How to configure TLS for Cassandra in the runtime plane
Cassandra provides secure communication between a client machine and a database
cluster and between nodes within a cluster. Enabling encryption ensures that data
in flight is not compromised and is transferred securely. In Apigee hybrid, TLS is
enabled by default for any communication between Cassandra nodes and between clients and
Cassandra nodes.
About Cassandra user authentication
The hybrid platform uses Cassandra as the backend datastore for runtime
plane data. By default, any of the client communications to Cassandra
requires authentication. There are three users used by clients that communicate
with Cassandra. Default passwords are provided for these users, and you are not
required to change them.
These users,
including a default user, are described below:
DML User: Used by the client communication to read and write data to Cassandra
(KMS, KVM, Cahce and Quota).
DDL User: Used by MART for any of the data definition tasks like keyspace
creation, update, and deletion.
Admin User: Used for any administrative activities performed
on cassandra cluster.
Default Cassandra user: Cassandra creates a default user when
Authentication is enabled and the username is cassandra
Changing the default passwords
Apigee hybrid provides default passwords for the Cassandra users. If you want to change
the default user passwords, you can do so in the
overrides.yaml file. Add the following configuration, change the default
passwords ("iloveapis123") as you wish, and apply the change to
your cluster.
Certificate Authority (CA) rotation is not supported.
A server certificate which is generated with passphrase is not supported.
Check the Cassandra logs
Check the logs as soon as the Cassandra starts up. The log below shows you that the
Cassandra client connections are encrypted.
kubectl logs apigee-cassandra-2 -n apigee -f
INFO 00:44:36 Starting listening for CQL clients on /10.0.2.12:9042 (encrypted)...
INFO 00:44:36 Binding thrift service to /10.0.2.12:9160
INFO 00:44:36 enabling encrypted thrift connections between client and server
INFO 00:44:36 Listening for thrift clients...
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-29 UTC."],[[["\u003cp\u003eThis documentation version (1.2) for Apigee hybrid is end-of-life, and users should upgrade to a newer, supported version.\u003c/p\u003e\n"],["\u003cp\u003eApigee hybrid uses Cassandra as the backend datastore, and TLS encryption is enabled by default for communication between Cassandra nodes and clients.\u003c/p\u003e\n"],["\u003cp\u003eThere are three default user accounts (DML, DDL, and Admin) for client communication with Cassandra, along with a default "cassandra" user account, and while default passwords are provided, users can change them in the \u003ccode\u003eoverrides.yaml\u003c/code\u003e file.\u003c/p\u003e\n"],["\u003cp\u003eCassandra client connections are encrypted, as confirmed by checking the Cassandra logs after startup.\u003c/p\u003e\n"],["\u003cp\u003eCertificate Authority rotation and server certificates with a passphrase are not supported.\u003c/p\u003e\n"]]],[],null,["# Configuring TLS for Cassandra\n\n| You are currently viewing version 1.2 of the Apigee hybrid documentation. **This version is end of life.** You should upgrade to a newer version. For more information, see [Supported versions](/apigee/docs/hybrid/supported-platforms#supported-versions).\n\nHow to configure TLS for Cassandra in the runtime plane\n-------------------------------------------------------\n\n\nCassandra provides secure communication between a client machine and a database\ncluster and between nodes within a cluster. Enabling encryption ensures that data\nin flight is not compromised and is transferred securely. In Apigee hybrid, TLS is\nenabled by default for any communication between Cassandra nodes and between clients and\nCassandra nodes.\n\nAbout Cassandra user authentication\n-----------------------------------\n\n\nThe hybrid platform uses Cassandra as the backend datastore for runtime\nplane data. By default, any of the client communications to Cassandra\nrequires authentication. There are three users used by clients that communicate\nwith Cassandra. Default passwords are provided for these users, and you are not\nrequired to change them.\n\nThese users,\nincluding a default user, are described below:\n\n- **DML User**: Used by the client communication to read and write data to Cassandra (KMS, KVM, Cahce and Quota).\n- **DDL User:** Used by MART for any of the data definition tasks like keyspace creation, update, and deletion.\n- **Admin User:** Used for any administrative activities performed on cassandra cluster.\n- **Default Cassandra user:** Cassandra creates a default user when Authentication is enabled and the username is `cassandra`\n\nChanging the default passwords\n------------------------------\n\n\nApigee hybrid provides default passwords for the Cassandra users. If you want to change\nthe default user passwords, you can do so in the\n`overrides.yaml` file. Add the following configuration, change the default\npasswords (\"iloveapis123\") as you wish, and apply the change to\nyour cluster.\n\n\nAll the usernames must be in lowercase. \n\n```actionscript-3\ncassandra:\n auth:\n default: ## the password for the new default user (static username: cassandra)\n password: \"iloveapis123\"\n admin: ## the password for the admin user (static username: admin_user)\n password: \"iloveapis123\"\n ddl: ## the password for the DDL User (static username: ddl_user)\n password: \"iloveapis123\"\n dml: ## the password for the DML User (static username: dml_user)\n password: \"iloveapis123\"\n```\n\n\nNote the following:\n\n- Certificate Authority (CA) rotation is not supported.\n- A server certificate which is generated with passphrase is not supported.\n\nCheck the Cassandra logs\n------------------------\n\n\nCheck the logs as soon as the Cassandra starts up. The log below shows you that the\nCassandra client connections are encrypted. \n\n```\nkubectl logs apigee-cassandra-2 -n apigee -f\n\nINFO 00:44:36 Starting listening for CQL clients on /10.0.2.12:9042 (encrypted)...\nINFO 00:44:36 Binding thrift service to /10.0.2.12:9160\nINFO 00:44:36 enabling encrypted thrift connections between client and server\nINFO 00:44:36 Listening for thrift clients...\n```"]]