Configuring a Cassandra cluster for external encryption
This content applies only to On-premises and Client-managed cloud environments
Establish a secure channel for data transfers between Pega Platform client machines and a Cassandra cluster by using client-to-server encryption.
- In the prconfig.xml file, enable client-to-server encryption by setting the dnode/cassandra_client_encryption property to true.
  For more information about the prconfig.xml file, see Changing node settings by modifying the prconfig.xml file and Downloading and viewing the prconfig.xml file for a specific node.
  If you enable client-to-server encryption without updating the settings, the values of the corresponding node-to-node encryption properties are used for the missing client settings. In that case, configure node-to-node encryption for all nodes regardless, not only DDS nodes. For more information, see Configuring a Cassandra cluster for internal encryption (deprecated).
- Configure the remaining prconfig.xml settings.
  For more information about the prconfig.xml properties for client-to-server encryption, see Prconfig properties for Cassandra cluster encryption.
- In the cassandra.yaml file, add the following configuration for client-to-server encryption:
    client_encryption_options: {
      keystore_password: cassandra,
      require_client_auth: 'true',
      truststore_password: cassandra,
      keystore: /path/keystore.shared,
      truststore: /path/truststore.shared,
      store_type: JKS,
      enabled: 'true',
      algorithm: SunX509 }
- Create Java keystores and truststores along with SSL certificates.
  For more information, see Creating Java keystores and truststores for Cassandra encryption.
- Copy the keystore.shared and truststore.shared files to the external Cassandra directory.
- In the prconfig.xml and cassandra.yaml files, update the configuration with the file paths and passwords to the certificates.
- Restart Pega Platform for the changes to take effect.
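A pre-restart check for the cassandra.yaml part of this procedure, written as an added example (not Pega or Cassandra code): it parses the client_encryption_options flow mapping from the step above and reports sample values that were never replaced. The function names, the constructed sample string, and the file-permission check are assumptions of this example, not requirements stated on this page.

```python
import os
import re
import stat

# Constructed sample: the flow mapping as the procedure shows it, still
# carrying the placeholder /path/ locations and the "cassandra" passwords.
SAMPLE = ("client_encryption_options: { keystore_password: cassandra, "
          "require_client_auth: 'true', truststore_password: cassandra, "
          "keystore: /path/keystore.shared, truststore: /path/truststore.shared, "
          "store_type: JKS, enabled: 'true', algorithm: SunX509}")

def parse_flow_mapping(text):
    """Parse the `{ key: value, ... }` form used in the procedure (not general YAML)."""
    body = re.search(r"client_encryption_options:\s*\{(.*)\}", text, re.S)
    if not body:
        raise ValueError("client_encryption_options block not found")
    opts = {}
    for pair in body.group(1).split(","):
        key, _, value = pair.partition(":")
        opts[key.strip()] = value.strip().strip("'\"")
    return opts

def audit(opts):
    """Return a list of findings; an empty list means the block passed."""
    findings = []
    for flag in ("enabled", "require_client_auth"):
        if opts.get(flag, "false").lower() != "true":
            findings.append(f"{flag} is not true")
    for store in ("keystore", "truststore"):
        path, password = opts.get(store, ""), opts.get(f"{store}_password", "")
        if password in ("", "cassandra"):
            findings.append(f"{store}_password is empty or the sample value")
        if not path or path.startswith("/path/"):
            findings.append(f"{store} still points at the placeholder path")
        elif not os.path.isfile(path):
            findings.append(f"{store} file not found: {path}")
        # Assumption of this example: store files should be owner-only.
        elif stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            findings.append(f"{store} is readable by group or others: {path}")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_flow_mapping(SAMPLE)):
        print("FINDING:", finding)
```

Run against the unmodified sample, it reports four findings: both passwords and both store paths are still the documentation values.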