2014-12-03
0

I installed DataStax Enterprise 4.5.3 and OpsCenter 5.0.1 in AWS in a multi-region configuration. I am trying to secure the communication as much as possible by enabling node-to-node encryption, client-to-node encryption, and SSL between OpsCenter and the agents. After enabling encryption, the agents cannot connect to the cluster.

The agents ran into problems after I enabled client-to-node encryption. Once encryption is enabled in cassandra.yaml, the DataStax agent throws an error saying it cannot connect to the cluster. The relevant section of cassandra.yaml:

# enable or disable client/server encryption. 
client_encryption_options: 
    enabled: true 
    keystore: /usr/share/dse/resources/dse/conf/.keystore 
    keystore_password: supersecret_password 
    # require_client_auth: false 
    # Set truststore and truststore_password if require_client_auth is true 
    truststore: /usr/share/dse/resources/dse/conf/.truststore 
    truststore_password: supersecret_password 
    # More advanced defaults below: 
    protocol: SSL 
    # algorithm: SunX509 
    # store_type: JKS 
    # cipher_suites [TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA] 

The agent cannot connect to the cluster after client-to-node encryption is enabled in cassandra.yaml. In /var/log/datastax-agent/agent.log I see this error repeatedly:

ERROR [pdp-loader] 2014-11-10 20:06:18,902 Unable to connect to Cassandra: 
me.prettyprint.hector.api.exceptions.HectorException: All host pools marked down. Retry burden pushed out to client. 
    at me.prettyprint.cassandra.connection.HConnectionManager.getClientFromLBPolicy(HConnectionManager.java:390) 
    at me.prettyprint.cassandra.connection.HConnectionManager.operateWithFailover(HConnectionManager.java:244) 
    at me.prettyprint.cassandra.service.AbstractCluster.describePartitioner(AbstractCluster.java:255) 
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) 
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) 
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) 
    at java.lang.reflect.Method.invoke(Method.java:606) 
    at clojure.lang.Reflector.invokeMatchingMethod(Reflector.java:93) 
    at clojure.lang.Reflector.invokeNoArgInstanceMember(Reflector.java:298) 
    at clj_hector.core$partitioner.invoke(core.clj:42) 
    at opsagent.cassandra$load_pdps_with_retry$fn__1066.invoke(cassandra.clj:211) 
    at opsagent.cassandra$load_pdps_with_retry.invoke(cassandra.clj:210) 
    at opsagent.cassandra$setup_cassandra$f__388__auto____1094$fn__1095$f__388__auto____1102.invoke(cassandra.clj:357) 
    at clojure.lang.AFn.run(AFn.java:24) 
    at java.lang.Thread.run(Thread.java:745) 
INFO [Hector.me.prettyprint.cassandra.connection.CassandraHostRetryService-1] 2014-11-10 20:06:28,700 Not checking that 54.86.178.77(54.86.178.77):9160 is a member of the ring since there are no live hosts 
WARN [Hector.me.prettyprint.cassandra.connection.CassandraHostRetryService-1] 2014-11-10 20:06:28,701 Downed 54.86.178.77(54.86.178.77):9160 host still appears to be down: Unable to open transport to 54.86.178.77(54.86.178.77):9160 , java.net.ConnectException: Connection refused 

Answer

1

Make sure you have completed the agent configuration in address.yaml. It should be set as follows:

stomp_interface: <stomp_interface_ip of opscenterd box> 
local_interface: <broadcast or listen_address_ip in cassandra.yaml> 
cassandra_conf: "<path>/dse-4.5.1/resources/cassandra/conf/cassandra.yaml" 
use_ssl: 1 
ssl_keystore: <path to keystore>/.keystore 
ssl_keystore_password: <ks password> 
thrift_ssl_truststore: <path to truststore>/.truststore 
thrift_ssl_truststore_password: <ts password> 
hosts: ["<ip address>"] 

See the other detailed SSL and OpsCenter configuration steps here for tarball installs and here for package installs.
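As an added example (not code from the question, the answer or DataStax), the following Python script checks that an agent's address.yaml is consistent with the client_encryption_options block in cassandra.yaml: use_ssl must be set when client encryption is enabled, a truststore and its password must be given so the agent can verify the node's certificate, and an agent keystore is only required when require_client_auth is true. The YAML fragments, addresses and paths below are constructed placeholders; the parser handles only the flat, one-level-nested subset that these two files use, so it needs no PyYAML.

```python
"""Check that address.yaml matches client_encryption_options in cassandra.yaml.

Added example for the thread above; not DataStax code.  Only the simple
"key: value" / one-level nested mapping subset of YAML is parsed, and a '#'
inside a value (e.g. a password) is treated as a comment, so quote such values
or use a real YAML parser on production files.
"""

import os

# Constructed sample inputs modelled on the fragments posted in the thread.
CASSANDRA_YAML = """\
# enable or disable client/server encryption.
client_encryption_options:
    enabled: true
    keystore: /usr/share/dse/resources/dse/conf/.keystore
    keystore_password: supersecret_password
    # require_client_auth: false
    truststore: /usr/share/dse/resources/dse/conf/.truststore
    truststore_password: supersecret_password
    protocol: SSL
"""

# Agent config that forgot every SSL setting (placeholder addresses).
ADDRESS_YAML_BAD = """\
stomp_interface: 10.0.0.5
local_interface: 10.0.1.7
cassandra_conf: "/usr/share/dse/resources/cassandra/conf/cassandra.yaml"
hosts: ["10.0.1.7"]
"""

# The same config with the SSL keys from the answer filled in (placeholder paths).
ADDRESS_YAML_GOOD = ADDRESS_YAML_BAD + """\
use_ssl: 1
ssl_keystore: /var/lib/datastax-agent/ssl/agentKeyStore
ssl_keystore_password: ks_password
thrift_ssl_truststore: /usr/share/dse/resources/dse/conf/.truststore
thrift_ssl_truststore_password: supersecret_password
"""


def parse_simple_yaml(text):
    """Parse a mapping whose values are scalars or one nested level of scalars.
    Comments and blank lines are dropped; surrounding quotes are stripped."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("\"'")
        if raw.startswith((" ", "\t")):      # indented: belongs to the last top-level key
            result[current][key] = value
        elif value == "":                     # "key:" with nothing after it opens a mapping
            current = key
            result[key] = {}
        else:
            result[key] = value
    return result


def check_agent_ssl(cassandra_yaml, address_yaml, check_files=False):
    """Return a list of mismatches between the two files; [] means they agree.
    check_files=True additionally verifies the store files exist (run on the node)."""
    opts = parse_simple_yaml(cassandra_yaml).get("client_encryption_options", {})
    agent = parse_simple_yaml(address_yaml)
    problems = []
    if str(opts.get("enabled", "false")).lower() != "true":
        return problems   # client-to-node encryption is off; nothing for the agent to match
    if str(agent.get("use_ssl", "")).lower() not in ("1", "true"):
        problems.append("cassandra.yaml enables client encryption but address.yaml lacks use_ssl: 1")
    if not agent.get("thrift_ssl_truststore"):
        problems.append("thrift_ssl_truststore missing: agent cannot verify the node certificate")
    elif not agent.get("thrift_ssl_truststore_password"):
        problems.append("thrift_ssl_truststore_password missing")
    if str(opts.get("require_client_auth", "false")).lower() == "true":
        if not (agent.get("ssl_keystore") and agent.get("ssl_keystore_password")):
            problems.append("require_client_auth is true but address.yaml has no "
                            "ssl_keystore / ssl_keystore_password for the agent certificate")
    if check_files:
        for key in ("ssl_keystore", "thrift_ssl_truststore"):
            path = agent.get(key)
            if path and not os.path.isfile(path):
                problems.append("%s points at %s, which does not exist on this host" % (key, path))
    return problems


if __name__ == "__main__":
    for label, addr in (("bad", ADDRESS_YAML_BAD), ("good", ADDRESS_YAML_GOOD)):
        found = check_agent_ssl(CASSANDRA_YAML, addr, check_files=True)
        print(label + ":", "OK" if not found else "\n  " + "\n  ".join(found))
```

A mismatch flagged here shows up as a TLS handshake failure on the agent side. The "Connection refused" in the log above is a different symptom: nothing accepted the TCP connection on port 9160 at that address at all, so it is also worth confirming which address the node's Thrift listener is actually bound to before chasing the SSL settings.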

+1

The documentation you pointed to lists local_interface, not listen_interface. Are they the same? I set local_interface to the Elastic IP. – LHWizard 2014-12-03 22:00:56

+0

Oops, thanks. Corrected the answer. Here is the detailed documentation for address.yaml http://www.datastax.com/documentation/opscenter/5.0/opsc/configure/agentAddressConfiguration.html – phact 2014-12-03 22:16:38

+0

The OpsCenter docs [here](http://www.datastax.com/documentation/opscenter/5.0/opsc/configure/opscEnableSSLtar.html) say to copy agentKeyStore. Do I also have to copy the truststore? The configuration implies I should. Is there any documentation on this? – LHWizard 2014-12-03 22:20:31
