Datastax Enterprise

Datastax Enterprise provides a NoSQL solution built on top of Apache Cassandra™. It can be integrated with CORE so that CORE serves the database's encryption keys over KMIP.

Prerequisites

This integration requires the following:

  • Datastax Enterprise 6.8.4
  • CORE (UKC) 2004 or later

CORE Integration

To integrate CORE with Datastax Enterprise, use the following procedure.

  1. On the CORE Entry Points:
    1. Edit the /etc/init.d/ekm file and, in the JAVA_OPTS section, define:
       -Denable.kmip.tls1=true

    2. Restart the CORE service:
       sudo service ekm restart

    3. Create the root CA certificate:
       ucl root_ca -o server.pem

    4. Create the CORE client:
       ucl client create -n datastax -p cassandra -m FULL --pfx_password <PFX-PASSWORD> -o ./datastax.pfx

    5. Copy the server.pem and datastax.pfx files to the database server.
  2. On the Datastax server (see the Datastax documentation for more information):
    1. Create a keystore from the key and certificate in the PKCS#12 file. First, extract separate key and certificate files:
       openssl pkcs12 -in datastax.pfx -out kmip-key.pem -nocerts -nodes
       openssl pkcs12 -in datastax.pfx -out kmip-cert.pem -clcerts -nokeys

       Note
       When you run these commands, OpenSSL asks for the PFX-PASSWORD that was defined when the client was created (step 1). Because of -nodes, kmip-key.pem holds the client's private key unencrypted: keep it readable only by you and delete it once the keystore has been built.

    2. Create the PKCS#12 file:
       openssl pkcs12 -export -out kmip_keystore.p12 -inkey kmip-key.pem -in kmip-cert.pem

    3. Create the keystore:
       keytool -importkeystore -destkeystore kmip_keystore.jks -srcstoretype PKCS12 -srckeystore kmip_keystore.p12

    4. Create a truststore containing the root CA:
       keytool -import -alias kmipCA -file server.pem -keystore kmip_truststore.jks

    5. Copy the keystore and truststore files to the Datastax directory. They contain the client's private key and are protected only by the keystore passwords stored in dse.yaml, so restrict their file permissions to the account that runs DSE:
       sudo cp kmip_keystore.jks kmip_truststore.jks /etc/dse/

  3. Update the Datastax options on the Datastax server.
    1. Edit the options file: /etc/dse/dse.yaml
    2. Locate the KMIP hosts options section.
    3. Uncomment the kmip_hosts: line. Note that you must remove all spaces at the beginning of the line so that kmip_hosts: starts in the first column.
    4. Add a unique name for CORE, indented under kmip_hosts:. For example:
         ukc:

       Note
       Indentation is significant in this file: the host name must be indented under kmip_hosts:, and the host's parameters must be indented further than the host name, otherwise YAML treats them as siblings of the host rather than its settings.

    5. Update the keystore and truststore parameters: keystore_path, keystore_type, keystore_password, truststore_path, truststore_type, and truststore_password.
    6. The following is an example of the dse.yaml file:

      # KMIP hosts options

      # KMIP protocol
      kmip_hosts:
        ukc:

          # Comma-separated list of KMIP hosts host[:port]
          # Hosts are tried in the order they appear, so add
          # KMIP hosts in the intended failover sequence.
          # Format: hosts: FQDN[, FQDN , ...]
          hosts: ep1.sampleco.com, ep2.sampleco.com

          # Keystore/truststore info
          keystore_path: /etc/dse/kmip_keystore.jks
          keystore_type: jks
          keystore_password: <PASSWORD>

          truststore_path: /etc/dse/kmip_truststore.jks
          truststore_type: jks
          truststore_password: <PASSWORD>

    7. Start the Datastax (dse) service:
       sudo service dse start

      The following is a sample CORE log (ekm.log) after starting the DSE process. Each line records the client, the negotiated TLS suite, the KMIP operation and its object ID, and the result. In this sample the suite is TLS_RSA_WITH_AES_128_CBC_SHA, which uses static RSA key exchange and so provides no forward secrecy; check the suites your Entry Points accept against your TLS policy.

      2020-10-04 07:50:19,621 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Query N/A 0 0 0 OK
      2020-10-04 07:50:19,632 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Locate N/A 0 0 2 OK
      2020-10-04 07:50:19,804 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Create 0x00d635e5fc5aae6133 0 0 167 OK
      2020-10-04 07:50:20,056 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Activate 0x00d635e5fc5aae6133 0 0 249 OK
      2020-10-04 07:50:20,085 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Get 0x00d635e5fc5aae6133 0 0 19 OK
      2020-10-04 07:50:20,087 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra GetAttributes 0x00d635e5fc5aae6133 0 0 1 OK
      2020-10-04 07:50:20,301 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Query N/A 0 0 0 OK
      2020-10-04 07:50:20,306 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Locate N/A 0 0 2 OK
      2020-10-04 07:50:20,403 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Create 0x0045b5154ea91f2126 0 0 95 OK
      2020-10-04 07:50:20,451 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Activate 0x0045b5154ea91f2126 0 0 45 OK
      2020-10-04 07:50:20,458 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Get 0x0045b5154ea91f2126 0 0 4 OK
      2020-10-04 07:50:20,460 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra GetAttributes 0x0045b5154ea91f2126 0 0 1 OK

  4. Test the setup.
    1. Check the connection by running:
       dsetool managekmip list ukc

      Sample response:

      Keys on ukc:
      ID                    Name                 Cipher       State  Activation Date              Creation Date   Protect Stop Date Namespace
      0x008eb7f011692195a4 0x008eb7f011692195a4 AES/ECB/PKCS5 Active Fri Oct 02 16:00:35 UTC 2020 Fri Oct 02 16:00:35 UTC 2020 n/a cassandra

    2. Test the setup by creating a key:
       dsetool createsystemkey 'AES/ECB/PKCS5' 128 -k ukc

      Sample response:

      Successfully created key kmip://ukc/0x0029ef58e573953a50
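The kmip_hosts block edited in step 3 fails in two easy ways: kmip_hosts: left indented, or the host's parameters placed at the same depth as the host name. The following pre-flight lint is an added example, not DataStax or CORE code; it checks only that block, using the standard library rather than PyYAML, and verifies that every parameter the procedure says to set is present and that the passwords are no longer placeholders. Both embedded dse.yaml fragments are constructed: GOOD_YAML is correctly nested (its password values are examples), and BAD_YAML reproduces the flat indentation that YAML reads as siblings of the host.

```python
import re

# Parameters the procedure says to set for each KMIP host entry.
REQUIRED_KEYS = (
    "hosts", "keystore_path", "keystore_type", "keystore_password",
    "truststore_path", "truststore_type", "truststore_password",
)
KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+):\s*(.*?)\s*$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def lint_kmip_hosts(yaml_text):
    """Return a list of problems with the kmip_hosts block; [] means it looks right."""
    problems = []
    lines = yaml_text.splitlines()
    start = next((i for i, l in enumerate(lines) if l.strip() == "kmip_hosts:"), None)
    if start is None:
        return ["kmip_hosts: is missing or still commented out"]
    if _indent(lines[start]) != 0:
        problems.append("kmip_hosts: must start in column 0 (remove leading spaces)")
    hosts = {}                       # host name -> {parameter: value}
    name, host_indent, key_indent = None, None, None
    for raw in lines[start + 1:]:
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                 # blank line or comment
        ind = _indent(raw)
        if ind == 0:
            break                    # next top-level dse.yaml option: block is over
        m = KEY_RE.match(raw)
        if not m:
            problems.append(f"cannot parse line: {raw.strip()!r}")
            continue
        key, value = m.groups()
        if value == "" and (host_indent is None or ind == host_indent):
            name, host_indent, key_indent = key, ind, None   # a new host entry
            hosts[name] = {}
            continue
        if name is None:
            problems.append(f"{key}: appears before any host name under kmip_hosts")
            continue
        if ind <= host_indent:
            problems.append(f"{key}: must be indented deeper than host {name!r}")
        elif key_indent is None:
            key_indent = ind
        elif ind != key_indent:
            problems.append(f"{key}: indentation differs from the other parameters of {name!r}")
        hosts[name][key] = value
    if not hosts:
        problems.append("no host name (such as ukc:) found under kmip_hosts")
    for host, params in hosts.items():
        problems.extend(f"{host}: missing {k}" for k in REQUIRED_KEYS if k not in params)
        problems.extend(f"{host}: {k} is still a placeholder"
                        for k in ("keystore_password", "truststore_password")
                        if params.get(k, "") in ("", "<PASSWORD>"))
    return problems


# Constructed sample: correctly nested block (password values are examples only).
GOOD_YAML = """\
# KMIP hosts options
kmip_hosts:
  ukc:
    # Hosts are tried in failover order
    hosts: ep1.sampleco.com, ep2.sampleco.com
    keystore_path: /etc/dse/kmip_keystore.jks
    keystore_type: jks
    keystore_password: example-keystore-secret
    truststore_path: /etc/dse/kmip_truststore.jks
    truststore_type: jks
    truststore_password: example-truststore-secret
"""

# Constructed sample: parameters at the same depth as the host name, so YAML
# sees ukc as empty and hosts/keystore_* as its siblings; passwords unchanged.
BAD_YAML = """\
kmip_hosts:
   ukc:
   hosts: ep1.sampleco.com, ep2.sampleco.com
   keystore_path: /etc/dse/kmip_keystore.jks
   keystore_type: jks
   keystore_password: <PASSWORD>
   truststore_path: /etc/dse/kmip_truststore.jks
   truststore_type: jks
   truststore_password: <PASSWORD>
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_YAML), ("bad", BAD_YAML)):
        print(label, lint_kmip_hosts(text) or "OK")
```

Run it against your real /etc/dse/dse.yaml (read the file and pass its contents) before starting DSE; an empty result means the block has the shape the example in step 3 shows.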

You can now create an encrypted table. Instructions can be found in the Datastax documentation.
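The ekm.log lines shown after step 3 are the audit trail of what DSE asked CORE to do. The following parser and checks are an added example, not CORE or DataStax code: it reads those lines, reconstructs the lifecycle of each key (a key DSE created but never activated is unusable and worth investigating), lists any operation that did not return OK, and flags sessions whose TLS suite used static RSA key transport (TLS_RSA_WITH_*) and so had no forward secrecy. The column layout is inferred from the sample; the three numeric columns are not defined on the page and are kept raw. SAMPLE_LOG contains the twelve lines from the page plus one constructed line (session 7a1b2c3d) that creates a key and never activates it.

```python
import re
from collections import defaultdict

# One ekm.log audit line, as in the sample above: timestamp, level, peer
# address, user, client, session id with the negotiated TLS suite and socket,
# partition, KMIP operation, object id (or N/A), three numeric columns whose
# meaning the page does not define (kept raw), and the result status.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>\w+) "
    r"(?P<peer>\S+) (?P<user>\S+) (?P<client>\S+) "
    r"(?P<session>[0-9a-f]+)\[(?P<cipher>[A-Z0-9_]+): Socket\[[^\]]*\]\] "
    r"(?P<partition>\S+) (?P<op>\w+) (?P<obj>\S+) "
    r"(?P<n1>\d+) (?P<n2>\d+) (?P<n3>\d+) (?P<status>\w+)$"
)


def parse_ekm_log(text):
    """Return one dict per line that matches LINE_RE; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def key_lifecycle(records):
    """Map each KMIP object id to the ordered list of operations applied to it."""
    ops = defaultdict(list)
    for r in records:
        if r["obj"] != "N/A":
            ops[r["obj"]].append(r["op"])
    return dict(ops)


def unactivated_keys(records):
    """Object ids that were Created but never Activated in this log."""
    return sorted(k for k, ops in key_lifecycle(records).items()
                  if "Create" in ops and "Activate" not in ops)


def failed_operations(records):
    """Records whose status is anything other than OK."""
    return [r for r in records if r["status"] != "OK"]


def sessions_without_forward_secrecy(records):
    """Session ids whose suite used static RSA key transport (TLS_RSA_WITH_*).
    Without (EC)DHE, a later compromise of the Entry Point's private key would
    decrypt recorded KMIP traffic, including Get responses that carry keys."""
    return sorted({r["session"] for r in records
                   if r["cipher"].startswith("TLS_RSA_WITH_")})


# The twelve lines from the page, plus one constructed line (session 7a1b2c3d)
# with a Create that is never followed by Activate.
SAMPLE_LOG = """\
2020-10-04 07:50:19,621 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Query N/A 0 0 0 OK
2020-10-04 07:50:19,632 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Locate N/A 0 0 2 OK
2020-10-04 07:50:19,804 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Create 0x00d635e5fc5aae6133 0 0 167 OK
2020-10-04 07:50:20,056 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Activate 0x00d635e5fc5aae6133 0 0 249 OK
2020-10-04 07:50:20,085 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra Get 0x00d635e5fc5aae6133 0 0 19 OK
2020-10-04 07:50:20,087 INFO /172.31.39.83:46162 user@cassandra datastax@cassandra 215419db[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46162,localport=5696]] cassandra GetAttributes 0x00d635e5fc5aae6133 0 0 1 OK
2020-10-04 07:50:20,301 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Query N/A 0 0 0 OK
2020-10-04 07:50:20,306 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Locate N/A 0 0 2 OK
2020-10-04 07:50:20,403 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Create 0x0045b5154ea91f2126 0 0 95 OK
2020-10-04 07:50:20,451 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Activate 0x0045b5154ea91f2126 0 0 45 OK
2020-10-04 07:50:20,458 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra Get 0x0045b5154ea91f2126 0 0 4 OK
2020-10-04 07:50:20,460 INFO /172.31.39.83:46166 user@cassandra datastax@cassandra 5585fe52[TLS_RSA_WITH_AES_128_CBC_SHA: Socket[addr=/172.31.39.83,port=46166,localport=5696]] cassandra GetAttributes 0x0045b5154ea91f2126 0 0 1 OK
2020-10-04 08:01:02,000 INFO /172.31.39.83:46170 user@cassandra datastax@cassandra 7a1b2c3d[TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: Socket[addr=/172.31.39.83,port=46170,localport=5696]] cassandra Create 0x00aaaaaaaaaaaaaaaa 0 0 90 OK
"""

if __name__ == "__main__":
    recs = parse_ekm_log(SAMPLE_LOG)
    print(f"{len(recs)} audit records")
    print("key lifecycle:", key_lifecycle(recs))
    print("created but never activated:", unactivated_keys(recs))
    print("sessions without forward secrecy:", sessions_without_forward_secrecy(recs))
    print("failed operations:", len(failed_operations(recs)))
```

Pointing parse_ekm_log at the real ekm.log after step 4 gives a quick confirmation that the key created by dsetool went through Create, Activate and Get, and that the Entry Points are negotiating the TLS suites you expect.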