A high level Java client for Apache Cassandra
Fork me on GitHub CloudBees

Table Of Contents

This Page


Secure connection - Kerberos

The JAAS framework defines the term subject to represent the source of a request. A subject may be any entity, such as a person or service.

Authentication represents the process by which the identity of a subject is verified, and must be performed in a secure fashion; otherwise a perpetrator may impersonate others to gain access to a system. Authentication typically involves the subject demonstrating some form of evidence to prove its identity. Such evidence may be information only the subject would likely know or have (such as a password or fingerprint), or it may be information only the subject could produce (such as signed data using a private key).

A Subject is populated with associated identities, or Principals such as name (“John Doe”) which distinguish it from other Subjects.

In addition to associated Principals, a Subject may own security-related attributes, which are referred to as credentials. A credential may contain information used to authenticate the subject to new services. Such credentials include passwords, Kerberos tickets, and public key certificates.

Kerberos is a known authentication mechanism that lets clients authenticate against a single Key Distribution Center (KDC).

In order to do that, some files are required.

  • jaas.conf (Login configuration file) and
  • krb5.conf Kerberos congif file
  • .keytab config binary file to avoid specifing a system property with a password

jaas.conf can be used for both Server and Client as long as it has one entry for the client side and one for the server side.

jaas.conf sample

Client {
  com.sun.security.auth.module.Krb5LoginModule required

Server {
        com.sun.security.auth.module.Krb5LoginModule required

Client specifies a principal so that all clients authenticate using the same user name. Your Kerberos-style user name is simply the user name you were assigned for Kerberos authentication. It consists of a base user name (like “mjones”) followed by an “@” and your realm (like “mjones@KRBNT-OPERATIONS.ABC.COM”).

krb5.conf sample

        default_realm = <realm>
        default_checksum = rsa-md5

        DATASTAX.COM = {
                kdc = <ip_address>

        datastax.com = DATASTAX.COM

Setting up Kerberos

First we need to tell Hector that we want to use Kerberos authentication:


Second, we need to let Hector know where the jaas.conf and krb5.conf files are. In order to do that, let’s set the following properties:


Note: service_principal should be just the name. I.e: cassandra/host@REALM you should use cassandra.

If java.security.auth.login.config and java.security.krb5.conf two properties are not set, the default is ./jaas.conf and ./krb5.conf respectively from the root of the classpath.

If kerberos.client.reference.name is not set, the default is Client. This is the reference in the jaas.conf file for the client.

Finally, we need to point jaas.conf to the right .keytab file. Edit the property keyTab=”...” in jaas.conf file.

For more Information, visit: