An Apache Cassandra node with remote JMX open to a network can expose administrative operations used by nodetool, JConsole, and monitoring tools. Securing JMX means keeping port 7199 off untrusted networks and requiring a dedicated JMX role before those tools can read cluster state or run management operations.
Cassandra controls JMX startup flags in /etc/cassandra/cassandra-env.sh for package installs, separate from CQL authentication in /etc/cassandra/cassandra.yaml. Current Cassandra packages keep JMX local by default; changing LOCAL_JMX to no uses the remote JMX block where standard Java JMX authentication is turned on and the password file path points to /etc/cassandra/jmxremote.password.
The file-based JMX password file stores clear text credentials, so the Cassandra service user must be the only reader. Use this path for a trusted administration network or pair remote JMX with JMX SSL and client certificate settings before crossing an untrusted network, and roll the change one node at a time because Cassandra must restart to load the JMX flags.
$ nodetool status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address    Load        Tokens  Owns (effective)  Host ID                               Rack
UN  10.0.0.10  144.33 KiB  16      100.0%            8f4f6e2d-9f74-4f5a-a85f-43df5d4fcb21  rack1
This confirms nodetool can reach the node before the JMX security change. After authentication is enabled, the same command should fail until credentials are supplied.
$ sudo install -o cassandra -g cassandra -m 400 /dev/null /etc/cassandra/jmxremote.password
$ sudoedit /etc/cassandra/jmxremote.password
jmx_admin UseALongUniquePasswordHere!2026
Replace the sample password with a unique secret from the cluster's credential process. The Java JMX password file is clear text, so do not reuse a CQL role password or a shared personal password.
$ sudo install -o cassandra -g cassandra -m 400 /dev/null /etc/cassandra/jmxremote.access
$ sudoedit /etc/cassandra/jmxremote.access
jmx_admin readwrite
Standard Java JMX access levels are coarse. Many Cassandra nodetool operations need readwrite, so use this role only from trusted administrator accounts and networks.
$ sudoedit /etc/cassandra/cassandra-env.sh
For tarball installs, edit conf/cassandra-env.sh under the Cassandra installation directory instead of /etc/cassandra/cassandra-env.sh.
LOCAL_JMX=no
JMX_PORT="7199"
JVM_OPTS="$JVM_OPTS -Dcassandra.jmx.remote.port=$JMX_PORT"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.rmi.port=$JMX_PORT"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.authenticate=true"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.password.file=/etc/cassandra/jmxremote.password"
JVM_OPTS="$JVM_OPTS -Dcom.sun.management.jmxremote.access.file=/etc/cassandra/jmxremote.access"
If remote clients fail after authentication works locally, set java.rmi.server.hostname in /etc/cassandra/cassandra-env.sh to the DNS name or management address that JMX clients use to reach the node.
Allow TCP 7199 only from trusted management hosts or private administration networks. Do not publish remote JMX directly to the internet.
$ sudo systemctl restart cassandra
Restart one node first, verify JMX access, and wait for the node to return to UN before changing the next node.
Related: How to check Apache Cassandra service status
$ nodetool status
error: Authentication failed! Credentials required
-- StackTrace --
java.lang.SecurityException: Authentication failed! Credentials required
##### snipped #####
$ install -d -m 700 ~/.cassandra
$ install -m 600 /dev/null ~/.cassandra/jmxremote.password
jmx_admin UseALongUniquePasswordHere!2026
nodetool --password-file reads the same role-and-password format as the server-side JMX password file. Keep the local copy readable only by the operator account.
$ nodetool --username jmx_admin --password-file ~/.cassandra/jmxremote.password status
Datacenter: datacenter1
=======================
Status=Up/Down
|/ State=Normal/Leaving/Joining/Moving
--  Address    Load        Tokens  Owns (effective)  Host ID                               Rack
UN  10.0.0.10  136.31 KiB  16      100.0%            8f4f6e2d-9f74-4f5a-a85f-43df5d4fcb21  rack1
Keep the JMX role available on every node that management tools contact, and verify cluster state after each restart.
Related: How to check Apache Cassandra cluster status with nodetool
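
The checks below are an added example, not part of the original procedure or of Cassandra itself: a static audit to run before each restart that confirms the remote JMX block has authentication and both file flags active, that a secret file has no group or other permission bits, and that every role in the password file has an access level. The function names are hypothetical, and the audit assumes the settings appear as plain uncommented lines as in the snippet above.

```shell
#!/bin/sh
# Added example (not from the original page): static audit of the JMX files above.
# Assumes settings appear as plain uncommented lines, as in the page's snippet.

active_lines() {  # print the non-comment, non-blank lines of file $1
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# 0 if remote JMX is not selected, or is selected with authentication
# and both the password.file and access.file flags active.
audit_jmx_env() {
    rc=0
    if ! active_lines "$1" | grep -Eq '^[[:space:]]*LOCAL_JMX=no([[:space:]]|$)'; then
        echo "OK: LOCAL_JMX is not 'no'; remote JMX block not selected"
        return 0
    fi
    for prop in authenticate=true password.file=/ access.file=/; do
        if ! active_lines "$1" | grep -Fq -e "-Dcom.sun.management.jmxremote.$prop"; then
            echo "FAIL: no active -Dcom.sun.management.jmxremote.$prop"
            rc=1
        fi
    done
    return $rc
}

# 0 if file $1 is owned by user $2 and has no group/other permission bits.
secret_file_ok() {
    [ -f "$1" ] || { echo "FAIL: $1 missing"; return 1; }
    listing=$(ls -ld "$1")
    perms=$(printf '%s\n' "$listing" | cut -c5-10)     # group + other bits
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    [ "$perms" = "------" ] || { echo "FAIL: $1 has group/other permission bits"; return 1; }
    [ "$owner" = "$2" ] || { echo "FAIL: $1 owned by $owner, expected $2"; return 1; }
}

# 0 if every role in password file $1 has a readonly/readwrite line in access file $2.
roles_have_access() {
    rc=0
    for role in $(active_lines "$1" | awk '{print $1}'); do
        if ! active_lines "$2" | awk -v r="$role" \
            '$1 == r && ($2 == "readonly" || $2 == "readwrite") {f=1} END {exit !f}'; then
            echo "FAIL: role $role has no access level"
            rc=1
        fi
    done
    return $rc
}
```

On a node, source the file as root and call audit_jmx_env on /etc/cassandra/cassandra-env.sh, secret_file_ok on each of the two JMX files with owner cassandra, and roles_have_access on the password and access files; any FAIL line means the node should not be restarted with remote JMX yet.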