
Encrypting communication between Cassandra nodes and clients

Posted at 2016-02-13

These are my notes from setting up encryption of the communication between a Cassandra node and its clients.

Environment

  • Vagrant 1.7.4
  • Ubuntu 14.04.3 LTS x 2
  • Cassandra 2.1.12

Vagrantfile:

# -*- mode: ruby -*-
# vi: set ft=ruby :

VAGRANTFILE_API_VERSION = "2"

Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
  config.vm.box = "ubuntu/trusty64"
  config.vm.define "client" do |client|
    client.vm.hostname = "client"
    client.vm.network "private_network", ip: "192.168.12.10"
    client.vm.provision "shell", inline: <<-SHELL
      echo "127.0.0.1     localhost" >  /etc/hosts
      echo "192.168.12.10 client"    >> /etc/hosts
      echo "192.168.12.11 node"     >> /etc/hosts
    SHELL
  end
  config.vm.define "node" do |node|
    node.vm.hostname = "node"
    node.vm.network "private_network", ip: "192.168.12.11"
    node.vm.provision "shell", inline: <<-SHELL
      echo "127.0.0.1     localhost" >  /etc/hosts
      echo "192.168.12.10 client"    >> /etc/hosts
      echo "192.168.12.11 node"     >> /etc/hosts
    SHELL
  end
end

Installing Cassandra (on both node and client)

Install Cassandra in the same way as in the earlier article. Do this on both the node and the client machine.

$ vagrant ssh node
vagrant@node:~$ sudo add-apt-repository -y ppa:openjdk-r/ppa
vagrant@node:~$ sudo apt-get update
vagrant@node:~$ sudo apt-get install -y openjdk-8-jdk
vagrant@node:~$ echo 'JAVA_HOME="/usr/lib/jvm/java-8-openjdk-amd64"' | sudo tee -a /etc/environment
vagrant@node:~$ source /etc/environment
vagrant@node:~$ echo 'deb http://www.apache.org/dist/cassandra/debian 21x main' | sudo tee -a /etc/apt/sources.list.d/cassandra.list
vagrant@node:~$ echo 'deb-src http://www.apache.org/dist/cassandra/debian 21x main' | sudo tee -a /etc/apt/sources.list.d/cassandra.list
vagrant@node:~$ sudo apt-get update
vagrant@node:~$ gpg --keyserver pgp.mit.edu --recv-keys 749D6EEC0353B12C
vagrant@node:~$ gpg --export --armor 749D6EEC0353B12C | sudo apt-key add -
vagrant@node:~$ sudo apt-get update
vagrant@node:~$ sudo apt-get install -y cassandra

Preparing the certificate and key (node only)

Prepare the certificate and key used for the encrypted connection. Log in to the node server and run the following commands.

vagrant@node:~$ cd /etc/cassandra/
vagrant@node:/etc/cassandra$ sudo mkdir conf
vagrant@node:/etc/cassandra$ cd conf
vagrant@node:/etc/cassandra/conf$ sudo keytool -genkey -keyalg RSA -alias node -keystore .keystore -dname "CN=Testuser, OU=Private, O=Company, C=JP" -storepass cassandra -keypass cassandra
vagrant@node:/etc/cassandra/conf$ sudo keytool -export -alias node -file /tmp/node.cer -keystore .keystore -storepass cassandra -keypass cassandra
vagrant@node:/etc/cassandra/conf$ sudo keytool -import -v -trustcacerts -alias node -file /tmp/node.cer -keystore .truststore -storepass cassandra -keypass cassandra
vagrant@node:/etc/cassandra/conf$ sudo keytool -importkeystore -srckeystore .keystore -destkeystore client.p12 -deststoretype PKCS12
vagrant@node:/etc/cassandra/conf$ sudo openssl pkcs12 -in client.p12 -out /tmp/client.pem -nodes
vagrant@node:/etc/cassandra/conf$ scp /tmp/client.pem client:/home/vagrant/
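The `openssl pkcs12 -nodes` step above writes the node's private key, unencrypted, into /tmp/client.pem next to the certificate, while cqlsh only needs the certificate in SSL_CERTFILE to trust the node. As an added example (not part of the original post), this Python script parses such a bundle, reports any private-key blocks, and re-emits a certificate-only file; the PEM contents are constructed placeholders, not real certificate or key material.

```python
import base64
import re

# Constructed sample of what `openssl pkcs12 -nodes` prints: PKCS#12 bag
# metadata, the certificate, then (because of -nodes) the unencrypted private
# key. The base64 bodies are placeholders, not real certificate or key bytes.
SAMPLE_BUNDLE = """Bag Attributes
    friendlyName: node
subject=/C=JP/O=Company/OU=Private/CN=Testuser
issuer=/C=JP/O=Company/OU=Private/CN=Testuser
-----BEGIN CERTIFICATE-----
MIIBAQ==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: node
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIBAg==
-----END PRIVATE KEY-----
"""

# One PEM block: matching BEGIN/END labels with a base64 body in between.
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block; rejects corrupt base64."""
    blocks = []
    for label, body in BLOCK_RE.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks

def certificate_only_pem(text):
    """Re-emit only CERTIFICATE blocks, dropping bag metadata and key material."""
    out = []
    for label, der in pem_blocks(text):
        if label != "CERTIFICATE":
            continue
        b64 = base64.b64encode(der).decode("ascii")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body)
    return "".join(out)

def audit_client_bundle(text):
    """Report what a bundle carries; a client trust file must hold no private key."""
    labels = [label for label, _ in pem_blocks(text)]
    keys = [l for l in labels if "PRIVATE KEY" in l]
    certs = [l for l in labels if l == "CERTIFICATE"]
    return {"certificates": len(certs), "private_keys": keys, "safe_for_client": bool(certs) and not keys}
```

Run `audit_client_bundle` on the file before copying it to the client, and ship the output of `certificate_only_pem` instead when it reports private keys.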

Configuring Cassandra (node only)

After installation, configure Cassandra as follows.

vagrant@node:~$ sudo chmod 750 /var/run/cassandra
vagrant@node:~$ sudo sed -i 's/CMD_PATT=.*/CMD_PATT="cassandra"/' /etc/init.d/cassandra
vagrant@node:~$ sudo sed -i 's/^#HEAP_NEWSIZE=.*/HEAP_NEWSIZE="40M"/' /etc/cassandra/cassandra-env.sh && grep HEAP_NEWSIZE /etc/cassandra/cassandra-env.sh
vagrant@node:~$ sudo sed -i 's/^#MAX_HEAP_SIZE=.*/MAX_HEAP_SIZE="100M"/' /etc/cassandra/cassandra-env.sh && grep MAX_HEAP_SIZE /etc/cassandra/cassandra-env.sh
vagrant@node:~$ sudo sed -i 's/127.0.0.1/192.168.12.11/' /etc/cassandra/cassandra.yaml
vagrant@node:~$ sudo sed -i 's/localhost/192.168.12.11/' /etc/cassandra/cassandra.yaml

Change client_encryption_options as shown below.

# sudo vi /etc/cassandra/cassandra.yaml
client_encryption_options:
    enabled: true
    keystore: /etc/cassandra/conf/.keystore
    keystore_password: cassandra
    require_client_auth: false
    truststore: /etc/cassandra/conf/.truststore
    truststore_password: cassandra

This is not required, but to enforce user authentication I also changed authenticator and authorizer.

# sudo vi /etc/cassandra/cassandra.yaml
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer

Verifying that it works

Start Cassandra on the node.

vagrant@node:~$ sudo service cassandra start

Confirm that you can log in from the client.

vagrant@client:~$ SSL_CERTFILE=client.pem cqlsh node -ucassandra -pcassandra --ssl
Connected to Test Cluster at node:9042.
[cqlsh 5.0.1 | Cassandra 2.1.13 | CQL spec 3.2.1 | Native protocol v3]
Use HELP for help.
cassandra@cqlsh>