Configuring a Cassandra cluster for external encryption
Version:
Establish a secure channel for data transfers between Pega client machines and a Cassandra cluster by using client-to-server encryption.
- Decision Data Store (DDS) nodes
- Adaptive Decision Manager (ADM) nodes
- Visual Business Director (VBD) nodes
- Dataflow nodes
- App tier nodes
- Decision Hub tier nodes
-
In the
prconfig.xml
file, enable node-to-node encryption by setting the dnode/cassandra_client_encryption property to true.For more information about theprconfig.xml
file, see Changing node settings by modifying the prconfig.xml file and Downloading a prconfig configuration file for a node.If you enable client-to-server encryption without updating the settings, the values of the corresponding node-to-node encryption properties are used for the missing client settings. In that case, configure node-to-node encryption regardless for all nodes, not only DDS. For more information, see Configuring a Cassandra cluster for internal encryption. -
Configure the remaining
prconfig.xml
settings.For more information about theprconfig.xml
properties for client-to-server encryption, see Prconfig properties for Cassandra cluster encryption. -
In the
cassandra.yaml
file, add the following configuration:- For client-to-server encryption, add:
client_encryption_options: { keystore_password: cassandra, require_client_auth: 'true', truststore_password: cassandra, keystore: /path/keystore.shared, truststore: /path/truststore.shared, store_type: JKS, enabled: 'true', algorithm: SunX509}
- For Cassandra node-to-node encryption, add:
server_encryption_options: { keystore_password: cassandra, require_client_auth: 'true', internode_encryption: all, truststore_password: cassandra, keystore: /path/keystore.shared, truststore: /path/truststore.shared, store_type: JKS}
- For client-to-server encryption, add:
-
Create Java keystores and truststores along with SSL certificates.
For more information, see Creating Java keystores and truststores for Cassandra encryption.If you do not create separate Java keystores and truststores for external encryption, Cassandra uses the keystores and trustores that you specified for internal encryption. -
Copy the
keystore.shared
andtruststore.shared
files to the external Cassandra directory. -
In the
prconfig.xml
andcassandra.yaml
files, update the configuration with the file paths and passwords to the certificates. -
Restart Pega Platform for the changes to take effect.
- Configuring a Cassandra cluster for internal encryption
Protect data that is transferred internally between Decision Data Store (DDS) nodes by using node-to-node encryption.
- Configuring compaction settings for SSTables
Maintain the good health of the Cassandra cluster by tuning compaction throughput for write-intensive workloads.
- Prconfig properties for Cassandra cluster encryption
Secure the data transfer between Cassandra nodes and between the client machines and the Cassandra cluster by customizing the prconfig.xml file properties.
- Creating Java keystores and truststores for Cassandra encryption
Enable internal and external Cassandra encryption by creating Java keystores and truststores along with SSL certificates.
- Configuring a Cassandra cluster for internal encryption
Protect data that is transferred internally between Decision Data Store (DDS) nodes by using node-to-node encryption.
- Configuring the Cassandra cluster
Pega Platform comes with an internal Cassandra cluster to which you can connect through a Decision Data Store data set. Before connecting to the cluster through Pega Platform, perform the following steps to achieve optimal performance and data consistency across the nodes in the cluster.