How to configure TLS for Cassandra in the runtime plane
Cassandra provides secure communication between a client machine and a database
cluster and between nodes within a cluster. Enabling encryption ensures that data
in flight is not compromised and is transferred securely. In Apigee hybrid, TLS is
enabled by default for any communication between Cassandra nodes and between clients and
Cassandra nodes.
About Cassandra user authentication
The hybrid platform uses Cassandra as the backend datastore for runtime
plane data. By default, any of the client communications to Cassandra
requires authentication. There are three users used by clients that communicate
with Cassandra. Default passwords are provided for these users, and you are not
required to change them.
These users,
including a default user, are described below:
DML User: Used by the client communication to read and write data to Cassandra
(KMS, KVM, Cahce and Quota).
DDL User: Used by MART for any of the data definition tasks like keyspace
creation, update, and deletion.
Admin User: Used for any administrative activities performed
on cassandra cluster.
Default Cassandra user: Cassandra creates a default user when
Authentication is enabled and the username is cassandra
Changing the default passwords
Apigee hybrid provides default passwords for the Cassandra users. If you want to change
the default user passwords, you can do so in the
overrides.yaml file. Add the following configuration, change the default
passwords ("iloveapis123") as you wish, and apply the change to
your cluster.
Certificate Authority (CA) rotation is not supported.
A server certificate which is generated with passphrase is not supported.
Check the Cassandra logs
Check the logs as soon as the Cassandra starts up. The log below shows you that the
Cassandra client connections are encrypted.
kubectl logs apigee-cassandra-2 -n apigee -f
INFO 00:44:36 Starting listening for CQL clients on /10.0.2.12:9042 (encrypted)...
INFO 00:44:36 Binding thrift service to /10.0.2.12:9160
INFO 00:44:36 enabling encrypted thrift connections between client and server
INFO 00:44:36 Listening for thrift clients...
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eApigee hybrid uses Cassandra as its backend datastore, and TLS encryption is enabled by default for all communication between Cassandra nodes and clients to ensure data security.\u003c/p\u003e\n"],["\u003cp\u003eClient communication with Cassandra requires authentication, utilizing four different users: DML, DDL, Admin, and a default user, each with specific roles and default passwords.\u003c/p\u003e\n"],["\u003cp\u003eYou can change the default passwords for Cassandra users in the \u003ccode\u003eoverrides.yaml\u003c/code\u003e file by updating the configuration and applying the change to your cluster, ensuring all usernames are in lowercase.\u003c/p\u003e\n"],["\u003cp\u003eCassandra logs indicate that client connections are encrypted, confirming the successful implementation of secure communication between clients and the Cassandra server.\u003c/p\u003e\n"],["\u003cp\u003eThere is an outdated version warning at the top of this page for the user to upgrade to a newer version of the documentation for Apigee hybrid, and the specific version is 1.1, considered end of life.\u003c/p\u003e\n"]]],[],null,["# Configuring TLS for Cassandra\n\n| You are currently viewing version 1.1 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nHow to configure TLS for Cassandra in the runtime plane\n-------------------------------------------------------\n\n\nCassandra provides secure communication between a client machine and a database\ncluster and between nodes within a cluster. Enabling encryption ensures that data\nin flight is not compromised and is transferred securely. In Apigee hybrid, TLS is\nenabled by default for any communication between Cassandra nodes and between clients and\nCassandra nodes.\n\nAbout Cassandra user authentication\n-----------------------------------\n\n\nThe hybrid platform uses Cassandra as the backend datastore for runtime\nplane data. By default, any of the client communications to Cassandra\nrequires authentication. There are three users used by clients that communicate\nwith Cassandra. Default passwords are provided for these users, and you are not\nrequired to change them.\n\nThese users,\nincluding a default user, are described below:\n\n- **DML User**: Used by the client communication to read and write data to Cassandra (KMS, KVM, Cahce and Quota).\n- **DDL User:** Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.\n- **Admin User:** Used for any administrative activities performed on cassandra cluster.\n- **Default Cassandra user:** Cassandra creates a default user when Authentication is enabled and the username is `cassandra`\n\nChanging the default passwords\n------------------------------\n\n\nApigee hybrid provides default passwords for the Cassandra users. If you want to change\nthe default user passwords, you can do so in the\n`overrides.yaml` file. Add the following configuration, change the default\npasswords (\"iloveapis123\") as you wish, and apply the change to\nyour cluster.\n\n\nAll the usernames must be in lowercase. \n\n```actionscript-3\ncassandra:\n auth:\n default: ## the password for the new default user (static username: cassandra)\n password: \"iloveapis123\"\n admin: ## the password for the admin user (static username: admin_user)\n password: \"iloveapis123\"\n ddl: ## the password for the DDL User (static username: ddl_user)\n password: \"iloveapis123\"\n dml: ## the password for the DML User (static username: dml_user)\n password: \"iloveapis123\"\n```\n\n\nNote the following:\n\n- Certificate Authority (CA) rotation is not supported.\n- A server certificate which is generated with passphrase is not supported.\n\nCheck the Cassandra logs\n------------------------\n\n\nCheck the logs as soon as the Cassandra starts up. The log below shows you that the\nCassandra client connections are encrypted. \n\n```\nkubectl logs apigee-cassandra-2 -n apigee -f\n\nINFO 00:44:36 Starting listening for CQL clients on /10.0.2.12:9042 (encrypted)...\nINFO 00:44:36 Binding thrift service to /10.0.2.12:9160\nINFO 00:44:36 enabling encrypted thrift connections between client and server\nINFO 00:44:36 Listening for thrift clients...\n```"]]
