Generate a cqlshrc File

Making connections to a Scylla cluster that uses SSL can be a tricky process, but it doesn’t diminish the importance of properly securing your client connections with SSL. This is especially needed when you are connecting to your cluster via the Internet or an untrusted network.

Before You Begin

Install the Java Cryptography Extensions. You can download the extensions from Oracle. The extension must match your installed Java version. Once downloaded, extract the contents of the archive to the lib/security subdirectory of your JRE’s installation directory /usr/lib/jvm/java-8-oracle/jre/lib/security/14.

  1. Create a new cqlsh configuration file at ~/.scylla/cqlshrc, using the template below.

    [authentication]
    username = myusername
    password = mypassword
    [cql]
    ; Substitute for the version of Cassandra you are connecting to.
    version = 3.3.1
    [connection]
    hostname = 127.0.0.1
    port = 9042
    factory = cqlshlib.ssl.ssl_transport_factory
    [ssl]
    certfile = /etc/scylla/db.crt
    ; Note: If validate = true then the certificate name must match the machine's hostname
    validate = true
    ; If using client authentication (require_client_auth = true in cassandra.yaml) you'll also need to point to your userkey and usercert.
    ; SSL client authentication is only supported via cqlsh on C* 2.1 and greater.
    ; This is disabled by default on all Instaclustr-managed clusters.
    userkey = /etc/scylla/db.key
    usercert = /etc/scylla/db.crt
    
  2. Change the following parameters:

    | Parameter name | Description | Acceptable Values / Notes |
    |---|---|---|
    | username | Your username | This requires password authentication to be set and roles to be created. |
    | password | The password that is associated with the username you specified. | This requires password authentication to be set and roles to be created. |
    | version | CQL version that the cluster you are connecting to is using | If you are not sure, run nodetool version |

  3. Save your changes. Connect to the node using cqlsh --ssl. If the configuration settings were saved correctly, you will be able to connect.

  4. Run Cassandra Stress to generate required files and to connect to the SSL cluster. Supply the URL of the SSH node, and the path to your certificates. In addition, supply the credentials associated with the certificate. The truststore file is the Java keystore containing the cluster’s SSL certificates. For example:

    $> cassandra-stress write -node 127.0.0.1 -transport truststore=/path/to/cluster/truststore.jks truststore-password=mytruststorepassword -mode native cql3 user=username password=mypassword
    

    Cassandra Stress will generate some files. You will need these to configure client-to-node encryption in transit.
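
A pre-flight check for the cqlshrc created in step 1, as an added example that is not part of the original documentation: it flags a password-bearing file that other users can read, an explicit validate = false, and missing or over-permissive certificate and key files. The function names and the constructed sample files are assumptions for illustration.

```python
import configparser
import os
import stat
import tempfile

def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_cqlshrc(path):
    """Return a list of findings for the cqlshrc at `path` (empty = clean)."""
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)  # passwords may contain '%'
    cfg.read(path)
    # The template keeps a plaintext password, so only the owner may read the file.
    if cfg.has_option("authentication", "password") and _mode(path) & 0o077:
        findings.append(f"cqlshrc mode {_mode(path):o} exposes password, use 600")
    # Flag an explicit opt-out of server certificate validation.
    if cfg.get("ssl", "validate", fallback="true").strip().lower() == "false":
        findings.append("[ssl] validate = false")
    if not cfg.has_option("ssl", "certfile"):
        findings.append("[ssl] certfile is not set")
    for opt in ("certfile", "userkey", "usercert"):
        target = cfg.get("ssl", opt, fallback=None)
        if target and not os.path.isfile(target):
            findings.append(f"[ssl] {opt} missing: {target}")
        elif target and opt == "userkey" and _mode(target) & 0o077:
            findings.append(f"[ssl] userkey mode {_mode(target):o}, use 600")
    return findings

def demo():
    """Audit a constructed weak cqlshrc, then the same file after hardening."""
    with tempfile.TemporaryDirectory() as d:
        crt, key, rc = (os.path.join(d, n) for n in ("db.crt", "db.key", "cqlshrc"))
        for p in (crt, key):
            open(p, "w").close()  # constructed empty stand-ins for cert and key
        os.chmod(key, 0o644)
        body = ("[authentication]\nusername = myusername\npassword = mypassword\n"
                "[ssl]\ncertfile = {crt}\nvalidate = {v}\nuserkey = {key}\nusercert = {crt}\n")
        with open(rc, "w") as f:
            f.write(body.format(crt=crt, key=key, v="false"))
        os.chmod(rc, 0o644)
        weak = audit_cqlshrc(rc)
        with open(rc, "w") as f:
            f.write(body.format(crt=crt, key=key, v="true"))
        os.chmod(rc, 0o600)
        os.chmod(key, 0o600)
        return weak, audit_cqlshrc(rc)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Run audit_cqlshrc against ~/.scylla/cqlshrc before the first cqlsh --ssl connection; an empty list means none of these conditions were found.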