在ssl中使用cqlsh [英] Using cqlsh with ssl

问题描述

我已经在cassandra节点中启用了ssl加密，并且试图找出如何使用带有ssl的cqlsh连接到我的节点：

I have enabled ssl encryption in my cassandra node and I am trying to figure out how to connect to my node using cqlsh with ssl:

当我运行 ./ cqlsh --ssl 我收到以下错误：

When I run ./cqlsh --ssl I get the following error:

Validation is enabled; SSL transport factory requires a valid certfile to be specified. Please provide path to the certfile in [ssl] section as 'certfile' option in /root/.cassandra/cqlshrc (or use [certfiles] section) or set SSL_CERTFILE environment variable.

我点击了 https://docs.datastax.com/en/cassandra/2.1/cassandra/security/secureCqlshSSL_t.html ：

[authentication]
username = fred
password = !!bang!!$

我保留在根文件夹中，以便任何用户都可以登录并可以访问公用文件夹（而不是在我的用户目录中）。但是，在这种情况下，密码是什么？我需要输入密码吗？！

I am keeping in the root folder so that any user can login and can access the common folder (rather than in my user directory). However what would be the password in this case? Do I need to put my password?!

certfile = ~/keys/node0.cer.pem

我是否需要将此证书文件添加到cassandra的信任库中，还是可以仅添加cassandra节点证书本身？

Will I need to add this certfile to the cassandra's truststore, or can I just add cassandra nodes certificate itself?

我正在使用Cassandra 2.2.7。

I am using Cassandra 2.2.7.

推荐答案

使这项工作：

但是在这种情况下密码是什么？我需要输入密码吗？！

However what would be the password in this case? Do I need to put my password?!

在您的cqlshrc文件中，这是指用于身份验证/授权的用户名和密码。您真的不需要在这里添加它。如果不这样做，请记住在cqlsh命令行上指定 -u用户名-p password 标志。

Inside your cqlshrc file, this refers to the username and password for authentication/authorization. You don't really need to add it here. If you do not, remember to specify the -u username -p password flags on the cqlsh command line.

我需要将此证书文件添加到cassandra的信任库中，还是可以仅添加cassandra节点证书本身。

Will I need to add this certfile to the cassandra's truststore, or can I just add cassandra nodes certificate itself.

对于客户端到节点SSL，您实际上并不需要使用信任库。

For client-to-node SSL, you don't really need to use the truststore.

如果按照上述文档中的步骤进行操作，则您应该已经拥有密钥库文件中证书的私钥部分。然后，您将已将该证书的公共部分导出到文件中。然后，您应该将该文件转换为PKCS12文件，以与cqlsh一起使用。从上面使用的文件名来看，好像已经完成了。

If you followed the steps in that doc above, you should already have the private key part of the certificate in your keystore file. Then, you would have exported the public part of that cert to a file. You would have then converted that file to a PKCS12 file for use with cqlsh. Judging by the filenames you are using above, it looks like you have done that.

作为示例，下面是一个示例cqlshrc文件，该文件应连接到2.2.x群集：

As an example, here is an example cqlshrc file that should connect to a 2.2.x clusters:

[connection]
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = ~/certs/dev-cluster1.cer.pem
validate = false

[authentication]
username = cassuser
password = 12345

请确保您设置了 ssl_transport_factory

这篇关于在ssl中使用cqlsh的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！