[英]Cassandra: how to setup node-to-node encryption?
Cassandra supports both client-node encryption and node-node encryption. Cassandra支持客户端节点加密和节点 - 节点加密。 It seems like the client-node encryption is simple to setup. 似乎客户端节点加密很容易设置。
Now that i have finished setting up client-node, i was trying out the node-node encryption and am curious about a couple of things. 现在我已经完成了客户端节点的设置,我正在尝试节点 - 节点加密,并对一些事情感到好奇。
The example here ( http://www.datastax.com/docs/datastax_enterprise3.1/security/ssl_certs#ssl-certs ) uses different certificates for different nodes. 此处的示例( http://www.datastax.com/docs/datastax_enterprise3.1/security/ssl_certs#ssl-certs )对不同的节点使用不同的证书。 Is this compulsory? 这是强制性的吗?
Can I use the sample SSL certificate for every node rather than generating a new certificate for each node? 我是否可以为每个节点使用示例SSL证书,而不是为每个节点生成新证书?
The example here ( http://www.datastax.com/docs/datastax_enterprise3.1/security/ssl_certs#ssl-certs ) uses different certificates for different nodes. 此处的示例( http://www.datastax.com/docs/datastax_enterprise3.1/security/ssl_certs#ssl-certs )对不同的节点使用不同的证书。 Is this compulsory? 这是强制性的吗?
It is considered best practice to give each node it's own identifying certificate, but it is not required. 最佳做法是为每个节点提供自己的标识证书,但这不是必需的。
Can I use the sample SSL certificate for every node rather than generating a new certificate for each node? 我是否可以为每个节点使用示例SSL证书,而不是为每个节点生成新证书?
Yes you could, but what I would do is create your own Certificate Authority and then generate all of your certificates signed by that Authority (see this for how to do it using keytool). 是的,你可以,但我会做的是创建自己的证书颁发机构,然后生成所有由该机构签署的证书(见本关于如何使用密钥工具来做到这一点)。 This way you only have to trust the certificate authority on your cassandra nodes so you can add more nodes without having to update your trust stores on every cassandra node. 这样,您只需要信任cassandra节点上的证书颁发机构,这样就可以添加更多节点,而无需在每个cassandra节点上更新信任存储。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.