---
id: 988c94de-6481-11ee-8c99-0242ac120002
---

# Enabling Internode Encryption in Apache Cassandra
---

Enabling internode encryption in Apache Cassandra involves configuring the communication between nodes in a Cassandra cluster to be encrypted. This is done to ensure the confidentiality and integrity of data being transmitted between nodes in the cluster. The process of enabling internode encryption can involve updating configuration files, generating and distributing SSL/TLS certificates, and restarting services. This incident type may arise due to a security audit or a compliance requirement that mandates communication between nodes in a Cassandra cluster to be encrypted.

### Parameters
```shell
export PATH_TO_CASSANDRA="PLACEHOLDER"

export PATH_TO_KEYSTORE_FILE="PLACEHOLDER"

export PATH_TO_JAVA="PLACEHOLDER"

export KEYSTORE_PASSWORD="PLACEHOLDER"

export VERSION="PLACEHOLDER"
```

## Debug

### Check if Java is installed
```shell
java -version
```

### Check Cassandra version
```shell
${PATH_TO_CASSANDRA}/bin/nodetool version
```

### Check if internode encryption is enabled
```shell
${PATH_TO_CASSANDRA}/bin/nodetool getsslinfo
```

### Check if SSL encryption is enabled in Cassandra configuration
```shell
grep -i "server_encryption_options" ${PATH_TO_CASSANDRA}/conf/cassandra.yaml
```

### Check if the keystore file exists and has the correct permissions
```shell
ls -l ${PATH_TO_KEYSTORE_FILE}
```

### Check if the keystore password is correct
```shell
${PATH_TO_JAVA}/bin/keytool -list -v -keystore ${PATH_TO_KEYSTORE_FILE} -storepass ${KEYSTORE_PASSWORD}
```


### Check the Cassandra logs for any errors related to internode encryption
```shell
tail -f ${PATH_TO_CASSANDRA}/logs/system.log | grep "internode encryption"
```

## Repair

### Verify that the cluster is running a version of Apache Cassandra that supports internode encryption, and if not, upgrade to a version that does.
```shell


#!/bin/bash



# Set the desired Cassandra version here

desired_version=${VERSION}



# Check if Cassandra is already installed and what version is running

installed_version=$(cassandra -v | grep 'Cassandra' | cut -d ' ' -f 3)

if [ -z "$installed_version" ]; then

  echo "Cassandra is not installed."

  exit 1

fi



echo "Cassandra version $installed_version is currently installed."



# Check if the installed version supports internode encryption

if [[ "$installed_version" != *"-beta"* ]] && [[ "$installed_version" < "4.0" ]]; then

  echo "Cassandra version $installed_version does not support internode encryption."

  echo "Upgrading to version $desired_version..."



  # Download the desired Cassandra version

  wget https://downloads.apache.org/cassandra/$desired_version/apache-cassandra-$desired_version-bin.tar.gz



  # Extract the downloaded Cassandra version

  tar -xzf apache-cassandra-$desired_version-bin.tar.gz



  # Stop the currently running Cassandra instance

  sudo service cassandra stop



  # Replace the Cassandra installation directory with the new version

  sudo mv apache-cassandra-$desired_version /usr/share/cassandra



  # Start the new Cassandra instance

  sudo service cassandra start



  # Verify that the new version is running

  installed_version=$(cassandra -v | grep 'Cassandra' | cut -d ' ' -f 3)

  if [[ "$installed_version" != *"$desired_version"* ]]; then

    echo "Failed to upgrade to Cassandra version $desired_version."

    exit 1

  fi



  echo "Successfully upgraded to Cassandra version $desired_version."

else

  echo "Cassandra version $installed_version already supports internode encryption."

fi



exit 0


```


Enabling internode encryption in Apache Cassandra involves configuring the communication between nodes in a Cassandra cluster to be encrypted. This is done to ensure the confidentiality and integrity of data being transmitted between nodes in the cluster. The process of enabling internode encryption can involve updating configuration files, generating and distributing SSL/TLS certificates, and restarting services. This incident type may arise due to a security audit or a compliance requirement that mandates communication between nodes in a Cassandra cluster to be encrypted.


```shell
export PATH_TO_CASSANDRA="PLACEHOLDER"

export PATH_TO_KEYSTORE_FILE="PLACEHOLDER"

export PATH_TO_JAVA="PLACEHOLDER"

export KEYSTORE_PASSWORD="PLACEHOLDER"

export VERSION="PLACEHOLDER"
```


### Check if Java is installed

```shell
java -version
```

### Check Cassandra version

```shell
${PATH_TO_CASSANDRA}/bin/nodetool version
```

### Check if internode encryption is enabled

```shell
${PATH_TO_CASSANDRA}/bin/nodetool getsslinfo
```

### Check if SSL encryption is enabled in Cassandra configuration

```shell
grep -i "server_encryption_options" ${PATH_TO_CASSANDRA}/conf/cassandra.yaml
```

### Check if the keystore file exists and has the correct permissions

```shell
ls -l ${PATH_TO_KEYSTORE_FILE}
```

### Check if the keystore password is correct

```shell
${PATH_TO_JAVA}/bin/keytool -list -v -keystore ${PATH_TO_KEYSTORE_FILE} -storepass ${KEYSTORE_PASSWORD}
```

### Check the Cassandra logs for any errors related to internode encryption

```shell
tail -f ${PATH_TO_CASSANDRA}/logs/system.log | grep "internode encryption"
```


### Verify that the cluster is running a version of Apache Cassandra that supports internode encryption, and if not, upgrade to a version that does.

```shell


#!/bin/bash



# Set the desired Cassandra version here

desired_version=${VERSION}



# Check if Cassandra is already installed and what version is running

installed_version=$(cassandra -v | grep 'Cassandra' | cut -d ' ' -f 3)

if [ -z "$installed_version" ]; then

  echo "Cassandra is not installed."

  exit 1

fi



echo "Cassandra version $installed_version is currently installed."



# Check if the installed version supports internode encryption

if [[ "$installed_version" != *"-beta"* ]] && [[ "$installed_version" < "4.0" ]]; then

  echo "Cassandra version $installed_version does not support internode encryption."

  echo "Upgrading to version $desired_version..."



  # Download the desired Cassandra version

  wget https://downloads.apache.org/cassandra/$desired_version/apache-cassandra-$desired_version-bin.tar.gz



  # Extract the downloaded Cassandra version

  tar -xzf apache-cassandra-$desired_version-bin.tar.gz



  # Stop the currently running Cassandra instance

  sudo service cassandra stop



  # Replace the Cassandra installation directory with the new version

  sudo mv apache-cassandra-$desired_version /usr/share/cassandra



  # Start the new Cassandra instance

  sudo service cassandra start



  # Verify that the new version is running

  installed_version=$(cassandra -v | grep 'Cassandra' | cut -d ' ' -f 3)

  if [[ "$installed_version" != *"$desired_version"* ]]; then

    echo "Failed to upgrade to Cassandra version $desired_version."

    exit 1

  fi



  echo "Successfully upgraded to Cassandra version $desired_version."

else

  echo "Cassandra version $installed_version already supports internode encryption."

fi



exit 0


```


Enabling Internode Encryption in Apache Cassandra

Overview

Parameters

Debug

Check if Java is installed

Check Cassandra version

Check if internode encryption is enabled

Check if SSL encryption is enabled in Cassandra configuration

Check if the keystore file exists and has the correct permissions

Check if the keystore password is correct

Repair

Verify that the cluster is running a version of Apache Cassandra that supports internode encryption, and if not, upgrade to a version that does.

Learn more

Related Runbooks

Support