Configuring SSL Connections

Note: In this documentation, "SSL" indicates both TLS (Transport Layer Security) and SSL (Secure Sockets Layer). The connector supports industry-standard versions of TLS/SSL.

If you are connecting to a Cassandra server that has SSL enabled, you can configure the connector to connect to an SSL-enabled socket. When connecting to a server over SSL, the connector supports identity verification between the client (the connector itself) and the server.

If you are connecting to an Astra instance instead, then SSL encryption with identity verification between the client and the server is always required. Typically, the secure connection bundle that you use to authenticate your connection to Astra already includes the required SSL certificates, and the connector defaults to using those certificates when connecting to Astra, so you do not need to configure any additional SSL settings. However, you have the option of overriding the SSL certificates in the bundle by specifying other certificate information in your connection URL. For more information, see Configuring Two-Way SSL Authentication.

Configuring an SSL Connection without Identity Verification

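You can configure a connection that uses SSL but does not verify the identity of the server or the connector. The traffic is encrypted, but because no certificate is checked, the connector cannot confirm that it is talking to the intended server.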

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure an SSL connection without verification:

  1. Set the SSLMode property to 1.
  2. Set the UseSslIdentityCheck property to 0.

Configuring One-Way SSL Authentication

You can configure one-way SSL authentication so that the connector verifies the identity of the Cassandra server.

One-way authentication requires a TrustStore containing a signed, trusted SSL certificate for verifying the identity of the server. You can create a TrustStore and configure the connector to use it. If you do not configure the connector to use a specific TrustStore, then the connector uses the TrustStore named jssecacerts. If jssecacerts is not available, then the connector uses cacerts instead.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure one-way SSL authentication:

  1. If you are not using one of the default Java TrustStores, then configure the connector to access your TrustStore:
    1. Set the SSLTruststorePath property to the full path of the TrustStore.
    2. Set the SSLTruststorePwd property to your password for accessing the TrustStore.
  2. Set the SSLMode property to 1.
  3. Set the UseSslIdentityCheck property to 1.

Configuring Two-Way SSL Authentication

When connecting to Cassandra, you can configure two-way SSL verification so that the connector and the server verify each other.

Two-way authentication requires a TrustStore containing a signed, trusted SSL certificate for verifying the identity of the server, and a KeyStore containing a similar certificate for verifying the identity of the connector. You can create a TrustStore and configure the connector to use it. If you do not configure the connector to use a specific TrustStore, then the connector uses the TrustStore named jssecacerts. If jssecacerts is not available, then the connector uses cacerts instead.

When connecting to Astra, two-way SSL verification is always enabled, and the required certificates are typically provided through the secure connection bundle. However, you can override the SSL certificates in the bundle by configuring the connector to use a TrustStore and KeyStore instead.

These settings are configured in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure two-way SSL verification:

  1. If you are not using one of the default Java TrustStores, then configure the connector to access your TrustStore:
    1. Set the SSLTruststorePath property to the full path of the TrustStore.
    2. Set the SSLTruststorePwd property to your password for accessing the TrustStore.
  2. Configure the connector to access your KeyStore:
    1. Set the SSLKeystorePath property to the full path of the KeyStore.
    2. Set the SSLKeystorePwd property to your password for accessing the KeyStore.
  3. Set the SSLMode property to 2.
  4. If you are connecting to a Cassandra server, set the UseSslIdentityCheck property to 1.
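
The three procedures above can be checked mechanically before a connection URL is deployed. The following Python script is an added example, not part of the connector or its documentation: it reads the SSL properties named on this page from a URL and reports which setup they describe and what is missing. It assumes a Cassandra server connection (not Astra), that properties follow the URL prefix as `;Key=Value` pairs, and that key names are case-insensitive; the sample host, port and paths are constructed.

```python
# Added example: audit a connector URL against the SSL setups on this page.
# Assumptions: properties follow the URL prefix as ;Key=Value pairs and key
# names are matched case-insensitively.

def parse_properties(url):
    """Return {lowercased key: value} for each ;Key=Value pair in the URL."""
    props = {}
    for part in url.split(";")[1:]:  # part 0 is the scheme://host:port prefix
        key, sep, value = part.partition("=")
        if sep and key.strip():
            props[key.strip().lower()] = value.strip()
    return props

def audit(url):
    """Return (setup, findings) for the SSL properties found in the URL."""
    p = parse_properties(url)
    ssl_mode, identity = p.get("sslmode"), p.get("usesslidentitycheck")
    if ssl_mode not in ("1", "2"):
        return "no-ssl-setup", ["WARN: SSLMode is not set to 1 or 2"]
    findings = []
    if ssl_mode == "2":
        setup = "two-way"
        for key in ("SSLKeystorePath", "SSLKeystorePwd"):
            if key.lower() not in p:
                findings.append(f"WARN: {key} is missing; two-way SSL needs a KeyStore")
    elif identity == "1":
        setup = "one-way"
    elif identity == "0":
        setup = "ssl-without-verification"
    else:
        setup = "ssl-identity-check-unset"
    if identity != "1":
        findings.append("WARN: UseSslIdentityCheck is not 1; the verified setups require 1")
    has_path, has_pwd = "ssltruststorepath" in p, "ssltruststorepwd" in p
    if has_path != has_pwd:
        findings.append("WARN: set SSLTruststorePath and SSLTruststorePwd together")
    elif not has_path and identity == "1":
        findings.append("INFO: no TrustStore set; jssecacerts is used, else cacerts")
    return setup, findings

if __name__ == "__main__":
    # Constructed sample URLs; host, port and file paths are placeholders.
    base = "jdbc:cassandra://cassandra.example.internal:9042"
    for url in (
        base + ";SSLMode=1;UseSslIdentityCheck=0",
        base + ";SSLMode=1;UseSslIdentityCheck=1",
        base + ";SSLMode=2;UseSslIdentityCheck=1;SSLKeystorePath=/opt/app/client.jks",
    ):
        print(url, audit(url), sep="\n  ")
```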