Jump to: navigation, search

Configure Cassandra Security

Security configuration for Cassandra enables a secure JMX connection between Feature Server (FS) and its embedded Cassandra.

Embedded Cassandra JMX Authentication


You can follow this procedure to activate the JMX anonymous authentication and view your FS Cassandra nodes status in the FS UI.

Important
This feature is not available for versions prior to 8.1.201.82.
  1. Edit the launcher.xml file and set the following parameters to true:
    -Dcom.sun.management.jmxremote.authenticate=true
  2. Edit the parameter as follows:
    -Dcom.sun.management.jmxremote.password.file=./etc/jmxremote.password
  3. Copy: jmxremote.password.template
    from: /jdk_install_location/jre/lib/management/
    to: <FS Installation directory>/etc/
    then rename it: jmxremote.password
  4. Edit the <FS Installation directory>/etc/jmxremote.password file to add the following username:
    fsadmin yourpassword
  5. Change the ownership of jmxremote.password to the user you run FS with and change permission to read only.
    For Linux,
    chown fsadmin:fsadmin <FS Installation directory>/etc/jmxremote.password
    chmod 400 <FS Installation directory>/etc/jmxremote.password
    For Windows, see the Oracle documentation.
  6. Enable read and write permission to the FS user in:
    /jdk_install_location/lib/management/jmxremote.access file by adding the following:
    fsadmin readwrite
  7. Edit your FS configuration and create the following options in the Options tab:
    Section jmx
    username=fsadmin
    password=yourpassword
    FS JMX Security password.png
  8. Start FS. You can see the status of the Cassandra nodes in:
    http://<FS_HOST>:<PORT>/fs/admin#system/cassandra
    FS JMX Security cluster.png

    Cassandra JMX TLS

    A Java Management Extensions (JMX) tool manages and monitors Cassandra. The JMX access must be protected to avoid any remote managing on the FS embedded Cassandra.

    1. To protect JMX access, edit the launcher.xml file and modify the parameters as follows:
        -Dcom.sun.management.jmxremote.port=9192
        -Dcom.sun.management.jmxremote.ssl=true
        -Dcom.sun.management.jmxremote.authenticate=true
        -Dcom.sun.management.jmxremote.registry.ssl=true
    2. Set up Transport Layer Security (TLS). For information on how to create a server certificate, see the Genesys Security Deployment Guide.
    3. Create a keystore in <FS Installation directory>/etc/ and upload the custom-generated server certificates to the keystore. See the Oracle documentation.
      Note: If FS HTTPS is already enabled with a server certificate, the same keystore and certificate can also be used to secure the embedded Cassandra JMX port.
    4. Edit and configure the following JVM options in launcher.xml.
      • javax.net.ssl.trustStore = ./etc/keystore [path of the trust store file]
      • javax.net.ssl.trustStorePassword = <trust store password>
      • javax.net.ssl.keyStore =./etc/keystore [path of the keystore file]
      • javax.net.ssl.keyStorePassword  = <keystore password>
    5. Restart the FS to enable a secure JMX connection with the embedded Cassandra.

Feedback

Comment on this article:

blog comments powered by Disqus
This page was last modified on February 5, 2018, at 03:29.