
Configure Cassandra JMX authentication for Cloud Data Protection


Article ID: 174072


Products

CDP for ServiceNow, CDP for Salesforce, CDP for Xactly, CDP Communication Server, CDP for Oracle Sales Cloud, CDP for Oracle CRM On Demand, CDP Policy Builder, CDP for Yammer, CDP Integration Server

Issue/Introduction

The purpose of this article is to provide steps to configure and enable JMX authentication for the Cassandra database for Cloud Data Protection.

Resolution

Set up JMX authentication using the jmx.passwords file according to the instructions found at this link:
https://support.datastax.com/hc/en-us/articles/204226179-Step-by-step-instructions-for-securing-JMXauthentication-for-nodetool-utility-OpsCenter-and-JConsole

 

  1. Modify conf/cassandra-env.sh:
    • change false to true in JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=false"
    • set the correct path to the password file in JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=
    • uncomment and set the correct path to the access file in JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=
  2. Check to enable/uncheck to disable (default is Checked)
  3. Save and stop/start the apprtx_server service


The user role used by CDP and the Cassandra nodetool must have read/write permissions defined in the OS access file.


Example of password file: cdp password
Example of access file: cdp readwrite

These two files define user cdp with password password and read/write access rights.

 

Configuring CDP

Add the following parameters to the container's arguments file:

-Dcassandra.jmx.user=<user_name>
-Dcassandra.jmx.password.file=<password_file>

<password_file> is the absolute path to the same file that is used in the Cassandra configuration.
<user_name> must be a user name defined in the password file.

Both the user name and the password file must be configured for JMX authentication to work.
If the user name is invalid and/or the password file is corrupted or cannot be read, the Container will fail to start.
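
A pre-flight check for the password and access files set up in the Cassandra and CDP steps above, as an added example that is not part of the original article or the product. It confirms that the user has a password entry, that the access file grants readwrite, and that the password file is accessible only to its owner, which the JVM's JMX agent requires; the function name check_jmx_files and the chmod 400 suggestion are assumptions of this example.

```shell
#!/bin/sh
# Added example (not product code): validate the JMX password and access files
# before restarting Cassandra or the CDP container.
# Usage: check_jmx_files <user_name> <password_file> <access_file>
# Returns 0 when the files are consistent; otherwise 1, with reasons on stderr.
check_jmx_files() {
    user=$1; pwfile=$2; accfile=$3; rc=0

    for f in "$pwfile" "$accfile"; do
        if [ ! -r "$f" ]; then
            echo "cannot read $f" >&2
            return 1
        fi
    done

    # The JVM rejects a JMX password file that group or other can access.
    # GNU stat first, BSD stat as fallback.
    mode=$(stat -c %a "$pwfile" 2>/dev/null || stat -f %Lp "$pwfile")
    case $mode in
        ?00) ;;
        *) echo "$pwfile has mode $mode; restrict it to the owner, e.g. chmod 400" >&2
           rc=1 ;;
    esac

    # Password file lines look like "<user> <password>".
    pw=$(awk -v u="$user" '$1 == u { print $2; exit }' "$pwfile")
    if [ -z "$pw" ]; then
        echo "user $user has no password entry in $pwfile" >&2
        rc=1
    fi

    # Access file lines look like "<user> readonly" or "<user> readwrite".
    access=$(awk -v u="$user" '$1 == u { print $2; exit }' "$accfile")
    if [ "$access" != "readwrite" ]; then
        echo "user $user has access '${access:-none}' in $accfile, needs readwrite" >&2
        rc=1
    fi
    return $rc
}

# Run the check only when called with all three arguments.
if [ "$#" -eq 3 ]; then
    check_jmx_files "$@"
fi
```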


Configuring Nodetool


nodetool must be run with -u <user_name> and either the -pw <password> or the -pwf <password_file> parameter.

Note that the argument to -pw is the actual password, not a password file. To use a password file (as is already done in the Cassandra and CDP configuration), the -pwf argument has to be used. We recommend using the password file, as it minimizes the possibility of password typos and mismatches. The user name and password/password file arguments must be added to the cdp-nodetool-repair cron script.

By default, the cron script is installed at /etc/cron.weekly/cdp-nodetool-repair.

Change the line

/usr/local/perspecsys/container/cassandra/bin/nodetool repair -full > $LOG 2>$LOG

to

/usr/local/perspecsys/container/cassandra/bin/nodetool -u <user_name> -pwf <password_file> repair -full > $LOG 2>$LOG