Serving Management Center over HTTPS
Serving Management Center over HTTPS secures communication between Management Center and HTTP clients such as web browsers that are connected to it.
To serve Management Center over HTTPS, you need to enable TLS in the Management Center configuration. This topic explains the options you have for serving Management Center over HTTPS. For a tutorial, see Serve Management Center over HTTPS.
Enabling TLS for Management Center
To enable TLS, you need to do the following:
- Generate a key pair and a signed certificate. If you are using a self-signed certificate, see Self-Signed Certificates on this page.
- If your Hazelcast clusters use mutual authentication, add the signed Management Center certificate to your cluster members' truststores, and restart them. See Mutual Authentication in the Platform documentation.
- Start Management Center with the following system properties.
Linux/macOS:
hz-mc start -Dhazelcast.mc.tls.enabled=true \
-Dhazelcast.mc.tls.keyStore=/path/to/keystore \
-Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword
Windows:
mc-start.cmd -Dhazelcast.mc.tls.enabled=true ^
-Dhazelcast.mc.tls.keyStore=/path/to/keystore ^
-Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword
To encrypt the keystore/truststore passwords and pass them as command line arguments in encrypted form, see Variable Replacers.
When TLS is enabled, you can access Management Center over HTTPS on port 8443: https://localhost:8443.
Self-Signed Certificates
It’s not always necessary to have certificates signed by a well-known certificate authority. For example, you may want to set up HTTPS on a private network or a staging environment. In this case, you can use a self-signed certificate.
If you want to use a self-signed certificate, do one of the following:
- Create the certificate with the hostname (or IP address) of the machine you will deploy Management Center on, so that it appears in the certificate's subject alternative names.
- Disable hostname verification by setting the hazelcast.mc.disableHostnameVerification property to true. Note that with hostname verification disabled, any certificate that is trusted by the truststore is accepted regardless of which host presents it, so prefer the first option wherever you control the certificate.
Otherwise, you may see exceptions like the following in the member logs:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative names matching IP address 127.0.0.1 found
When using a self-signed certificate, your browser may warn you that the connection is not secure. If so, add your certificate to the browser's list of trusted certificates.
Overriding the Default HTTPS Port
To override the HTTPS port, use the hazelcast.mc.https.port property when starting Management Center. For example:
hz-mc start -Dhazelcast.mc.tls.enabled=true \
-Dhazelcast.mc.tls.keyStore=/path/to/keystore \
-Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword \
-Dhazelcast.mc.https.port=443
mc-start.cmd -Dhazelcast.mc.tls.enabled=true ^
-Dhazelcast.mc.tls.keyStore=/path/to/keystore ^
-Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword ^
-Dhazelcast.mc.https.port=443
This command starts the Management Center on HTTPS port 443.
Redirecting the HTTP Port to HTTPS
By default, the HTTP port is disabled when you enable TLS. If you want to have an open HTTP port that redirects to the HTTPS port, set the hazelcast.mc.tls.enableHttpPort property to true.
Mutual Authentication
To make sure that only authenticated HTTP clients such as web browsers or cURL can connect to Management Center, you can enable mutual authentication.
When mutual authentication is enabled, HTTP clients need to present their own TLS certificate to Management Center before they are allowed to connect. You can store trusted clients' TLS certificates in the Management Center truststore so that it can authenticate them.
To enable mutual authentication, use the hazelcast.mc.tls.mutualAuthentication property.
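The following script is an added example, not part of the Hazelcast documentation or the Management Center distribution. It ties together the Enabling TLS and Self-Signed Certificates steps above (a self-signed server certificate whose subject alternative names cover the Management Center host, so hostname verification can stay enabled) and the mutual authentication step (a private CA, a client certificate signed by it, and the truststore Management Center would use to authenticate that client). It assumes OpenSSL 1.1.1 or later; the hostname mc.example.internal, the client name ops-console, the passwords, and the value REQUIRED for hazelcast.mc.tls.mutualAuthentication are illustrative assumptions, and the truststore property names hazelcast.mc.tls.trustStore and hazelcast.mc.tls.trustStorePassword are assumed from the reference to truststore passwords on this page rather than stated by it. The keytool step only runs when a JDK is on the PATH.

```shell
#!/bin/sh
# Added example (not Hazelcast's own code): build TLS material for
# Management Center with OpenSSL and assemble the start command.
# Assumes openssl >= 1.1.1 (for -addext and x509 -ext).
set -eu

# Self-signed server certificate. The SAN lists the hostname and
# 127.0.0.1 so that members and browsers can keep hostname verification
# on instead of setting hazelcast.mc.disableHostnameVerification=true.
gen_server_keystore() {  # host outdir keystore-password
  host=$1; dir=$2; pass=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/mc-key.pem" -out "$dir/mc-cert.pem" \
    -subj "/CN=$host" \
    -addext "subjectAltName=DNS:$host,IP:127.0.0.1" 2>/dev/null
  # PKCS#12 keystore; Java reads it with the default keystore type.
  openssl pkcs12 -export -in "$dir/mc-cert.pem" -inkey "$dir/mc-key.pem" \
    -name mc -out "$dir/mc-keystore.p12" -passout "pass:$pass"
}

# Print the SAN of a PEM certificate (what hostname verification checks).
cert_san() {
  openssl x509 -in "$1" -noout -ext subjectAltName | sed -n '2s/^ *//p'
}

# Private CA plus a client certificate for mutual authentication.
# The CA certificate goes into the Management Center truststore; the
# client key/certificate pair is what the browser or cURL presents.
gen_client_cert() {  # client-name outdir truststore-password
  name=$1; dir=$2; pass=$3
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" \
    -subj "/CN=mc-client-ca" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/$name-key.pem" -out "$dir/$name.csr" \
    -subj "/CN=$name" 2>/dev/null
  # Mark the leaf as a TLS client certificate (Java's end-entity checks
  # reject an EKU that lacks clientAuth when an EKU is present).
  printf 'extendedKeyUsage=clientAuth\nkeyUsage=digitalSignature\n' \
    > "$dir/client.ext"
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca-cert.pem" \
    -CAkey "$dir/ca-key.pem" -CAcreateserial -days 365 \
    -extfile "$dir/client.ext" -out "$dir/$name-cert.pem" 2>/dev/null
  # Truststore for Management Center: requires keytool (JDK).
  if command -v keytool >/dev/null 2>&1; then
    keytool -importcert -noprompt -alias mc-client-ca \
      -file "$dir/ca-cert.pem" -keystore "$dir/mc-truststore.p12" \
      -storetype PKCS12 -storepass "$pass" >/dev/null
  else
    echo "keytool not found; create mc-truststore.p12 on a host with a JDK" >&2
  fi
}

# Assemble the hz-mc start line. Mutual-auth arguments are only added
# when a truststore is given. Property names for the truststore and the
# value REQUIRED are assumptions, not taken from this page.
mc_start_cmd() {  # keystore keystore-password [truststore truststore-password]
  cmd="hz-mc start -Dhazelcast.mc.tls.enabled=true"
  cmd="$cmd -Dhazelcast.mc.tls.keyStore=$1 -Dhazelcast.mc.tls.keyStorePassword=$2"
  if [ $# -ge 4 ]; then
    cmd="$cmd -Dhazelcast.mc.tls.mutualAuthentication=REQUIRED"
    cmd="$cmd -Dhazelcast.mc.tls.trustStore=$3 -Dhazelcast.mc.tls.trustStorePassword=$4"
  fi
  printf '%s\n' "$cmd"
}

demo() {
  d=$(mktemp -d)
  gen_server_keystore mc.example.internal "$d" changeit
  echo "server SAN: $(cert_san "$d/mc-cert.pem")"
  gen_client_cert ops-console "$d" changeit
  mc_start_cmd "$d/mc-keystore.p12" changeit "$d/mc-truststore.p12" changeit
  # A client that presents its certificate and pins the server cert:
  echo "curl --cacert $d/mc-cert.pem --cert $d/ops-console-cert.pem" \
       "--key $d/ops-console-key.pem https://mc.example.internal:8443/"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh mc-tls.sh demo` to generate the files in a temporary directory and print the start line and a matching cURL invocation. The generated server certificate is self-signed, so browsers still need it added to their trusted certificates as described above; the client certificate is what mutual authentication checks against the truststore, and a client without one is refused the TLS handshake rather than the login page.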