Secure your ScyllaDB cluster with comprehensive SSL/TLS encryption for client connections and inter-node communication. This tutorial covers certificate generation, authentication setup, and production security hardening.
Prerequisites
- Root access to ScyllaDB servers
- Basic knowledge of SSL/TLS concepts
- Understanding of ScyllaDB cluster topology
- Network access between cluster nodes
What this solves
ScyllaDB clusters need SSL encryption to protect data in transit and authentication to control access. This tutorial sets up comprehensive security including client-server SSL, inter-node encryption, certificate management, and role-based authentication. You'll secure both external client connections and internal cluster communication.
Step-by-step configuration
Install ScyllaDB and SSL tools
First install ScyllaDB and the SSL certificate tools needed for encryption.
```bash
sudo apt update
sudo mkdir -p /etc/apt/keyrings
wget -qO - https://downloads.scylladb.com/deb/ubuntu/scylla-6.0-key.asc | sudo gpg --dearmor -o /etc/apt/keyrings/scylladb.gpg
echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/scylladb.gpg] https://downloads.scylladb.com/deb/ubuntu/ $(lsb_release -sc) scylla-6.0" | sudo tee /etc/apt/sources.list.d/scylladb.list
sudo apt update
sudo apt install -y scylla openssl
```
Create SSL certificate directory structure
Set up directories for SSL certificates with proper ownership and permissions.
```bash
sudo mkdir -p /etc/scylla/ssl/ca
sudo mkdir -p /etc/scylla/ssl/server
sudo mkdir -p /etc/scylla/ssl/client
sudo chown -R scylla:scylla /etc/scylla/ssl
sudo chmod -R 750 /etc/scylla/ssl
```
Generate Certificate Authority (CA)
Create a private CA to sign all ScyllaDB certificates; it signs both the server and the client certificates. Run the certificate steps from a root shell (sudo -i), because after the chmod above /etc/scylla/ssl is only traversable by the scylla user and root.
```bash
cd /etc/scylla/ssl/ca
sudo openssl genrsa -out ca-key.pem 4096
sudo openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 3650 -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=ScyllaDB-CA"
sudo chown scylla:scylla ca-*.pem
sudo chmod 600 ca-key.pem
sudo chmod 644 ca-cert.pem
```
Generate server certificates
Create SSL certificates for ScyllaDB servers. Replace the IP addresses with your actual server IPs.
```bash
cd /etc/scylla/ssl/server
sudo openssl genrsa -out server-key.pem 2048
sudo openssl req -new -key server-key.pem -out server.csr -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=scylla-server"

# Create server certificate extensions. The [v3_req] section name must match the
# -extensions argument of the signing command below. clientAuth is included as well
# as serverAuth because a node presents this same certificate as a client when it
# connects to its peers with require_client_auth enabled.
sudo tee server-ext.cnf > /dev/null << 'EOF'
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = scylla-server
IP.1 = 127.0.0.1
IP.2 = 203.0.113.10
IP.3 = 203.0.113.11
IP.4 = 203.0.113.12
EOF

sudo openssl x509 -req -in server.csr -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -out server-cert.pem -days 365 -extensions v3_req -extfile server-ext.cnf
sudo chown scylla:scylla server-*.pem
sudo chmod 600 server-key.pem
sudo chmod 644 server-cert.pem
sudo rm server.csr server-ext.cnf
```
Generate client certificates
Create certificates for client authentication. Each client application should have its own certificate.
```bash
cd /etc/scylla/ssl/client
sudo openssl genrsa -out client-key.pem 2048
sudo openssl req -new -key client-key.pem -out client.csr -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Client/CN=scylla-client"
sudo openssl x509 -req -in client.csr -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -out client-cert.pem -days 365
sudo chown scylla:scylla client-*.pem
sudo chmod 600 client-key.pem
sudo chmod 644 client-cert.pem
sudo rm client.csr
```
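To see the three certificate steps end to end, and to catch the mistakes behind the "SSL handshake failure" and "Client authentication failed" rows under Common issues before a node is restarted with a bad certificate, here is an added example that is not part of the tutorial. It builds a throwaway CA, server and client certificate in a temporary directory the same way the tutorial does (the subjects, node names and 203.0.113.10 address are constructed) and then checks chain, SAN coverage, key usage and remaining validity with openssl. Nothing touches /etc/scylla; the check functions are the part worth pointing at real files.

```shell
#!/bin/sh
# Added example, not part of the tutorial: a throwaway PKI built the way the
# tutorial builds its certificates, plus the checks that catch the usual mistakes.
# All names, IPs and subjects below are constructed; nothing touches /etc/scylla.
set -eu

PKI="$(mktemp -d)"
trap 'rm -rf "$PKI"' EXIT

# Build CA, server and client certificates under $1. $2 is the server SAN list in
# OpenSSL syntax ("DNS:host,IP:addr,..."), the same content as the tutorial's
# @alt_names section written inline.
build_pki() {
  dir="$1"; san="$2"
  mkdir -p "$dir/ca" "$dir/server" "$dir/client"

  # Private CA (10 years, as in the tutorial)
  openssl genrsa -out "$dir/ca/ca-key.pem" 2048 2>/dev/null
  openssl req -new -x509 -key "$dir/ca/ca-key.pem" -out "$dir/ca/ca-cert.pem" \
    -days 3650 -subj "/O=Example/CN=Example-ScyllaDB-CA"

  # Server certificate. The [v3_req] section name must match -extensions below;
  # clientAuth is included because a node presents this same certificate as a
  # client when it connects to its peers with require_client_auth enabled.
  openssl genrsa -out "$dir/server/server-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/server/server-key.pem" -out "$dir/server/server.csr" \
    -subj "/O=Example/CN=scylla-server"
  printf '[v3_req]\nkeyUsage = digitalSignature, keyEncipherment\nextendedKeyUsage = serverAuth, clientAuth\nsubjectAltName = %s\n' \
    "$san" > "$dir/server/server-ext.cnf"
  openssl x509 -req -in "$dir/server/server.csr" -CA "$dir/ca/ca-cert.pem" \
    -CAkey "$dir/ca/ca-key.pem" -CAcreateserial -out "$dir/server/server-cert.pem" \
    -days 365 -extensions v3_req -extfile "$dir/server/server-ext.cnf" 2>/dev/null

  # Client certificate, restricted to clientAuth so it cannot pose as a node
  openssl genrsa -out "$dir/client/client-key.pem" 2048 2>/dev/null
  openssl req -new -key "$dir/client/client-key.pem" -out "$dir/client/client.csr" \
    -subj "/O=Example/CN=app-client"
  printf '[v3_req]\nextendedKeyUsage = clientAuth\n' > "$dir/client/client-ext.cnf"
  openssl x509 -req -in "$dir/client/client.csr" -CA "$dir/ca/ca-cert.pem" \
    -CAkey "$dir/ca/ca-key.pem" -CAcreateserial -out "$dir/client/client-cert.pem" \
    -days 365 -extensions v3_req -extfile "$dir/client/client-ext.cnf" 2>/dev/null
}

# Does certificate $2 chain to CA $1? ("Client certificate not trusted" row)
chains_to_ca() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Would a client connecting to hostname $3 (or IP $3) accept certificate $2
# signed by CA $1? ("Certificate hostname mismatch" row)
matches_host() { openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; }
matches_ip()   { openssl verify -CAfile "$1" -verify_ip "$3" "$2" >/dev/null 2>&1; }

# Does certificate $1 carry the usage named in $2, in OpenSSL's text form
# (e.g. "TLS Web Server Authentication")?
has_usage() {
  case "$(openssl x509 -in "$1" -noout -text)" in
    *"$2"*) return 0 ;;
    *)      return 1 ;;
  esac
}

# Is certificate $1 still valid $2 days from now? (the renewal script's test)
valid_for_days() { openssl x509 -checkend $(( $2 * 86400 )) -noout -in "$1" >/dev/null; }

# Demonstration run: one node name and one address are in the SAN, one name is not
build_pki "$PKI" "DNS:localhost,DNS:scylla-node1,IP:127.0.0.1,IP:203.0.113.10"
CA="$PKI/ca/ca-cert.pem"; SRV="$PKI/server/server-cert.pem"
chains_to_ca "$CA" "$SRV"              && echo "server certificate chains to the CA"
matches_host "$CA" "$SRV" scylla-node1 && echo "scylla-node1 is covered by the SAN"
matches_host "$CA" "$SRV" scylla-node2 || echo "scylla-node2 is NOT in the SAN: clients using that name fail the handshake"
valid_for_days "$SRV" 30               && echo "more than 30 days of validity left"
```

Run matches_host and matches_ip once per address a driver or a peer node will actually use; a name that is missing from the SAN is exactly the handshake failure the Common issues table describes, and it is cheaper to find here than in a restarted cluster.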
Configure ScyllaDB SSL encryption
Enable SSL encryption for both client connections and inter-node communication by adding these settings to /etc/scylla/scylla.yaml on every node.

```yaml
# Client-server SSL configuration
client_encryption_options:
    enabled: true
    optional: false
    certificate: /etc/scylla/ssl/server/server-cert.pem
    keyfile: /etc/scylla/ssl/server/server-key.pem
    truststore: /etc/scylla/ssl/ca/ca-cert.pem
    require_client_auth: true
    protocol: TLSv1.2

# Inter-node SSL configuration
server_encryption_options:
    internode_encryption: all
    certificate: /etc/scylla/ssl/server/server-cert.pem
    keyfile: /etc/scylla/ssl/server/server-key.pem
    truststore: /etc/scylla/ssl/ca/ca-cert.pem
    require_client_auth: true
    protocol: TLSv1.2
```
Enable password authentication
Configure ScyllaDB to require password-based authentication and role-based authorization; these settings also go in /etc/scylla/scylla.yaml.

```yaml
# Authentication configuration
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager

# Increase authentication cache to improve performance
authentication_cache_size_mb: 128
authentication_cache_update_interval_in_ms: 2000
permissions_cache_max_entries: 1000
permissions_validity_in_ms: 10000
```
Configure network and security settings
Set additional security parameters for production deployment in /etc/scylla/scylla.yaml. Use each node's own address in the network settings.

```yaml
# Network configuration
listen_address: 203.0.113.10
rpc_address: 203.0.113.10
broadcast_address: 203.0.113.10
broadcast_rpc_address: 203.0.113.10

# Security hardening
enable_user_defined_functions: false
enable_scripted_user_defined_functions: false
enable_materialized_views: false

# Connection limits
native_transport_max_concurrent_connections: 1024
native_transport_max_concurrent_connections_per_ip: 256

# Request timeouts
request_timeout_in_ms: 10000
read_request_timeout_in_ms: 5000
write_request_timeout_in_ms: 2000
```
Start ScyllaDB with SSL
Enable and start ScyllaDB with the new SSL configuration.
```bash
sudo systemctl enable scylla-server
sudo systemctl start scylla-server
sudo systemctl status scylla-server
```
Create administrative user
Connect to ScyllaDB and create a secure administrative user to replace the default cassandra user. Because require_client_auth is enabled, cqlsh must trust the CA and present the client certificate, so set up the [ssl] section of ~/.cassandra/cqlshrc (described under "Configure SSL client connection") before this first login; the -u and -p flags override any credentials stored in that file.

```bash
# Connect using default credentials initially
cqlsh 203.0.113.10 9042 -u cassandra -p cassandra --ssl
```

In the CQL shell, create a new admin user, then demote the default account and change its password:

```sql
CREATE ROLE scylladb_admin WITH LOGIN = true AND SUPERUSER = true AND PASSWORD = 'SecureAdminPass123!';
ALTER ROLE cassandra WITH PASSWORD = 'RandomSecurePassword456!' AND SUPERUSER = false;
LIST ROLES;
```
Configure SSL client connection
Create a cqlsh configuration file at ~/.cassandra/cqlshrc for SSL connections. In the [ssl] section, certfile is the CA certificate cqlsh uses to validate the server; the client's own key and certificate go in userkey and usercert. Credentials belong in the [authentication] section. The paths point at the copies made below, since /etc/scylla/ssl is readable only by the scylla user.

```ini
[connection]
hostname = 203.0.113.10
port = 9042

[authentication]
username = scylladb_admin
password = SecureAdminPass123!

[ssl]
certfile = ~/.cassandra/ca-cert.pem
validate = true
userkey = ~/.cassandra/client-key.pem
usercert = ~/.cassandra/client-cert.pem
version = TLSv1_2
```

Copy the CA certificate and the client key pair into the cqlsh directory and make the private key readable only by its owner:

```bash
mkdir -p ~/.cassandra
sudo cp /etc/scylla/ssl/client/client-*.pem ~/.cassandra/
sudo cp /etc/scylla/ssl/ca/ca-cert.pem ~/.cassandra/
sudo chown $USER:$USER ~/.cassandra/*
chmod 600 ~/.cassandra/client-key.pem
```
Create application-specific roles
Set up role-based access control for different applications and users.
```bash
cqlsh --ssl
```

```sql
-- Create keyspace for application
CREATE KEYSPACE IF NOT EXISTS app_data
WITH REPLICATION = {'class': 'SimpleStrategy', 'replication_factor': 3};

-- Create application user with limited permissions
CREATE ROLE app_user WITH LOGIN = true AND PASSWORD = 'AppUserSecure789!';
GRANT SELECT, INSERT, UPDATE, DELETE ON KEYSPACE app_data TO app_user;

-- Create read-only analytics user
CREATE ROLE analytics_user WITH LOGIN = true AND PASSWORD = 'AnalyticsRead456!';
GRANT SELECT ON KEYSPACE app_data TO analytics_user;

-- Create backup user
CREATE ROLE backup_user WITH LOGIN = true AND PASSWORD = 'BackupSecure123!';
GRANT SELECT ON ALL KEYSPACES TO backup_user;
```
Configure audit logging
Enable audit logging for security compliance and monitoring.
```yaml
# Audit logging configuration
audit_logging_options:
    enabled: true
    logger: BinAuditLogger
    audit_logs_dir: /var/lib/scylla/audit
    included_keyspaces: "system_auth,app_data"
    included_categories: "QUERY,DML,DDL,DCL,AUTH"
    included_users: "scylladb_admin,app_user"
```

```bash
sudo mkdir -p /var/lib/scylla/audit
sudo chown scylla:scylla /var/lib/scylla/audit
sudo chmod 750 /var/lib/scylla/audit
sudo systemctl restart scylla-server
```
Verify your setup
Test SSL connections and authentication to ensure everything works correctly.
```bash
# Test SSL connection with admin user
cqlsh 203.0.113.10 9042 -u scylladb_admin -p 'SecureAdminPass123!' --ssl

# Confirm the CQL port is listening (this shows the listener only, not that TLS is negotiated)
netstat -tlnp | grep :9042

# Check certificate validity
openssl x509 -in /etc/scylla/ssl/server/server-cert.pem -text -noout | grep -A 2 "Validity"

# Test application user permissions
cqlsh 203.0.113.10 9042 -u app_user -p 'AppUserSecure789!' --ssl -e "USE app_data; DESCRIBE KEYSPACE app_data;"

# Check audit logs
sudo ls -la /var/lib/scylla/audit/
sudo tail -f /var/lib/scylla/audit/*.log
```
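The netstat line above only proves that something is listening on 9042. As an added example that is not part of the tutorial, here is a probe that performs the handshake the way a driver would (server certificate checked against the CA, hostname checked against the SAN, client certificate presented as require_client_auth demands) and reduces the verbose openssl s_client transcript to the three facts worth asserting on: protocol, cipher and verification result. The probe function needs a live node; the summarizer is exercised on two constructed transcripts so the block runs offline. The host, port and paths in the usage comment are the tutorial's.

```shell
#!/bin/sh
# Added example, not part of the tutorial. Probes a CQL port with openssl s_client and
# condenses the transcript to protocol, cipher and verification result.
set -eu

# Read an s_client transcript on stdin and print one line: protocol, cipher, verify result
summarize_handshake() {
  awk '
    /^ *Protocol *:/      { proto = $NF }
    /^ *Cipher *:/        { cipher = $NF }
    /Verify return code:/ { sub(/.*Verify return code: /, ""); verify = $0 }
    END { printf "protocol=%s cipher=%s verify=%s\n", proto, cipher, verify }'
}

# Exit 0 when the transcript on stdin shows a verified server certificate
handshake_ok() {
  case "$(summarize_handshake)" in
    *"verify=0 (ok)"*) return 0 ;;
    *)                 return 1 ;;
  esac
}

# Handshake against $1:$2 as a driver would: trust only CA $3, require the SAN to
# cover name $4, present client certificate $5 with key $6, and abort on any
# verification error. Needs a live node, so it is not part of the offline run;
# on an aborted handshake the summary has an empty verify field and handshake_ok fails.
probe_tls() {
  : | openssl s_client -connect "$1:$2" -CAfile "$3" -verify_hostname "$4" \
        -cert "$5" -key "$6" -verify_return_error 2>&1 | summarize_handshake
}
# Usage with the tutorial's paths (as a user that can read the client key):
#   probe_tls 203.0.113.10 9042 /etc/scylla/ssl/ca/ca-cert.pem scylla-server \
#             /etc/scylla/ssl/client/client-cert.pem /etc/scylla/ssl/client/client-key.pem

# Constructed transcripts: a successful mutual-TLS handshake and a hostname mismatch
SAMPLE_OK='CONNECTED(00000003)
depth=1 O = ScyllaDB, CN = ScyllaDB-CA
verify return:1
depth=0 O = ScyllaDB, CN = scylla-server
verify return:1
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---'
SAMPLE_MISMATCH='CONNECTED(00000003)
depth=0 O = ScyllaDB, CN = scylla-server
verify error:num=62:hostname mismatch
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 62 (hostname mismatch)
---'

printf '%s\n' "$SAMPLE_OK" | summarize_handshake
printf '%s\n' "$SAMPLE_MISMATCH" | summarize_handshake
```

Run probe_tls from a host outside the node as well as on it: the firewall rules later in the page only admit 203.0.113.0/24, so a handshake that succeeds locally but times out from an application subnet points at the firewall rather than at the certificates.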
SSL certificate management
Set up certificate renewal
Create automated certificate renewal to prevent expiration issues. Save the following as /usr/local/bin/scylla-cert-renewal.sh on each node: it backs up the SSL directory, renews the server certificate when fewer than 30 days of validity remain, restarts the node, and rolls back to the previous key pair if the restart fails.

```bash
#!/bin/bash
set -euo pipefail

# ScyllaDB SSL Certificate Renewal Script
SSL_DIR="/etc/scylla/ssl"
BACKUP_DIR="/var/backups/scylla-ssl-$(date +%Y%m%d)"
LOG_FILE="/var/log/scylla-cert-renewal.log"

echo "$(date): Starting certificate renewal" >> "$LOG_FILE"

# Create backup
mkdir -p "$BACKUP_DIR"
cp -r "$SSL_DIR"/* "$BACKUP_DIR/"

# Check certificate expiry (renew if < 30 days)
if openssl x509 -checkend 2592000 -noout -in "$SSL_DIR/server/server-cert.pem"; then
    echo "$(date): Certificate valid for 30+ days, skipping renewal" >> "$LOG_FILE"
    exit 0
fi

echo "$(date): Certificate expires soon, renewing..." >> "$LOG_FILE"

# Generate new server certificate
cd "$SSL_DIR/server"
openssl genrsa -out server-key-new.pem 2048
openssl req -new -key server-key-new.pem -out server-new.csr -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=scylla-server"

# Create extensions file (the section name must match -extensions v3_req below)
cat > server-ext.cnf << 'EOF'
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = localhost
DNS.2 = scylla-server
IP.1 = 127.0.0.1
IP.2 = 203.0.113.10
IP.3 = 203.0.113.11
IP.4 = 203.0.113.12
EOF

openssl x509 -req -in server-new.csr -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem -CAcreateserial -out server-cert-new.pem -days 365 -extensions v3_req -extfile server-ext.cnf

# Replace old certificates
mv server-key.pem server-key-old.pem
mv server-cert.pem server-cert-old.pem
mv server-key-new.pem server-key.pem
mv server-cert-new.pem server-cert.pem
chown scylla:scylla server-*.pem
chmod 600 server-key.pem
chmod 644 server-cert.pem

# Clean up
rm server-new.csr server-ext.cnf

echo "$(date): Certificate renewal completed" >> "$LOG_FILE"
echo "$(date): Restarting ScyllaDB..." >> "$LOG_FILE"

# Restart ScyllaDB
systemctl restart scylla-server

if systemctl is-active --quiet scylla-server; then
    echo "$(date): ScyllaDB restarted successfully" >> "$LOG_FILE"
else
    echo "$(date): ERROR - ScyllaDB failed to restart" >> "$LOG_FILE"
    # Rollback certificates
    mv server-key.pem server-key-failed.pem
    mv server-cert.pem server-cert-failed.pem
    mv server-key-old.pem server-key.pem
    mv server-cert-old.pem server-cert.pem
    systemctl start scylla-server
    exit 1
fi
```

Make the script executable and owned by root:

```bash
sudo chmod +x /usr/local/bin/scylla-cert-renewal.sh
sudo chown root:root /usr/local/bin/scylla-cert-renewal.sh
```
Schedule certificate monitoring
Set up automated monitoring and renewal using systemd timers. Create the service unit at /etc/systemd/system/scylla-cert-check.service:

```ini
[Unit]
Description=ScyllaDB SSL Certificate Check
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/scylla-cert-renewal.sh
User=root
Group=root
```

and the timer at /etc/systemd/system/scylla-cert-check.timer:

```ini
[Unit]
Description=Run ScyllaDB certificate check weekly
Requires=scylla-cert-check.service

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target
```

Then load and enable the timer:

```bash
sudo systemctl daemon-reload
sudo systemctl enable scylla-cert-check.timer
sudo systemctl start scylla-cert-check.timer
sudo systemctl list-timers scylla-cert-check.timer
```
Security hardening
Configure firewall rules
Restrict network access to only necessary ports and IP addresses.
```bash
# Allow ScyllaDB ports for specific IP ranges
sudo ufw allow from 203.0.113.0/24 to any port 9042 comment 'ScyllaDB CQL SSL'
sudo ufw allow from 203.0.113.0/24 to any port 7001 comment 'ScyllaDB Inter-node SSL'
sudo ufw allow from 203.0.113.0/24 to any port 7199 comment 'ScyllaDB JMX'

# Allow monitoring from management network
sudo ufw allow from 203.0.113.100/32 to any port 9180 comment 'ScyllaDB Prometheus'

# Enable firewall
sudo ufw --force enable
sudo ufw status numbered
```
Enable system audit logging
Configure system-level auditing for ScyllaDB processes and files. Put the rules in a file under /etc/audit/rules.d/ (for example /etc/audit/rules.d/scylladb.rules) so that augenrules loads them; each rule's -k key is what you search for later with ausearch.

```
# Monitor ScyllaDB configuration changes
-w /etc/scylla/scylla.yaml -p wa -k scylladb_config
-w /etc/scylla/ssl/ -p wa -k scylladb_ssl

# Monitor ScyllaDB data directory
-w /var/lib/scylla/ -p wa -k scylladb_data

# Monitor ScyllaDB process execution
-w /usr/bin/scylla -p x -k scylladb_exec

# Monitor authentication attempts
-w /var/lib/scylla/audit/ -p wa -k scylladb_auth
```

auditd refuses a manual restart through systemctl on most distributions, so load the rules with augenrules instead and confirm they are active:

```bash
sudo systemctl enable auditd
sudo augenrules --load
sudo auditctl -l
```
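The rules above only produce records; somebody still has to read them. As an added example that is not part of the tutorial, here is a small summariser for the raw audit.log records those rules generate, plus one detection built on it: any event under the scylladb_ssl key that carries a real login uid, meaning an interactive session (not the scylla service or the renewal timer) touched certificate material. The audit records are constructed samples in the format auditd writes to /var/log/audit/audit.log; the uids, inodes and pids are made up.

```shell
#!/bin/sh
# Added example, not part of the tutorial: summarise the events the tutorial's audit
# rules produce and flag interactive access to key material. The records below are
# constructed samples in /var/log/audit/audit.log format.
set -eu

# One line per audit event: id, rule key, login uid, command, result and the file path.
# SYSCALL and PATH records of one event share the id inside msg=audit(time:id).
audit_summary() {
  awk '
    {
      match($0, /msg=audit\([0-9.]+:[0-9]+\)/)
      id = substr($0, RSTART, RLENGTH); sub(/.*:/, "", id); sub(/\)/, "", id)
      for (i = 1; i <= NF; i++) {
        split($i, kv, "="); k = kv[1]; v = kv[2]; gsub(/"/, "", v)
        if ($1 == "type=SYSCALL") {
          if (k == "key")     key[id] = v
          if (k == "auid")    auid[id] = v
          if (k == "comm")    comm[id] = v
          if (k == "success") ok[id] = v
        }
        if ($1 == "type=PATH") {
          if (k == "name") name = v
          # the NORMAL item is the file itself; PARENT items are its directory
          if (k == "nametype" && v == "NORMAL") path[id] = name
        }
      }
    }
    END {
      for (id in key)
        printf "event=%s key=%s auid=%s comm=%s success=%s path=%s\n",
               id, key[id], auid[id], comm[id], ok[id], path[id]
    }' | sort
}

# Events under the scylladb_ssl key that carry a real login uid: an interactive
# session touched certificate material. auid=4294967295 is the unset login uid of
# daemons and timer jobs, so the renewal service does not trip this.
flag_interactive_ssl_access() {
  audit_summary | awk '/ key=scylladb_ssl / && !/ auid=4294967295 /'
}

# Constructed sample: an admin editing the server key with vim, the renewal job
# (no login uid) rewriting the certificate, and a denied write to scylla.yaml.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1718000000.101:501): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2100 pid=2188 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim.basic" key="scylladb_ssl"
type=PATH msg=audit(1718000000.101:501): item=0 name="/etc/scylla/ssl/server/" inode=1234 dev=fd:01 mode=040750 ouid=997 ogid=997 nametype=PARENT
type=PATH msg=audit(1718000000.101:501): item=1 name="/etc/scylla/ssl/server/server-key.pem" inode=1240 dev=fd:01 mode=0100600 ouid=997 ogid=997 nametype=NORMAL
type=SYSCALL msg=audit(1718000000.205:502): arch=c000003e syscall=257 success=yes exit=5 items=1 ppid=1 pid=2300 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="openssl" exe="/usr/bin/openssl" key="scylladb_ssl"
type=PATH msg=audit(1718000000.205:502): item=0 name="/etc/scylla/ssl/server/server-cert.pem" inode=1241 dev=fd:01 mode=0100644 ouid=997 ogid=997 nametype=NORMAL
type=SYSCALL msg=audit(1718000000.310:503): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2100 pid=2250 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="sed" exe="/usr/bin/sed" key="scylladb_config"
type=PATH msg=audit(1718000000.310:503): item=0 name="/etc/scylla/scylla.yaml" inode=1300 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL'

printf '%s\n' "$SAMPLE_AUDIT" | audit_summary
echo "--- interactive access to key material:"
printf '%s\n' "$SAMPLE_AUDIT" | flag_interactive_ssl_access
# On a live node the same pipeline reads from auditd's own query tool:
#   sudo ausearch -k scylladb_ssl --raw | flag_interactive_ssl_access
```

The denied write in event 503 is worth keeping in the summary even though it is not flagged: repeated success=no records against scylla.yaml from a login uid are the footprint of someone probing for a way to change the authenticator setting.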
Set up log monitoring
Configure centralized logging for security events and SSL certificate monitoring. Put the rules in an rsyslog drop-in such as /etc/rsyslog.d/scylladb.conf (the file name is an example). The SSL and authentication matches are nested inside the scylla block: with three independent rules, the first rule's stop would discard every scylla message before the SSL and authentication rules saw it.

```
# ScyllaDB logging
if $programname == 'scylla' then {
    # SSL certificate events
    if $msg contains 'SSL' or $msg contains 'certificate' then {
        action(type="omfile" file="/var/log/scylladb/ssl.log")
    }
    # Authentication events
    if $msg contains 'authentication' or $msg contains 'login' then {
        action(type="omfile" file="/var/log/scylladb/auth.log")
    }
    action(type="omfile" file="/var/log/scylladb/scylla.log")
    stop
}
```

```bash
sudo mkdir -p /var/log/scylladb
sudo chown scylla:scylla /var/log/scylladb
sudo systemctl restart rsyslog
sudo logrotate -d /etc/logrotate.conf
```
Common issues
| Symptom | Cause | Fix |
|---|---|---|
| SSL handshake failure | Certificate hostname mismatch | Add the server IP/hostname to the certificate SAN field |
| Client authentication failed | Client certificate not trusted | Verify the client cert is signed by the same CA: `openssl verify -CAfile /etc/scylla/ssl/ca/ca-cert.pem /etc/scylla/ssl/client/client-cert.pem` |
| Inter-node SSL errors | Clock skew between nodes | Sync time with NTP: `sudo systemctl enable --now ntp` |
| Certificate expired | Certificate past validity period | Check expiry with `openssl x509 -enddate -noout -in cert.pem` and renew |
| Permission denied on key files | Incorrect file ownership | `sudo chown scylla:scylla /etc/scylla/ssl/server/server-key.pem && sudo chmod 600 /etc/scylla/ssl/server/server-key.pem` |
| Connection timeout with SSL | Firewall blocking encrypted port | Open port 9042 for CQL SSL and 7001 for inter-node SSL |
| High SSL CPU usage | Weak cipher suites | Use stronger ciphers in scylla.yaml: `cipher_suites: [TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384]` |
| Authentication cache misses | Cache too small for user load | Increase `authentication_cache_size_mb` in the config |
Next steps
- Monitor ScyllaDB cluster with Prometheus and Grafana for comprehensive performance tracking
- Implement ScyllaDB disaster recovery with cross-region replication
- Configure ScyllaDB backup and restore with automation
- Configure Cassandra SSL encryption and authentication with security hardening
- Set up ScyllaDB multi-datacenter replication with SSL encryption
Automated install script
Run this to automate the entire setup
```bash
#!/usr/bin/env bash
set -euo pipefail

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Configuration
CLUSTER_IPS="${1:-127.0.0.1}"
DOMAIN="${2:-localhost}"
SSL_DIR="/etc/scylla/ssl"
LOG_FILE="/var/log/scylla-ssl-setup.log"
BACKUP_DIR="/etc/scylla/ssl/backup-$(date +%Y%m%d-%H%M%S)"

usage() {
  echo "Usage: $0 [cluster_ips] [domain]"
  echo "  cluster_ips: Comma-separated list of cluster IPs (default: 127.0.0.1)"
  echo "  domain:      Domain name for certificates (default: localhost)"
  echo ""
  echo "Example: $0 \"10.0.1.10,10.0.1.11,10.0.1.12\" \"scylla.example.com\""
  exit 1
}

log() {
  echo "$(date): $1" | tee -a "$LOG_FILE"
}

error() {
  echo -e "${RED}ERROR: $1${NC}" >&2
  log "ERROR: $1"
}

success() {
  echo -e "${GREEN}$1${NC}"
  log "SUCCESS: $1"
}

warning() {
  echo -e "${YELLOW}WARNING: $1${NC}"
  log "WARNING: $1"
}

info() {
  echo -e "${BLUE}$1${NC}"
  log "INFO: $1"
}

cleanup() {
  local exit_code=$?
  if [ $exit_code -ne 0 ]; then
    error "Script failed. Check logs at $LOG_FILE"
    if [ -d "$BACKUP_DIR" ]; then
      warning "Backup available at: $BACKUP_DIR"
    fi
  fi
  exit $exit_code
}
trap cleanup ERR

detect_distro() {
  if [ ! -f /etc/os-release ]; then
    error "Cannot detect Linux distribution"
    exit 1
  fi
  . /etc/os-release
  case "$ID" in
    ubuntu|debian)
      PKG_MGR="apt"
      PKG_UPDATE="apt update"
      PKG_INSTALL="apt install -y"
      ;;
    almalinux|rocky|centos|rhel|ol|fedora)
      PKG_MGR="dnf"
      PKG_UPDATE="dnf update -y"
      PKG_INSTALL="dnf install -y"
      ;;
    amzn)
      PKG_MGR="yum"
      PKG_UPDATE="yum update -y"
      PKG_INSTALL="yum install -y"
      ;;
    *)
      error "Unsupported distribution: $ID"
      exit 1
      ;;
  esac
  info "Detected distribution: $PRETTY_NAME"
}

check_prerequisites() {
  if [ "$EUID" -ne 0 ]; then
    error "This script must be run as root"
    exit 1
  fi
  if ! command -v wget >/dev/null 2>&1; then
    $PKG_INSTALL wget curl
  fi
}

install_scylladb() {
  info "[1/8] Installing ScyllaDB and SSL tools..."
  case "$PKG_MGR" in
    apt)
      $PKG_UPDATE
      mkdir -p /etc/apt/keyrings
      wget -qO - https://downloads.scylladb.com/deb/ubuntu/scylla-6.0-key.asc | gpg --dearmor -o /etc/apt/keyrings/scylladb.gpg
      echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/scylladb.gpg] https://downloads.scylladb.com/deb/ubuntu/ $(lsb_release -sc) scylla-6.0" > /etc/apt/sources.list.d/scylladb.list
      $PKG_UPDATE
      $PKG_INSTALL scylla openssl
      ;;
    dnf|yum)
      $PKG_UPDATE
      rpm --import https://downloads.scylladb.com/rpm/scylladb-6.0-key.asc
      curl -o /etc/yum.repos.d/scylladb-6.0.repo https://downloads.scylladb.com/rpm/centos/scylladb-6.0.repo
      $PKG_INSTALL scylla openssl
      ;;
  esac
  success "ScyllaDB and SSL tools installed"
}

setup_ssl_directories() {
  info "[2/8] Setting up SSL directory structure..."
  mkdir -p "$SSL_DIR"/{ca,server,client}
  chown -R scylla:scylla "$SSL_DIR"
  chmod -R 750 "$SSL_DIR"
  success "SSL directories created"
}

generate_ca() {
  info "[3/8] Generating Certificate Authority..."
  cd "$SSL_DIR/ca"
  openssl genrsa -out ca-key.pem 4096
  openssl req -new -x509 -key ca-key.pem -out ca-cert.pem -days 3650 \
    -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=ScyllaDB-CA"
  chown scylla:scylla ca-*.pem
  chmod 600 ca-key.pem
  chmod 644 ca-cert.pem
  success "Certificate Authority generated"
}

generate_server_certs() {
  info "[4/8] Generating server certificates..."
  cd "$SSL_DIR/server"
  openssl genrsa -out server-key.pem 2048
  openssl req -new -key server-key.pem -out server.csr \
    -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=$DOMAIN"
  # Create server extensions with cluster IPs. The [v3_req] section name must match
  # the -extensions argument below; digitalSignature is required for ECDHE key exchange.
  # This file is kept: the renewal script reuses it.
  cat > server-ext.cnf << EOF
[v3_req]
subjectAltName = @alt_names
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth

[alt_names]
DNS.1 = $DOMAIN
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF
  # Add cluster IPs to SAN (appended lines land in the [alt_names] section)
  local ip_count=2
  IFS=',' read -ra IPS <<< "$CLUSTER_IPS"
  for ip in "${IPS[@]}"; do
    echo "IP.$ip_count = $ip" >> server-ext.cnf
    ip_count=$((ip_count + 1))
  done
  openssl x509 -req -in server.csr -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem \
    -CAcreateserial -out server-cert.pem -days 365 -extensions v3_req -extfile server-ext.cnf
  chown scylla:scylla server-*.pem server.csr server-ext.cnf
  chmod 600 server-key.pem
  chmod 644 server-cert.pem
  success "Server certificates generated"
}

generate_client_certs() {
  info "[5/8] Generating client certificates..."
  cd "$SSL_DIR/client"
  openssl genrsa -out client-key.pem 2048
  openssl req -new -key client-key.pem -out client.csr \
    -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=scylla-client"
  openssl x509 -req -in client.csr -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem \
    -CAcreateserial -out client-cert.pem -days 365
  chown scylla:scylla client-*.pem client.csr
  chmod 600 client-key.pem
  chmod 644 client-cert.pem
  success "Client certificates generated"
}

configure_scylladb_ssl() {
  info "[6/8] Configuring ScyllaDB SSL settings..."
  # Backup original configuration
  cp /etc/scylla/scylla.yaml /etc/scylla/scylla.yaml.backup
  # Configure SSL in scylla.yaml
  cat >> /etc/scylla/scylla.yaml << EOF
# SSL Configuration
client_encryption_options:
    enabled: true
    optional: false
    certificate: $SSL_DIR/server/server-cert.pem
    keyfile: $SSL_DIR/server/server-key.pem
    truststore: $SSL_DIR/ca/ca-cert.pem
    require_client_auth: true

server_encryption_options:
    internode_encryption: all
    certificate: $SSL_DIR/server/server-cert.pem
    keyfile: $SSL_DIR/server/server-key.pem
    truststore: $SSL_DIR/ca/ca-cert.pem

authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
role_manager: CassandraRoleManager
EOF
  success "ScyllaDB SSL configuration updated"
}

create_renewal_script() {
  info "[7/8] Setting up certificate renewal..."
  cat > /usr/local/bin/scylla-cert-renewal.sh << 'EOF'
#!/bin/bash
set -euo pipefail

SSL_DIR="/etc/scylla/ssl"
LOG_FILE="/var/log/scylla-ssl-renewal.log"
# Backups live outside $SSL_DIR: a backup directory inside it would be copied into itself
BACKUP_DIR="/var/backups/scylla-ssl-$(date +%Y%m%d-%H%M%S)"

log() {
  echo "$(date): $1" >> "$LOG_FILE"
}

log "Starting certificate check"

# Create backup
mkdir -p "$BACKUP_DIR"
cp -r "$SSL_DIR"/* "$BACKUP_DIR/"

# Check certificate expiry (renew if < 30 days)
if openssl x509 -checkend 2592000 -noout -in "$SSL_DIR/server/server-cert.pem"; then
  log "Certificate valid for 30+ days, skipping renewal"
  exit 0
fi

log "Certificate expires soon, renewing..."

# Renew certificate: build the new key pair first, then swap it in, so that a failed
# openssl step leaves the current certificate untouched. Reuses the extensions file
# written at install time.
cd "$SSL_DIR/server"
if [ ! -f server-ext.cnf ]; then
  log "ERROR - server-ext.cnf missing, cannot renew"
  exit 1
fi
openssl genrsa -out server-key-new.pem 2048
openssl req -new -key server-key-new.pem -out server-new.csr \
  -subj "/C=US/ST=CA/L=San Francisco/O=ScyllaDB/OU=Database/CN=scylla-server"
openssl x509 -req -in server-new.csr -CA ../ca/ca-cert.pem -CAkey ../ca/ca-key.pem \
  -CAcreateserial -out server-cert-new.pem -days 365 -extensions v3_req -extfile server-ext.cnf
mv server-key.pem server-key-old.pem
mv server-cert.pem server-cert-old.pem
mv server-key-new.pem server-key.pem
mv server-cert-new.pem server-cert.pem
rm server-new.csr
chown scylla:scylla server-*.pem
chmod 600 server-key.pem
chmod 644 server-cert.pem

log "Restarting ScyllaDB..."
systemctl restart scylla-server
if systemctl is-active --quiet scylla-server; then
  log "ScyllaDB restarted successfully"
else
  log "ERROR - ScyllaDB failed to restart, rolling back"
  mv server-key.pem server-key-failed.pem
  mv server-cert.pem server-cert-failed.pem
  mv server-key-old.pem server-key.pem
  mv server-cert-old.pem server-cert.pem
  systemctl start scylla-server
  exit 1
fi
EOF
  chmod 755 /usr/local/bin/scylla-cert-renewal.sh
  chown root:root /usr/local/bin/scylla-cert-renewal.sh

  # Create systemd service and timer
  cat > /etc/systemd/system/scylla-cert-check.service << EOF
[Unit]
Description=ScyllaDB SSL Certificate Check
After=network.target

[Service]
Type=oneshot
ExecStart=/usr/local/bin/scylla-cert-renewal.sh
User=root
Group=root
EOF
  cat > /etc/systemd/system/scylla-cert-check.timer << EOF
[Unit]
Description=Run ScyllaDB certificate check weekly
Requires=scylla-cert-check.service

[Timer]
OnCalendar=weekly
Persistent=true

[Install]
WantedBy=timers.target
EOF
  systemctl daemon-reload
  systemctl enable scylla-cert-check.timer
  systemctl start scylla-cert-check.timer
  success "Certificate renewal scheduled"
}

verify_installation() {
  info "[8/8] Verifying SSL configuration..."
  # Start ScyllaDB
  systemctl enable scylla-server
  systemctl start scylla-server
  # Wait for ScyllaDB to start
  sleep 10
  if systemctl is-active --quiet scylla-server; then
    success "ScyllaDB is running"
  else
    error "ScyllaDB failed to start"
    return 1
  fi
  # Verify certificates
  if openssl verify -CAfile "$SSL_DIR/ca/ca-cert.pem" "$SSL_DIR/server/server-cert.pem" >/dev/null 2>&1; then
    success "Server certificate verification passed"
  else
    error "Server certificate verification failed"
    return 1
  fi
  success "SSL configuration completed successfully!"
  info "Certificate files located in: $SSL_DIR"
  info "Log file: $LOG_FILE"
  info "Next steps:"
  info "1. Configure your applications to use SSL certificates"
  info "2. Create database users with proper authentication"
  info "3. Test connections using SSL"
}

main() {
  case "${1:-}" in
    -h|--help) usage ;;
  esac
  echo -e "${BLUE}ScyllaDB SSL Configuration Script${NC}"
  echo "================================"
  detect_distro
  check_prerequisites
  install_scylladb
  setup_ssl_directories
  generate_ca
  generate_server_certs
  generate_client_certs
  configure_scylladb_ssl
  create_renewal_script
  verify_installation
  success "ScyllaDB SSL setup completed successfully!"
}

main "$@"
```
Review the script before running. Execute with: bash install.sh