The purpose of this article is to provide steps to configure and enable JMX authentication for the Cassandra database for Cloud Data Protection.
Set up JMX authentication using the jmx.passwords file according to the instructions found at this link:
https://support.datastax.com/hc/en-us/articles/204226179-Step-by-step-instructions-for-securing-JMXauthentication-for-nodetool-utility-OpsCenter-and-JConsole
The user role that will be used by CDP and the Cassandra nodetool must have read/write permissions defined in the OS access file.
Example of password file: cdp password
Example of access file: cdp readwrite
These two files define user cdp with password password and read/write access rights.
Configuring CDP
Add the following parameters to the container's arguments file:
-Dcassandra.jmx.user=<user_name>
-Dcassandra.jmx.password.file=<password_file>
<password_file> is the absolute path to the same file that is used in the Cassandra configuration.
<user_name> must be a user name defined in the password file.
Both the user name and the password file must be configured for JMX authentication to work.
If the user name is invalid and/or the password file is corrupted or cannot be read, the container will fail to start.
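A preflight check that can be run before restarting the container, added here as an example (it is not part of the original article or of the product). The function name check_jmx_user, its return codes and the sample file names are assumptions; the file formats are the ones shown in the password and access file examples above.

```shell
# Preflight check: check_jmx_user <user_name> <password_file> <access_file>
# Returns 0 when all checks pass, otherwise:
#   1 = a file is missing or unreadable
#   2 = user has no entry in the password file
#   3 = user is not granted readwrite in the access file
#   4 = password file is accessible to group or others
check_jmx_user() {
    user=$1; pwfile=$2; accfile=$3

    for f in "$pwfile" "$accfile"; do
        [ -f "$f" ] && [ -r "$f" ] || { echo "cannot read $f" >&2; return 1; }
    done

    # Password file format from the article: "<user> <password>", one per line.
    # Field 1 is matched exactly, so "#cdp" or "cdp2" do not count as "cdp".
    awk -v u="$user" '$1 == u && NF >= 2 { found = 1 } END { exit !found }' "$pwfile" \
        || { echo "$user is not defined in $pwfile" >&2; return 2; }

    # Access file format from the article: "<user> readwrite".
    awk -v u="$user" '$1 == u && $2 == "readwrite" { ok = 1 } END { exit !ok }' "$accfile" \
        || { echo "$user lacks readwrite in $accfile" >&2; return 3; }

    # The password file holds cleartext passwords: only the owner should have
    # any permission bits set (characters 5-10 of the ls mode string).
    [ "$(ls -ld "$pwfile" | cut -c5-10)" = "------" ] \
        || { echo "$pwfile is accessible to group/others" >&2; return 4; }
    return 0
}

# Constructed sample files matching the article's example user "cdp".
demo=$(mktemp -d)
printf 'cdp password\n' > "$demo/jmx.password"
printf 'cdp readwrite\n' > "$demo/jmx.access"
chmod 600 "$demo/jmx.password"
check_jmx_user cdp "$demo/jmx.password" "$demo/jmx.access" && echo "cdp: OK"
rm -rf "$demo"
```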
Configuring Nodetool
nodetool must be run with -u <user_name> and either the -pw <password> or the -pwf <password_file> parameter.
Note that the argument to -pw is the actual password, not a password file. To use a password file (as is already done in the Cassandra and CDP configuration), use the -pwf argument instead. We recommend using a password file, as it minimizes the possibility of password typos and mismatches. The user name and the password or password file arguments must be added to the cdp-nodetool-repair cron script.
By default, the cron script is installed as /etc/cron.weekly/cdp-nodetool-repair.
Change the line /usr/local/perspecsys/container/cassandra/bin/nodetool repair -full > $LOG 2>$LOG
to
/usr/local/perspecsys/container/cassandra/bin/nodetool -u <username> -pwf <password_file> repair -full > $LOG 2>$LOG