
Security in Apache Cassandra#

Authentication with Cassandra#

Cassandra Configuration#

  1. Create an account and grant it permissions on the keyspace
CREATE ROLE thehive WITH PASSWORD = 'thehive1234' AND LOGIN = true;
GRANT ALL PERMISSIONS ON KEYSPACE thehive TO thehive;
Replace 'thehive1234' with a strong password. Cassandra only enforces these credentials when cassandra.yaml sets authenticator: PasswordAuthenticator and authorizer: CassandraAuthorizer; with the default AllowAllAuthenticator and AllowAllAuthorizer the role exists, but any client can connect without a password and read every keyspace.
  2. Configure TheHive with the account

Update /etc/thehive/application.conf accordingly:

db.janusgraph {
  storage {
    ## Cassandra configuration
    # More information at https://docs.janusgraph.org/basics/configuration-reference/#storagecql
    backend: cql
    hostname: ["xxx.xxx.xxx.xxx"]
    # Cassandra authentication (if configured): the role created above
    username: "thehive"
    password: "thehive1234"
    cql {
      cluster-name: thp
      keyspace: thehive
    }
  }
}

The password is stored in clear text, so application.conf should be readable only by the user running TheHive.

Securing Cassandra connection with TheHive#

This guide explains how to secure the connection between the Cassandra server and its clients (TheHive). It does not cover communication between Cassandra nodes when a cluster contains several of them; that is configured separately, through server_encryption_options in cassandra.yaml.

Requirements#

The setup requires a valid X.509 certificate for the Cassandra service. It must have the standard properties of a server certificate:

  • Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Key Agreement
  • Extended Key Usage: TLS Web Server Authentication
  • Cert Type: SSL Server

It must also carry a "Subject Alternative Name" listing the identifier (DNS name and/or IP address) under which clients reach the Cassandra server, i.e. exactly the value TheHive will use in hostname; hostname verification is performed against the SAN. The certificate and its private key are delivered as a PKCS12 file (extension .p12).

Then create a truststore containing the certificate authority that issued the Cassandra certificate. The truststore must be in Java format (JKS). If your CA certificate is ca.crt, you can generate the truststore with the following command:

keytool -import -file /path/to/ca.crt -alias CA -storetype JKS -keystore ca.jks

This command asks for a password, which protects the integrity of the truststore file (the CA certificate itself is public), and for confirmation that the certificate should be trusted. The -storetype JKS option matters on Java 9 and later, where keytool otherwise creates PKCS12 keystores by default.

The command keytool is available in any JDK distribution.

Cassandra configuration#

The default location of the configuration file of Cassandra is /etc/cassandra/cassandra.yaml.

Locate the section client_encryption_options and set the following options:

client_encryption_options: 
    enabled: true 
    optional: false 
    keystore: /etc/cassandra/keystore.p12 
    keystore_password: cassandra 
    store_type: PKCS12 

The keystore value is the location of the PKCS12 file holding the certificate and its private key, and keystore_password is the password that file was exported with. optional: false rejects clients that do not negotiate TLS; leaving it true lets a misconfigured client silently fall back to clear text on the same port. Since the password is stored in clear, keep cassandra.yaml and the keystore readable by the cassandra user only.

Then restart the cassandra service for the change to take effect.

TheHive configuration#

In the application.conf file, specify the location of the truststore file:

db.janusgraph.storage { 
  backend: cql 
  hostname: ["127.0.0.1"] 
  cql.ssl { 
    enabled: true 
    truststore { 
      location: /path/to/ca.jks
      password: cassandra
    } 
  } 
}

The location setting is the path of the truststore file generated by the keytool command, and password is the one entered during truststore creation. The identifier in hostname (127.0.0.1 here) must be one of the entries in the Subject Alternative Name of the Cassandra certificate, otherwise the driver rejects the connection; if the certificate only names the server's DNS name, use that name instead of the loopback address.
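The whole procedure, from the certificate requirements through the two configuration files, depends on artefacts the page does not show how to build. The following shell script is an added example, not part of TheHive's documentation or tooling: it creates a private CA, issues a server certificate with the key usages and SAN listed under Requirements, exports the PKCS12 keystore that cassandra.yaml points to and, when a JDK's keytool is present, the JKS truststore that application.conf points to, and finally checks whether the identifier TheHive would put in hostname appears in the SAN. The CA name, the host name cassandra.example.internal, the address 10.0.0.5, the output directory and the passwords are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from TheHive's docs: build the PKCS12 keystore for
# cassandra.yaml and the JKS truststore for application.conf, then check the
# SAN against the identifier TheHive will use in `hostname:`.
# Assumes openssl is installed; keytool is only used if a JDK is present.
set -eu

write_req_cnf() {   # $1 = file, $2 = CN, $3 = extension lines for the [ext] section
  printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\nprompt=no\n[dn]\nCN=%s\n[ext]\n%s\n' \
    "$2" "$3" > "$1"
}

make_cassandra_tls() {
  # $1 output dir, $2 DNS name clients use, $3 IP clients use, $4 keystore password
  out=$1; dns=$2; ip=$3; pass=$4
  mkdir -p "$out"
  # 1. A private CA (assumption for the example; use your organisation's CA in production).
  write_req_cnf "$out/ca.cnf" "Example Cassandra CA" \
    "basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash"
  openssl req -x509 -config "$out/ca.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null
  # 2. Server key and CSR; the [ext] section carries exactly the properties the page lists.
  write_req_cnf "$out/server.cnf" "$dns" \
    "basicConstraints=CA:FALSE
keyUsage=digitalSignature,nonRepudiation,keyEncipherment,keyAgreement
extendedKeyUsage=serverAuth
nsCertType=server
subjectAltName=DNS:$dns,IP:$ip"
  openssl req -new -config "$out/server.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$out/cassandra.key" -out "$out/cassandra.csr" 2>/dev/null
  # 3. Sign the CSR with the CA, copying the extensions from the [ext] section.
  openssl x509 -req -sha256 -days 825 -in "$out/cassandra.csr" \
    -CA "$out/ca.crt" -CAkey "$out/ca.key" -CAcreateserial \
    -extfile "$out/server.cnf" -extensions ext -out "$out/cassandra.crt" 2>/dev/null
  # 4. PKCS12 keystore -> cassandra.yaml: keystore / keystore_password / store_type: PKCS12
  openssl pkcs12 -export -in "$out/cassandra.crt" -inkey "$out/cassandra.key" \
    -certfile "$out/ca.crt" -name cassandra -passout "pass:$pass" -out "$out/keystore.p12"
  # 5. JKS truststore -> application.conf: cql.ssl.truststore (needs keytool from a JDK;
  #    -storetype JKS because Java 9+ keytool defaults to PKCS12).
  if command -v keytool >/dev/null 2>&1; then
    keytool -import -noprompt -file "$out/ca.crt" -alias CA -storetype JKS \
      -keystore "$out/ca.jks" -storepass "$pass" >/dev/null 2>&1
  fi
}

san_of() {   # print the SAN entries of a PEM certificate, without spaces
  openssl x509 -in "$1" -noout -text | awk '/Subject Alternative Name/{getline; print}' | tr -d ' '
}

san_matches() {   # $1 = cert, $2 = DNS name or IP TheHive would put in hostname:
  san_of "$1" | tr ',' '\n' | grep -qx -e "DNS:$2" -e "IPAddress:$2"
}

verify_chain() {   # $1 = ca.crt, $2 = server certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo run into a temporary directory.
DEMO=$(mktemp -d)
make_cassandra_tls "$DEMO" cassandra.example.internal 10.0.0.5 'change-me'
verify_chain "$DEMO/ca.crt" "$DEMO/cassandra.crt" && echo "chain verifies against ca.crt"
echo "SAN: $(san_of "$DEMO/cassandra.crt")"
for id in cassandra.example.internal 10.0.0.5 127.0.0.1; do
  if san_matches "$DEMO/cassandra.crt" "$id"; then
    echo "hostname: [\"$id\"] would pass hostname verification"
  else
    echo "hostname: [\"$id\"] would FAIL: not in the SAN"
  fi
done
```

Run it with sh; the loop at the end reproduces the pitfall described above: a certificate issued for cassandra.example.internal and 10.0.0.5 is rejected when TheHive is configured with hostname: ["127.0.0.1"], so either add the loopback address to the SAN or configure TheHive with a name the certificate actually carries.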


Last update: March 2, 2021 17:57:33