This is a prerelease version.

Configure TLS

Hazelcast TLS is a security feature that encrypts and authenticates the traffic between Hazelcast members, and between members and clients, preventing eavesdropping and unauthorized access to the cluster.

Hazelcast TLS uses standard SSL/TLS certificates, which can be obtained from trusted Certificate Authorities (CAs) or self-signed. The certificates are used to establish trust between the communicating parties and ensure the authenticity of the communication channel.

See TLS/SSL basics for more detailed information about the configuration and behavior of TLS in Hazelcast.

For a worked example, see the Secure a cluster with TLS tutorial.

Prerequisites

Before you configure TLS, you need to create a Kubernetes secret that holds the certificate (tls.crt) and private key (tls.key). The Operator uses the secret to build a keystore and a truststore, and modifies the Hazelcast configuration accordingly.

The provided tls.key must be unencrypted, that is, not protected by a passphrase.

Example:

kubectl create secret generic example \
  --from-file=tls.crt=example.crt \
  --from-file=tls.key=example.key

If you also provide a CA certificate as ca.crt, the Operator creates a separate truststore for it in PKCS12 format. Otherwise, the store built from tls.crt and tls.key serves as both keystore and truststore. To create a secret that includes ca.crt:

kubectl create secret generic example \
  --from-file=tls.crt=example.crt \
  --from-file=tls.key=example.key \
  --from-file=ca.crt=ca.crt
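The prerequisite steps above, carried out end to end as an added example (this script is not part of the Operator documentation or of the Operator's own tooling): generate a CA and a member certificate with openssl, check that tls.key is unencrypted before it goes into the secret, confirm that tls.crt chains to ca.crt, and render the same Secret manifest that the kubectl commands above would create, so that it can be reviewed or committed without a live cluster. The subject names, the SAN entries, the RSA key size and the 365-day validity are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the Hazelcast Operator docs or code): build the
# material for the TLS secret with openssl and validate it before applying.
# Assumed values: CN/SAN names, RSA 2048, 365-day validity.
set -eu

# Write ca.crt, ca.key, tls.crt and tls.key into directory $1.
gen_certs() {
  dir="$1"
  # Self-signed CA. -nodes leaves ca.key unencrypted.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=hazelcast-ca" -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Member key and CSR. -nodes is what keeps tls.key unencrypted, as the
  # Operator requires.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=hazelcast" -keyout "$dir/tls.key" -out "$dir/tls.csr" 2>/dev/null
  # SANs are assumed names for the service and its pods (adjust to your namespace).
  printf 'subjectAltName=DNS:hazelcast,DNS:*.hazelcast.default.svc.cluster.local\n' \
    > "$dir/san.ext"
  # Sign the member CSR with the CA, adding the SAN extension.
  openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$dir/san.ext" \
    -out "$dir/tls.crt" 2>/dev/null
}

# Succeeds only if $1 is a PEM private key that loads without a passphrase.
key_is_unencrypted() {
  # Both PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") and legacy
  # ("Proc-Type: 4,ENCRYPTED") encrypted keys carry this marker.
  if grep -q ENCRYPTED "$1"; then
    return 1
  fi
  # Belt and braces: openssl must parse it with an empty passphrase.
  openssl pkey -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Succeeds only if certificate $2 verifies against the CA bundle $1.
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the Secret manifest equivalent to
#   kubectl create secret generic NAME --from-file=tls.crt=... --from-file=tls.key=... --from-file=ca.crt=...
# Arguments: secret name, directory holding the three files.
secret_manifest() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\ntype: Opaque\ndata:\n' "$1"
  for f in tls.crt tls.key ca.crt; do
    printf '  %s: %s\n' "$f" "$(base64 < "$2/$f" | tr -d '\n')"
  done
}

# Usage: sh make-tls-secret.sh ./certs > example-secret.yaml
if [ -n "${1:-}" ]; then
  mkdir -p "$1"
  gen_certs "$1"
  key_is_unencrypted "$1/tls.key" \
    || { echo "tls.key is encrypted; the Operator requires an unencrypted key" >&2; exit 1; }
  cert_chains_to_ca "$1/ca.crt" "$1/tls.crt" \
    || { echo "tls.crt does not chain to ca.crt" >&2; exit 1; }
  secret_manifest example "$1"
fi
```

Pipe the output into `kubectl apply -f -` to create the secret named in the Hazelcast resource's `tls.secretName`; the key check is what catches a passphrase-protected key before the Operator tries to build the keystore from it.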

Configure Hazelcast TLS

Operator provides the following options for configuring TLS.

Field: secretName
Description: Name of the Kubernetes secret that holds tls.crt, tls.key and, optionally, ca.crt.

Field: clientAuthentication
Description: Mutual authentication configuration for client to member communication:

  • None (default): The client side of the connection is not authenticated.

  • Required: The member requires a trusted client certificate and rejects connections that do not present one.

  • Optional: The member asks for a client certificate but does not require one.

Field: memberAuthentication
Description: Mutual authentication configuration for member to member communication:

  • None: The connecting member is not authenticated.

  • Required (default): The accepting member requires a trusted certificate from the connecting member and rejects connections that do not present one.

  • Optional: The accepting member asks for a certificate but does not require one.

Example configuration

The following example configuration does the following:

  • Enables TLS for member to member and member to client connections.

  • Enforces mutual TLS authentication between cluster members, because memberAuthentication defaults to Required.

  • Leaves clientAuthentication at its default of None, so the client side of client connections is not authenticated with a certificate; set clientAuthentication to Required if clients must present a trusted certificate.

Example Hazelcast configuration

apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  clusterSize: 3
  repository: 'docker.io/hazelcast/hazelcast-enterprise'
  licenseKeySecretName: hazelcast-license-key
  tls:
    secretName: example

Example Management Center configuration

apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter
spec:
  repository: 'hazelcast/management-center'
  licenseKeySecretName: hazelcast-license-key
  hazelcastClusters:
  - address: hazelcast
    name: dev
    tls:
      secretName: example

To update the TLS certificates, you need to delete and recreate the affected custom resource (Hazelcast or ManagementCenter); changing the contents of the secret alone is not enough.