depending on organization size)
Overview: Industry Guidelines
- Financial: PCI-DSS
- Healthcare: HIPAA
- Defense/Govt: FIPS
- TelCo: CPNI
Overview: Industry Guidelines
Their heart is in the right place...
(Do you really need node to node SSL if it never leaves a backplane?)
Overview:
However:
good security practices
can save you
Overview:
By necessity we abstract and encapsulate, making
it easier to have un-intended side effects
knife ssh -x ${knifeUser} 
-a hostname 
-E $chefEnv "role:${role}" "${executeCommand}"
Then eventually:
rm -rf /var/lib/cassandra/*
Overview:
Basic systems hardening
can also protect from
common operational errors
Overview: System Hardening
Limit account access
"sudo su -" = trouble
Overview: System Hardening
Limit filesystem access.
Only C* needs
/var/lib/cassandra
(configuration management does not need access
after initialization)
Overview: System Hardening
Networking
- Limit network access
- network segmentation and ACLs
- iptables, etc
Overview: System Hardening: Limit Network Access
C* only needs inbound on:
- 9042/9160 (clients)
- 7000/7001 (cluster)
- 7199 (JMX)
Encryption at Rest
Inter-node Communication
Client-Server Communication
Authentication and Authorization
Management andTooling
Encryption At Rest:
Why it's a good idea:
- Do you know how your cloud provider is actually
using storage under the hood?
- What does IT do with decommissioned disks? (Are
you sure?)
Encryption At Rest:
There are good
open source and
commercial options
for at-rest encryption.
But...
Encryption At Rest:
It's a distributed system.
Make sure you understand the HA Story
in context of your needs.
Otherwise you introduced an SPOF!
eg. "EBS snapshots of the key server"
Is this going to work for you?
Encryption At Rest:
File level
vs.
Block level
Encryption At Rest: Open Source
dmCrypt (block)
eCrypt-FS (file)
Major vendors
probably support both
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html
Encryption At Rest: Commercial
- Cloudera Gazzang!
-Vormetric
Encryption At Rest: Commercial
DataStax Enterprise*:
CREATETABLE users
...
WITH compression_parameters:sstable_compression = 'Encryptor'
and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding'
and compression_parameters:secret_key_strength = 128;
*commit log not included! (eCrypt-fs to the rescue)
Encryption At Rest: Commercial-ish
EBS Encryption!
(a.k.a. "Not my problem.")
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management andTooling
Inter-Node Communication: SSL
Inter-Node encryption can be rolled
out on production
with no downtime*
* Depending on client consistency levels
Inter-Node Communication: SSL
Why is it a good idea?
Inter-Node Communication: SSL:Why It's a Good Idea:
Every operation
is a
Message
on the wire
Inter-Node Communication: SSL:Why It's a Good Idea:
It takes one Message
to insert an admin account
into the system_auth table
from: http://icanhascheeseburger.com
Inter-Node Communication: SSL:Why It's a Good Idea:
-Dcassandra.write_survey=true
Inter-Node Communication: SSL
SSL Certificates:
a brief interlude
Inter-Node Communication: SSL: Certificates Done Right
Don't do this:
http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD!
LOL!
Inter-Node Communication: SSL: Certificates Done Right
BYO Certificate Authority
A CA provides the root certificate which can be used to validate a
node's identity without needing direct knowledge of that node.
Inter-Node Communication: SSL: Certificates Done Right
What we should do:
1. create the CA with a "root" certificate
2. create certificates for each node
3. export each node's certificates to be signed by CA
4. sign each nodes certificate with the CA
5. add the CA root public certificate into each node's key store
5. add the signed result back into that node's key store
6. import CA root public certificate into each node's trust store (or build
one and copy it around)
Inter-Node Communication: SSL: Certificates Done Right
Creating your own CA
openssl req 
-config gen_ca_cert.conf 
-new -x509 
-keyout ca-key 
-out ca-cert 
-days 365
Inter-Node Communication: SSL: Certificates Done Right
'gen_ca_cert.conf'
[ req ]
distinguished_name = req_distinguished_name
prompt = no
output_password = mypass
default_bits = 2048
[ req_distinguished_name ]
C = US
ST = TX
L = Austin
O = TLP
OU = TestCluster
CN = TestClusterMasterCA
emailAddress = info@thelastpickl.com
Inter-Node Communication: SSL: Certificates Done Right
What we just did
- `req`:An OpenSSL sub-command saying that we are (in this case) creating a PKCS#10 X.509 Certificate (see
https://www.openssl.org/docs/manmaster/apps/req.html for full details)
The following parameters are all options of "-req"
`-config`: The path to the config file (avoids having to provide information on STDIN)
`-new`: This is a new signing request we are making
`-x509`: The output will be a self-signed certificate we can use as a root CA
`-keyout`: The filename to which we will write our key
`-out`: The filename to which we will write our certificate
`-days`: The number of days for which the generated certificate will be valid
Inter-Node Communication: SSL: Certificates Done Right
Per-Node Certificate Creation
keytool -genkeypair 
-keyalg RSA 
-alias node1 
-keystore node1-server-keystore.jks 
-storepass awesomekeypass 
-keypass awesomekeypass 
-validity 365 -keysize 2048 
-dname "CN=node1, OU=SSL-verification-cluster, O=TheLastPickle, C=US"
Inter-Node Communication: SSL: Certificates Done Right
What we just did
`-genkeypair`: the keytool command to generate a public/private key pair combination
`-keyalg`:The algorithm to use, RSA in this case*
`-alias`:An alias to use for this public/private key pair. It needs to identify the public key when imported into a
key store. I usually use some form of $hostname-cassandra
`-keystore`:The location of our key store (created if it does not already exist)
`-storepass`:The password for the key store
`-keypass`:The password for the key
`-validity`:The number of days for which this key pair will be valid
`-keysize`:The size of the key to generate
https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
Inter-Node Communication: SSL: Certificates Done Right
A note about "-dname":
CN=node1
Common Name: Best practice is to use hostname
OU=SSL-verification-cluster
Organizational Unit: I like to use the environment specific cluster name
O=TheLastPickle
Organization
C=US"
Country
Note: Hostname verification can be done against subjectAlternativeName
Add "-ext SAN=DNS:thelastpickle.com" to keytool invocation if desired.
Inter-Node Communication: SSL: Certificates Done Right
Exporting certificates
for signing by the CA
keytool 
-keystore node1-server-keystore.jks 
-alias node1 
-certreq 
-file node1_cert_sr 
-keypass awesomekeypass 
-storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right
Sign each node's
certificate with the CA
openssl x509
-req 
-CA ca-cert 
-CAkey ca-key 
-in node1_cert_sr 
-out node1_cert_signed 
-days 365 
-CAcreateserial 
-passin pass:mypass
Inter-Node Communication: SSL: Certificates Done Right
What did we just do:
- `x509` Use the display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/
x509.html)
The following parameters are options of "x509"
- `-req` We are signing a certificate request as opposed to a certificate
- `-CA` The CA cert file created above
- `-CAKey` The CA key file created above
- `-in` The certificate request we are signing
- `-out` The newly-signed certificate file to create
- `-days` The number of days for which the signed certificate will be valid
- `-CAcreateserial` Create a serialnumber for this CSR
- `-passin` The keypassword source.The arguments to 'passin' have their own formatting instructions.
See 'Pass Phrase Arguments' on https://www.openssl.org/docs/manmaster/apps/openssl.html
Inter-Node Communication: SSL: Certificates Done Right
Add the CA's public key to the
node's key stores
keytool 
-keystore node1-server-keystore.jks 
-alias CARoot 
-import 
-file ca-cert 
-noprompt 
-keypass awesomekeypass 
-storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right
Import that node's signed certificate
back into it's trust store
keytool 
-keystore node1-server-keystore.jks 
-alias node1 
-import 
-file node1_cert_signed 
-keypass awesomekeypass 
-storepass awesomekeypass
Inter-Node Communication: SSL: Certificates Done Right
Build a trust store
from the CA's public certificate
(this can be shared among all nodes)
keytool 
-keystore generic-server-truststore.jks 
-alias CARoot -importcert 
-file ca-cert 
-keypass mypass -storepass 
truststorepass -noprompt
Inter-Node Communication: SSL: Certificates Done Right
OMG!
A Trust Chain!
Inter-Node Communication: SSL Done Right
server_encryption_options:
internode_encryption: all
keystore: conf/server-keystore.jks
keystore_password: awesomekeypass
truststore: conf/server-truststore.jks
truststore_password: truststorepass
protocol: TLS
algorithm: SunX509
store_type: JKS
cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
require_client_auth: true
Inter-Node Communication: SSL Done Right
server_encryption_options:
internode_encryption: all
keystore: conf/server-keystore.jks
keystore_password: awesomekeypass
truststore: conf/server-truststore.jks
truststore_password: truststorepass
protocol: TLS
algorithm: SunX509
store_type: JKS
cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
require_client_auth: true
If you don't set this to
true, you might as well
turn encryption off
Inter-Node Communication: SSL Done Right
Also: Key store password and key password
*must be the same*
server_encryption_options:
...
keystore_password: awesomekeypass
require_client_auth: true
...
keytool ... -keypass awesomekeypass ...
Inter-Node Communication: SSL Done Right
Export restrictions?
Use128 bit keys
cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA]
http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html
http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
Inter-Node Communication: SSL: Certificates Done Right
Trouble?
-Djavax.net.debug=ssl
http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
Inter-Node Communication: SSL: Certificates Done Right
Netflix Lemur:
"x.509 Certificate Orchestration Framework"
http://techblog.netflix.com/2015/09/introducing-lemur.html
https://github.com/Netflix/lemur
Inter-Node Communication: SSL: Certificates Done Right
HashicorpVault
"secures, stores, and tightly controls access to
tokens, passwords, certificates,API keys, and
other secrets in modern computing. "
https://www.vaultproject.io/
Inter-Node Communication: SSL: Certificates Done Right
Service level certificate management
should have nothing to do with front-
end certificates
Inter-Node Communication
internode_authenticator:
Stronger node identity verification
Inter-Node Communication:Authenticator
Available commercially
in DSE
Inter-Node Communication:Authenticator
Pretty easy
to roll your own
Inter-Node Communication:Authenticator
o.a.c.auth.IInternodeAuthenticator
boolean authenticate(InetAddress remoteAddress, int remotePort);
void validateConfiguration() throws ConfigurationException;
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management andTooling
Client-Server Communication
Same CA setup
as Server-to-Server
(same limitations, too)
Client-Server Communication
client_encryption_options:
enabled: true
keystore: conf/client-keystore.jks
keystore_password: clientkeypass
truststore: conf/client-truststore.jks
truststore_password: clienttrustpass
protocol: TLS
algorithm: SunX509
store_type: JKS
cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
require_client_auth: true
Client-Server Communication
client_encryption_options:
enabled: false
keystore: conf/client-keystore.jks
keystore_password: clientkeypass
truststore: conf/client-truststore.jks
truststore_password: clienttrustpass
protocol: TLS
algorithm: SunX509
store_type: JKS
cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA]
require_client_auth: true
If you don't set this to
true, you might as well
turn encryption off
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management andTooling
Authentication and Authorization:
Best practices
are the same as for
RDBMS
Authentication and Authorization: Best Practices
Segment users:
- Admin
- Per-service CRUD
- CRUD (reporting)
Authentication and Authorization: Best Practices
Limit access to
tables
and keyspaces
Authentication and Authorization:
Role-based access control
(RBAC) in 2.2
Authentication and Authorization:Authentication
authenticator: PasswordAuthenticator
Tip: keep your read-only cqlsh credentials in
$HOME/.cassandra/cqlshrc
of the system's admin account
Authentication and Authorization:Authorization
authorizer: CassandraAuthorizer
TIP: turn permissions_validity_in_ms WAY UP
default is 2000 (2 seconds!!)
can use permissions_update_interval_in_ms
for async refresh if needed
Authentication and Authorization:Authorization
These tables have
default read permission
for every authenticated user:
system.schema_keyspace
system.schema_columns
system.schema_columnfamilies
system.local
system.peers
Authentication and Authorization:Authentication
IMPORTANT:
"Please increase system_auth keyspace
replication factor if you use this..."
RF=Number of Nodes
Encryption at Rest
Inter-Node Communication
Client-Server Communication
Authentication and Authorization
Management and Tooling
Mangement andTooling:
Securing JMX
Management andTooling: Securing JMX
Options as of 2.1.8
will look familiar:
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore"
JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher-
suites>"
Management andTooling: Securing JMX
Thus:
as of 2.1.8, nodetool can use SSL*
* https://issues.apache.org/jira/browse/CASSANDRA-9090
Management andTooling: Securing JMX
Configure authentication
for JMX*
Now you can do:
nodetool status -u monitor -pw monitorpass
* http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
Management andTooling: Securing JMX
JMX user/password and role
configuration is flexible
For details, take a look at the defaults:
$JAVA_HOME/jre/lib/management/jmxremote.access
$JAVA_HOME/jre/lib/management/jmxremote.password.template
Thanks.
Nate McCall
@zznate
Co-Founder & Sr.Technical Consultant
www.thelastpickle.com
Seattle Cassandra Users
1 of 79

Recommended

Software Development with Apache Cassandra by
Software Development with Apache CassandraSoftware Development with Apache Cassandra
Software Development with Apache Cassandrazznate
893 views135 slides
Hardening cassandra q2_2016 by
Hardening cassandra q2_2016Hardening cassandra q2_2016
Hardening cassandra q2_2016zznate
871 views90 slides
Stampede con 2014 cassandra in the real world by
Stampede con 2014   cassandra in the real worldStampede con 2014   cassandra in the real world
Stampede con 2014 cassandra in the real worldzznate
1.1K views71 slides
Hardening cassandra for compliance or paranoia by
Hardening cassandra for compliance or paranoiaHardening cassandra for compliance or paranoia
Hardening cassandra for compliance or paranoiazznate
5.8K views78 slides
Meetup cassandra for_java_cql by
Meetup cassandra for_java_cqlMeetup cassandra for_java_cql
Meetup cassandra for_java_cqlzznate
1.4K views59 slides
Securing Cassandra The Right Way by
Securing Cassandra The Right WaySecuring Cassandra The Right Way
Securing Cassandra The Right WayDataStax Academy
10K views38 slides

More Related Content

What's hot

2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash... by
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...Andrey Devyatkin
2.8K views57 slides
Training Slides: 302 - Securing Your Cluster With SSL by
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLContinuent
78 views32 slides
HashiCorp Vault Workshop:幫 Credentials 找個窩 by
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩smalltown
2.3K views109 slides
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise by
Cassandra Day London 2015: Securing Cassandra and DataStax EnterpriseCassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Cassandra Day London 2015: Securing Cassandra and DataStax EnterpriseDataStax Academy
3.2K views21 slides
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t... by
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...Andrey Devyatkin
783 views63 slides
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault by
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultJeff Horwitz
6.2K views53 slides

What's hot(17)

2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash... by Andrey Devyatkin
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
2020-02-20 - HashiTalks 2020 - HashiCorp Vault configuration as code via Hash...
Andrey Devyatkin2.8K views
Training Slides: 302 - Securing Your Cluster With SSL by Continuent
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent78 views
HashiCorp Vault Workshop:幫 Credentials 找個窩 by smalltown
HashiCorp Vault Workshop:幫 Credentials 找個窩HashiCorp Vault Workshop:幫 Credentials 找個窩
HashiCorp Vault Workshop:幫 Credentials 找個窩
smalltown 2.3K views
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise by DataStax Academy
Cassandra Day London 2015: Securing Cassandra and DataStax EnterpriseCassandra Day London 2015: Securing Cassandra and DataStax Enterprise
Cassandra Day London 2015: Securing Cassandra and DataStax Enterprise
DataStax Academy3.2K views
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t... by Andrey Devyatkin
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
HashiCorp Vault configuration as code via HashiCorp Terraform- stories from t...
Andrey Devyatkin783 views
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault by Jeff Horwitz
Chickens & Eggs: Managing secrets in AWS with Hashicorp VaultChickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Chickens & Eggs: Managing secrets in AWS with Hashicorp Vault
Jeff Horwitz6.2K views
Vault - Secret and Key Management by Anthony Ikeda
Vault - Secret and Key ManagementVault - Secret and Key Management
Vault - Secret and Key Management
Anthony Ikeda3.7K views
Things YouShould Be Doing When Using Cassandra Drivers by Rebecca Mills
Things YouShould Be Doing When Using Cassandra DriversThings YouShould Be Doing When Using Cassandra Drivers
Things YouShould Be Doing When Using Cassandra Drivers
Rebecca Mills815 views
Production Readiness Strategies in an Automated World by Sean Chittenden
Production Readiness Strategies in an Automated WorldProduction Readiness Strategies in an Automated World
Production Readiness Strategies in an Automated World
Sean Chittenden862 views
Using Vault to decouple MySQL Secrets by Derek Downey
Using Vault to decouple MySQL SecretsUsing Vault to decouple MySQL Secrets
Using Vault to decouple MySQL Secrets
Derek Downey2K views
In the Wake of Kerberoast by ken_kitahara
In the Wake of KerberoastIn the Wake of Kerberoast
In the Wake of Kerberoast
ken_kitahara829 views
DerbyCon 2019 - Kerberoasting Revisited by Will Schroeder
DerbyCon 2019 - Kerberoasting RevisitedDerbyCon 2019 - Kerberoasting Revisited
DerbyCon 2019 - Kerberoasting Revisited
Will Schroeder10.4K views
Keybase Vault Auto-Unseal HashiTalks2020 by Bas Meijer
Keybase Vault Auto-Unseal HashiTalks2020Keybase Vault Auto-Unseal HashiTalks2020
Keybase Vault Auto-Unseal HashiTalks2020
Bas Meijer1.9K views
Containment without Containers: Running Windows Microservices on Nomad by Justen Walker
Containment without Containers: Running Windows Microservices on NomadContainment without Containers: Running Windows Microservices on Nomad
Containment without Containers: Running Windows Microservices on Nomad
Justen Walker6K views
Kafka security ssl by Heng-Xiu Xu
Kafka security sslKafka security ssl
Kafka security ssl
Heng-Xiu Xu130 views

Similar to Seattle C* Meetup: Hardening cassandra for compliance or paranoia

The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia). by
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).DataStax Academy
2K views78 slides
Open SSL and MS Crypto API EKON21 by
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21Max Kleiner
267 views25 slides
Java security by
Java securityJava security
Java securityBart Blommaerts
800 views50 slides
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation... by
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB
528 views33 slides
Best Practices of IoT in the Cloud by
Best Practices of IoT in the CloudBest Practices of IoT in the Cloud
Best Practices of IoT in the CloudAmazon Web Services
4.6K views69 slides
Best Practices for IoT Security in the Cloud by
Best Practices for IoT Security in the CloudBest Practices for IoT Security in the Cloud
Best Practices for IoT Security in the CloudAmazon Web Services
3.7K views69 slides

Similar to Seattle C* Meetup: Hardening cassandra for compliance or paranoia(20)

The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia). by DataStax Academy
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
The Last Pickle: Hardening Apache Cassandra for Compliance (or Paranoia).
DataStax Academy2K views
Open SSL and MS Crypto API EKON21 by Max Kleiner
Open SSL and MS Crypto API EKON21Open SSL and MS Crypto API EKON21
Open SSL and MS Crypto API EKON21
Max Kleiner267 views
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation... by MongoDB
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB World 2018: Low Hanging Fruit: Making Your Basic MongoDB Installation...
MongoDB528 views
SSL Implementation - IBM MQ - Secure Communications by nishchal29
SSL Implementation - IBM MQ - Secure Communications SSL Implementation - IBM MQ - Secure Communications
SSL Implementation - IBM MQ - Secure Communications
nishchal292.5K views
SSL Certificates and Operations by Nisheed KM
SSL Certificates and OperationsSSL Certificates and Operations
SSL Certificates and Operations
Nisheed KM554 views
Cisco iso based CA (certificate authority) by Netwax Lab
Cisco iso based CA (certificate authority)Cisco iso based CA (certificate authority)
Cisco iso based CA (certificate authority)
Netwax Lab965 views
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure by MongoDB
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
MongoDB198 views
Types of ssl commands and keytool by CheapSSLsecurity
Types of ssl commands and keytoolTypes of ssl commands and keytool
Types of ssl commands and keytool
CheapSSLsecurity1.2K views
Issue certificates with PyOpenSSL by Pau Freixes
Issue certificates with PyOpenSSLIssue certificates with PyOpenSSL
Issue certificates with PyOpenSSL
Pau Freixes1.1K views
VisualWorks Security Reloaded - STIC 2012 by Martin Kobetic
VisualWorks Security Reloaded - STIC 2012VisualWorks Security Reloaded - STIC 2012
VisualWorks Security Reloaded - STIC 2012
Martin Kobetic801 views

More from zznate

Advanced Apache Cassandra Operations with JMX by
Advanced Apache Cassandra Operations with JMXAdvanced Apache Cassandra Operations with JMX
Advanced Apache Cassandra Operations with JMXzznate
4.9K views131 slides
Successful Software Development with Apache Cassandra by
Successful Software Development with Apache CassandraSuccessful Software Development with Apache Cassandra
Successful Software Development with Apache Cassandrazznate
2.3K views89 slides
An Introduction to the Vert.x framework by
An Introduction to the Vert.x frameworkAn Introduction to the Vert.x framework
An Introduction to the Vert.x frameworkzznate
2.9K views54 slides
Intravert atx meetup_condensed by
Intravert atx meetup_condensedIntravert atx meetup_condensed
Intravert atx meetup_condensedzznate
952 views54 slides
Apachecon cassandra transport by
Apachecon cassandra transportApachecon cassandra transport
Apachecon cassandra transportzznate
1.1K views96 slides
Oscon 2012 tdd_cassandra by
Oscon 2012 tdd_cassandraOscon 2012 tdd_cassandra
Oscon 2012 tdd_cassandrazznate
691 views94 slides

More from zznate(13)

Advanced Apache Cassandra Operations with JMX by zznate
Advanced Apache Cassandra Operations with JMXAdvanced Apache Cassandra Operations with JMX
Advanced Apache Cassandra Operations with JMX
zznate4.9K views
Successful Software Development with Apache Cassandra by zznate
Successful Software Development with Apache CassandraSuccessful Software Development with Apache Cassandra
Successful Software Development with Apache Cassandra
zznate2.3K views
An Introduction to the Vert.x framework by zznate
An Introduction to the Vert.x frameworkAn Introduction to the Vert.x framework
An Introduction to the Vert.x framework
zznate2.9K views
Intravert atx meetup_condensed by zznate
Intravert atx meetup_condensedIntravert atx meetup_condensed
Intravert atx meetup_condensed
zznate952 views
Apachecon cassandra transport by zznate
Apachecon cassandra transportApachecon cassandra transport
Apachecon cassandra transport
zznate1.1K views
Oscon 2012 tdd_cassandra by zznate
Oscon 2012 tdd_cassandraOscon 2012 tdd_cassandra
Oscon 2012 tdd_cassandra
zznate691 views
Strata west 2012_java_cassandra by zznate
Strata west 2012_java_cassandraStrata west 2012_java_cassandra
Strata west 2012_java_cassandra
zznate3.3K views
Nyc summit intro_to_cassandra by zznate
Nyc summit intro_to_cassandraNyc summit intro_to_cassandra
Nyc summit intro_to_cassandra
zznate1.6K views
Meetup cassandra sfo_jdbc by zznate
Meetup cassandra sfo_jdbcMeetup cassandra sfo_jdbc
Meetup cassandra sfo_jdbc
zznate1.3K views
Introduciton to Apache Cassandra for Java Developers (JavaOne) by zznate
Introduciton to Apache Cassandra for Java Developers (JavaOne)Introduciton to Apache Cassandra for Java Developers (JavaOne)
Introduciton to Apache Cassandra for Java Developers (JavaOne)
zznate6.4K views
Introduction to apache_cassandra_for_developers-lhg by zznate
Introduction to apache_cassandra_for_developers-lhgIntroduction to apache_cassandra_for_developers-lhg
Introduction to apache_cassandra_for_developers-lhg
zznate2.9K views
Introduction to apache_cassandra_for_develope by zznate
Introduction to apache_cassandra_for_developeIntroduction to apache_cassandra_for_develope
Introduction to apache_cassandra_for_develope
zznate3.1K views
Hector v2: The Second Version of the Popular High-Level Java Client for Apach... by zznate
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
Hector v2: The Second Version of the Popular High-Level Java Client for Apach...
zznate1.5K views

Recently uploaded

apple.pptx by
apple.pptxapple.pptx
apple.pptxhoneybeeqwe
5 views15 slides
[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo... by
[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo...[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo...
[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo...DataScienceConferenc1
6 views77 slides
[DSC Europe 23][AI:CSI] Dragan Pleskonjic - AI Impact on Cybersecurity and P... by
[DSC Europe 23][AI:CSI]  Dragan Pleskonjic - AI Impact on Cybersecurity and P...[DSC Europe 23][AI:CSI]  Dragan Pleskonjic - AI Impact on Cybersecurity and P...
[DSC Europe 23][AI:CSI] Dragan Pleskonjic - AI Impact on Cybersecurity and P...DataScienceConferenc1
8 views36 slides
[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ... by
[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ...[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ...
[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ...DataScienceConferenc1
9 views18 slides
[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init... by
[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init...[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init...
[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init...DataScienceConferenc1
5 views18 slides
VoxelNet by
VoxelNetVoxelNet
VoxelNettaeseon ryu
16 views21 slides

Recently uploaded(20)

[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo... by DataScienceConferenc1
[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo...[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo...
[DSC Europe 23][DigiHealth] Muthu Ramachandran AI and Blockchain Framework fo...
[DSC Europe 23][AI:CSI] Dragan Pleskonjic - AI Impact on Cybersecurity and P... by DataScienceConferenc1
[DSC Europe 23][AI:CSI]  Dragan Pleskonjic - AI Impact on Cybersecurity and P...[DSC Europe 23][AI:CSI]  Dragan Pleskonjic - AI Impact on Cybersecurity and P...
[DSC Europe 23][AI:CSI] Dragan Pleskonjic - AI Impact on Cybersecurity and P...
[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ... by DataScienceConferenc1
[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ...[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ...
[DSC Europe 23] Predrag Ilic & Simeon Rilling - From Data Lakes to Data Mesh ...
[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init... by DataScienceConferenc1
[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init...[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init...
[DSC Europe 23][Cryptica] Martin_Summer_Digital_central_bank_money_Ideas_init...
UNEP FI CRS Climate Risk Results.pptx by pekka28
UNEP FI CRS Climate Risk Results.pptxUNEP FI CRS Climate Risk Results.pptx
UNEP FI CRS Climate Risk Results.pptx
pekka2811 views
CRIJ4385_Death Penalty_F23.pptx by yvettemm100
CRIJ4385_Death Penalty_F23.pptxCRIJ4385_Death Penalty_F23.pptx
CRIJ4385_Death Penalty_F23.pptx
yvettemm1007 views
OECD-Persol Holdings Workshop on Advancing Employee Well-being in Business an... by StatsCommunications
OECD-Persol Holdings Workshop on Advancing Employee Well-being in Business an...OECD-Persol Holdings Workshop on Advancing Employee Well-being in Business an...
OECD-Persol Holdings Workshop on Advancing Employee Well-being in Business an...
[DSC Europe 23] Rania Wazir - Opening up the box: the complexity of human int... by DataScienceConferenc1
[DSC Europe 23] Rania Wazir - Opening up the box: the complexity of human int...[DSC Europe 23] Rania Wazir - Opening up the box: the complexity of human int...
[DSC Europe 23] Rania Wazir - Opening up the box: the complexity of human int...
Ukraine Infographic_22NOV2023_v2.pdf by AnastosiyaGurin
Ukraine Infographic_22NOV2023_v2.pdfUkraine Infographic_22NOV2023_v2.pdf
Ukraine Infographic_22NOV2023_v2.pdf
AnastosiyaGurin1.4K views
CRM stick or twist workshop by info828217
CRM stick or twist workshopCRM stick or twist workshop
CRM stick or twist workshop
info82821712 views
Chapter 3b- Process Communication (1) (1)(1) (1).pptx by ayeshabaig2004
Chapter 3b- Process Communication (1) (1)(1) (1).pptxChapter 3b- Process Communication (1) (1)(1) (1).pptx
Chapter 3b- Process Communication (1) (1)(1) (1).pptx
ayeshabaig20047 views
[DSC Europe 23] Stefan Mrsic_Goran Savic - Evolving Technology Excellence.pptx by DataScienceConferenc1
[DSC Europe 23] Stefan Mrsic_Goran Savic - Evolving Technology Excellence.pptx[DSC Europe 23] Stefan Mrsic_Goran Savic - Evolving Technology Excellence.pptx
[DSC Europe 23] Stefan Mrsic_Goran Savic - Evolving Technology Excellence.pptx
[DSC Europe 23] Danijela Horak - The Innovator’s Dilemma: to Build or Not to ... by DataScienceConferenc1
[DSC Europe 23] Danijela Horak - The Innovator’s Dilemma: to Build or Not to ...[DSC Europe 23] Danijela Horak - The Innovator’s Dilemma: to Build or Not to ...
[DSC Europe 23] Danijela Horak - The Innovator’s Dilemma: to Build or Not to ...
Organic Shopping in Google Analytics 4.pdf by GA4 Tutorials
Organic Shopping in Google Analytics 4.pdfOrganic Shopping in Google Analytics 4.pdf
Organic Shopping in Google Analytics 4.pdf
GA4 Tutorials16 views

Seattle C* Meetup: Hardening cassandra for compliance or paranoia

  • 1. HARDENING CASSANDRA FOR COMPLIANCE (OR PARANOIA) Nate McCall @zznate Seattle Cassandra Users Co-Founder & Sr.Technical Consultant Licensed under a Creative Commons Attribution-NonCommercial 3.0 New Zealand License
  • 2. AboutThe Last Pickle. Work with clients to deliver and improve Apache Cassandra based solutions. Based in New Zealand,Australia & USA.
  • 4. Encryption at Rest Inter-node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 5. Overview: Security is usually necessitated by Industry Guidelines (depending on organization size)
  • 6. Overview: Industry Guidelines - Financial: PCI-DSS - Healthcare: HIPAA - Defense/Govt: FIPS - TelCo: CPNI
  • 7. Overview: Industry Guidelines Their heart is in the right place... (Do you really need node to node SSL if it never leaves a backplane?)
  • 9. Overview: By necessity we abstract and encapsulate, making it easier to have un-intended side effects knife ssh -x ${knifeUser} -a hostname -E $chefEnv "role:${role}" "${executeCommand}" Then eventually: rm -rf /var/lib/cassandra/*
  • 10. Overview: Basic systems hardening can also protect from common operational errors
  • 11. Overview: System Hardening Limit account access "sudo su -" = trouble
  • 12. Overview: System Hardening Limit filesystem access. Only C* needs /var/lib/cassandra (configuration management does not need access after initialization)
  • 13. Overview: System Hardening Networking - Limit network access - network segmentation and ACLs - iptables, etc
  • 14. Overview: System Hardening: Limit Network Access C* only needs inbound on: - 9042/9160 (clients) - 7000/7001 (cluster) - 7199 (JMX)
  • 15. Encryption at Rest Inter-node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 16. Encryption At Rest: Why it's a good idea: - Do you know how your cloud provider is actually using storage under the hood? - What does IT do with decommissioned disks? (Are you sure?)
  • 17. Encryption At Rest: There are good open source and commercial options for at-rest encryption. But...
  • 18. Encryption At Rest: It's a distributed system. Make sure you understand the HA Story in context of your needs. Otherwise you introduced an SPOF! eg. "EBS snapshots of the key server" Is this going to work for you?
  • 19. Encryption At Rest: File level vs. Block level
  • 20. Encryption At Rest: Open Source dmCrypt (block) eCrypt-FS (file) Major vendors probably support both https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Installation_Guide/ch29s02.html https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Storage_Administration_Guide/ch-efs.html
  • 21. Encryption At Rest: Commercial - Cloudera Gazzang! -Vormetric
  • 22. Encryption At Rest: Commercial DataStax Enterprise*: CREATETABLE users ... WITH compression_parameters:sstable_compression = 'Encryptor' and compression_parameters:cipher_algorithm = 'AES/ECB/PKCS5Padding' and compression_parameters:secret_key_strength = 128; *commit log not included! (eCrypt-fs to the rescue)
  • 23. Encryption At Rest: Commercial-ish EBS Encryption! (a.k.a. "Not my problem.") http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
  • 24. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 25. Inter-Node Communication: SSL Inter-Node encryption can be rolled out on production with no downtime* * Depending on client consistency levels
  • 26. Inter-Node Communication: SSL Why is it a good idea?
  • 27. Inter-Node Communication: SSL:Why It's a Good Idea: Every operation is a Message on the wire
  • 28. Inter-Node Communication: SSL:Why It's a Good Idea: It takes one Message to insert an admin account into the system_auth table from: http://icanhascheeseburger.com
  • 29. Inter-Node Communication: SSL:Why It's a Good Idea: -Dcassandra.write_survey=true
  • 30. Inter-Node Communication: SSL SSL Certificates: a brief interlude
  • 31. Inter-Node Communication: SSL: Certificates Done Right Don't do this: http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureSSLCertificates_t.html <- BAD! LOL!
  • 32. Inter-Node Communication: SSL: Certificates Done Right BYO Certificate Authority A CA provides the root certificate which can be used to validate a node's identity without needing direct knowledge of that node.
  • 33. Inter-Node Communication: SSL: Certificates Done Right What we should do: 1. create the CA with a "root" certificate 2. create certificates for each node 3. export each node's certificates to be signed by CA 4. sign each nodes certificate with the CA 5. add the CA root public certificate into each node's key store 5. add the signed result back into that node's key store 6. import CA root public certificate into each node's trust store (or build one and copy it around)
  • 34. Inter-Node Communication: SSL: Certificates Done Right Creating your own CA openssl req -config gen_ca_cert.conf -new -x509 -keyout ca-key -out ca-cert -days 365
  • 35. Inter-Node Communication: SSL: Certificates Done Right 'gen_ca_cert.conf' [ req ] distinguished_name = req_distinguished_name prompt = no output_password = mypass default_bits = 2048 [ req_distinguished_name ] C = US ST = TX L = Austin O = TLP OU = TestCluster CN = TestClusterMasterCA emailAddress = info@thelastpickl.com
  • 36. Inter-Node Communication: SSL: Certificates Done Right What we just did - `req`:An OpenSSL sub-command saying that we are (in this case) creating a PKCS#10 X.509 Certificate (see https://www.openssl.org/docs/manmaster/apps/req.html for full details) The following parameters are all options of "-req" `-config`: The path to the config file (avoids having to provide information on STDIN) `-new`: This is a new signing request we are making `-x509`: The output will be a self-signed certificate we can use as a root CA `-keyout`: The filename to which we will write our key `-out`: The filename to which we will write our certificate `-days`: The number of days for which the generated certificate will be valid
  • 37. Inter-Node Communication: SSL: Certificates Done Right Per-Node Certificate Creation keytool -genkeypair -keyalg RSA -alias node1 -keystore node1-server-keystore.jks -storepass awesomekeypass -keypass awesomekeypass -validity 365 -keysize 2048 -dname "CN=node1, OU=SSL-verification-cluster, O=TheLastPickle, C=US"
  • 38. Inter-Node Communication: SSL: Certificates Done Right What we just did `-genkeypair`: the keytool command to generate a public/private key pair combination `-keyalg`:The algorithm to use, RSA in this case* `-alias`:An alias to use for this public/private key pair. It needs to identify the public key when imported into a key store. I usually use some form of $hostname-cassandra `-keystore`:The location of our key store (created if it does not already exist) `-storepass`:The password for the key store `-keypass`:The password for the key `-validity`:The number of days for which this key pair will be valid `-keysize`:The size of the key to generate https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html
  • 39. Inter-Node Communication: SSL: Certificates Done Right A note about "-dname": CN=node1 Common Name: Best practice is to use hostname OU=SSL-verification-cluster Organizational Unit: I like to use the environment specific cluster name O=TheLastPickle Organization C=US" Country Note: Hostname verification can be done against subjectAlternativeName Add "-ext SAN=DNS:thelastpickle.com" to keytool invocation if desired.
  • 40. Inter-Node Communication: SSL: Certificates Done Right Exporting certificates for signing by the CA keytool -keystore node1-server-keystore.jks -alias node1 -certreq -file node1_cert_sr -keypass awesomekeypass -storepass awesomekeypass
  • 41. Inter-Node Communication: SSL: Certificates Done Right Sign each node's certificate with the CA openssl x509 -req -CA ca-cert -CAkey ca-key -in node1_cert_sr -out node1_cert_signed -days 365 -CAcreateserial -passin pass:mypass
  • 42. Inter-Node Communication: SSL: Certificates Done Right What did we just do: - `x509` Use the display and signing subcommand (https://www.openssl.org/docs/manmaster/apps/ x509.html) The following parameters are options of "x509" - `-req` We are signing a certificate request as opposed to a certificate - `-CA` The CA cert file created above - `-CAKey` The CA key file created above - `-in` The certificate request we are signing - `-out` The newly-signed certificate file to create - `-days` The number of days for which the signed certificate will be valid - `-CAcreateserial` Create a serialnumber for this CSR - `-passin` The keypassword source.The arguments to 'passin' have their own formatting instructions. See 'Pass Phrase Arguments' on https://www.openssl.org/docs/manmaster/apps/openssl.html
  • 43. Inter-Node Communication: SSL: Certificates Done Right Add the CA's public key to the node's key stores keytool -keystore node1-server-keystore.jks -alias CARoot -import -file ca-cert -noprompt -keypass awesomekeypass -storepass awesomekeypass
  • 44. Inter-Node Communication: SSL: Certificates Done Right Import that node's signed certificate back into it's trust store keytool -keystore node1-server-keystore.jks -alias node1 -import -file node1_cert_signed -keypass awesomekeypass -storepass awesomekeypass
  • 45. Inter-Node Communication: SSL: Certificates Done Right Build a trust store from the CA's public certificate (this can be shared among all nodes) keytool -keystore generic-server-truststore.jks -alias CARoot -importcert -file ca-cert -keypass mypass -storepass truststorepass -noprompt
  • 46. Inter-Node Communication: SSL: Certificates Done Right OMG! A Trust Chain!
  • 47. Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
  • 48. Inter-Node Communication: SSL Done Right server_encryption_options: internode_encryption: all keystore: conf/server-keystore.jks keystore_password: awesomekeypass truststore: conf/server-truststore.jks truststore_password: truststorepass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true If you don't set this to true, you might as well turn encryption off
  • 49. Inter-Node Communication: SSL Done Right Also: Key store password and key password *must be the same* server_encryption_options: ... keystore_password: awesomekeypass require_client_auth: true ... keytool ... -keypass awesomekeypass ...
  • 50. Inter-Node Communication: SSL Done Right Export restrictions? Use128 bit keys cipher_suites: [TLS_RSA_WITH_AES_128_CBC_SHA] http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html http://docs.oracle.com/javase/8/docs/technotes/guides/security/SunProviders.html#importlimits
  • 51. Inter-Node Communication: SSL: Certificates Done Right Trouble? -Djavax.net.debug=ssl http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/ReadDebug.html
  • 52. Inter-Node Communication: SSL: Certificates Done Right Netflix Lemur: "x.509 Certificate Orchestration Framework" http://techblog.netflix.com/2015/09/introducing-lemur.html https://github.com/Netflix/lemur
  • 53. Inter-Node Communication: SSL: Certificates Done Right HashicorpVault "secures, stores, and tightly controls access to tokens, passwords, certificates,API keys, and other secrets in modern computing. " https://www.vaultproject.io/
  • 54. Inter-Node Communication: SSL: Certificates Done Right Service level certificate management should have nothing to do with front- end certificates
  • 58. Inter-Node Communication:Authenticator o.a.c.auth.IInternodeAuthenticator boolean authenticate(InetAddress remoteAddress, int remotePort); void validateConfiguration() throws ConfigurationException;
  • 59. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 60. Client-Server Communication Same CA setup as Server-to-Server (same limitations, too)
  • 61. Client-Server Communication client_encryption_options: enabled: true keystore: conf/client-keystore.jks keystore_password: clientkeypass truststore: conf/client-truststore.jks truststore_password: clienttrustpass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true
  • 62. Client-Server Communication client_encryption_options: enabled: false keystore: conf/client-keystore.jks keystore_password: clientkeypass truststore: conf/client-truststore.jks truststore_password: clienttrustpass protocol: TLS algorithm: SunX509 store_type: JKS cipher_suites: [TLS_RSA_WITH_AES_256_CBC_SHA] require_client_auth: true If you don't set this to true, you might as well turn encryption off
  • 63. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management andTooling
  • 64. Authentication and Authorization: Best practices are the same as for RDBMS
  • 65. Authentication and Authorization: Best Practices Segment users: - Admin - Per-service CRUD - CRUD (reporting)
  • 66. Authentication and Authorization: Best Practices Limit access to tables and keyspaces
  • 67. Authentication and Authorization: Role-based access control (RBAC) in 2.2
  • 68. Authentication and Authorization:Authentication authenticator: PasswordAuthenticator Tip: keep your read-only cqlsh credentials in $HOME/.cassandra/cqlshrc of the system's admin account
  • 69. Authentication and Authorization:Authorization authorizer: CassandraAuthorizer TIP: turn permissions_validity_in_ms WAY UP default is 2000 (2 seconds!!) can use permissions_update_interval_in_ms for async refresh if needed
  • 70. Authentication and Authorization:Authorization These tables have default read permission for every authenticated user: system.schema_keyspace system.schema_columns system.schema_columnfamilies system.local system.peers
  • 71. Authentication and Authorization:Authentication IMPORTANT: "Please increase system_auth keyspace replication factor if you use this..." RF=Number of Nodes
  • 72. Encryption at Rest Inter-Node Communication Client-Server Communication Authentication and Authorization Management and Tooling
  • 74. Management andTooling: Securing JMX Options as of 2.1.8 will look familiar: JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStore=/path/to/keystore" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.keyStorePassword=<keystore-password>" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStore=/path/to/truststore" JVM_OPTS="$JVM_OPTS -Djavax.net.ssl.trustStorePassword=<truststore-password>" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.need.client.auth=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.registry.ssl=true" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.protocols=<enabled-protocols>" JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.ssl.enabled.cipher.suites=<enabled-cipher- suites>"
  • 75. Management andTooling: Securing JMX Thus: as of 2.1.8, nodetool can use SSL* * https://issues.apache.org/jira/browse/CASSANDRA-9090
  • 76. Management andTooling: Securing JMX Configure authentication for JMX* Now you can do: nodetool status -u monitor -pw monitorpass * http://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureJmxAuthentication.html
  • 77. Management andTooling: Securing JMX JMX user/password and role configuration is flexible For details, take a look at the defaults: $JAVA_HOME/jre/lib/management/jmxremote.access $JAVA_HOME/jre/lib/management/jmxremote.password.template
  • 79. Nate McCall @zznate Co-Founder & Sr.Technical Consultant www.thelastpickle.com Seattle Cassandra Users