Hi,
I am doing a Stage migration to the Cassandra/Elastic clusters. Normally, connections to the clusters are secured by SSL.
Has anyone had a chance to use the migration tool when there is secure communication (SSL/HTTPS) with the Cassandra/Elastic clusters?
I am not able to initialize the migration in the Migration Tool,
but when I turn off security (so no SSL, no HTTPS), initialization goes fine.
I am not so familiar with certificates, but in our cluster there is one - the same cert for each node:
so for all Cassandra nodes it is the cert
CN: dma-cassandra.comp.local
for all Elastic nodes it is the cert:
CN: dma-elastic.comp.local
Is it OK to have one cert for each node,
or maybe it is not OK and I need to, e.g., add all nodes to "Subject Alternative Names"?
So, e.g., for the Elastic cert:
DNS Name = dma-elastic-01.comp.local
DNS Name = dma-elastic-02.comp.local
DNS Name = dma-elastic-03.comp.local
DNS Name = dma-elastic-04.comp.local
etc
Hi Piotr,
I found an internal backlog item indicating the CassandraCluster migration tool does not support connecting to a TLS-enabled Cassandra, so I'm afraid this is not supported yet.
An insecure workaround could be to disable the TLS encryption during the migration and enable it again afterward, but I can understand if this is not allowed or a good alternative as this would be a big compromise on security.
Hi Jens,
So is it OK to do the migration without encryption and later turn on encryption on Elastic and Cassandra?
Yes, I think that should work.
Hey Piotr,
Using the same certificate for different nodes shouldn't cause the migration tool to fail. Although, it's recommended to use individual certificates tied to each node's DNS name/IP. This will allow strict hostname checking. More info here: xpack.security.transport.ssl.verification_mode.
Failing initialization when security is enabled might be due to DataMiner not trusting the root CA that signed your certificates. Is the root CA installed as a trusted root authority on each DataMiner server? See Configure clients (and DataMiner Systems) to access the cluster.
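The strict hostname checking mentioned in the answer above, as an added example that is not part of the original posts or of DataMiner: it reports which node names a certificate would fail to cover. The certificate dicts use the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and sample certificates are constructed for illustration, and the CN fallback is an assumption about the verifier.

```python
# Added example: which node names does a certificate cover under strict
# hostname checking? Certificate dicts use the shape returned by Python's
# ssl.SSLSocket.getpeercert(); all sample values below are constructed.

def dns_names(cert):
    """DNS names a verifier compares against: SAN entries, else the CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    # Assumption: fall back to the subject CN only when no DNS SAN exists.
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]  # wildcard covers one label only
    return p == h

def uncovered_nodes(cert, nodes):
    """Node hostnames that would fail hostname verification for this cert."""
    names = dns_names(cert)
    return [n for n in nodes if not any(name_matches(p, n) for p in names)]

# Node names taken from the question (01 to 04).
NODES = [f"dma-elastic-{i:02d}.comp.local" for i in range(1, 5)]

# Constructed: the shared certificate from the question (CN only).
SHARED_CN_ONLY = {"subject": ((("commonName", "dma-elastic.comp.local"),),)}

# Constructed: the same certificate with every node added as a SAN.
SHARED_WITH_SANS = {
    "subject": ((("commonName", "dma-elastic.comp.local"),),),
    "subjectAltName": tuple(("DNS", n) for n in NODES),
}

if __name__ == "__main__":
    for label, cert in (("CN only", SHARED_CN_ONLY),
                        ("with SANs", SHARED_WITH_SANS)):
        print(label, "-> uncovered:", uncovered_nodes(cert, NODES))
```

Once DNS SAN entries are present, the CN is no longer consulted, so the cluster alias `dma-elastic.comp.local` must itself be listed as a SAN if clients connect through it.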
Hi Piotr, which DataMiner version are you running? DataMiner can only connect to a TLS enabled Elasticsearch from 10.2.0 CU0 onwards and to a TLS 1.2 enabled Cassandra from 10.2.0 CU1 onwards.