TLS/SSL
To secure communications to and from Management Center, configure it to use TLS/SSL.
Management Center communicates over several channels. To encrypt the data transmitted over each of them with TLS/SSL, do the following.
Note: The /health endpoint is always served over plain HTTP, even when TLS/SSL is enabled. See the hazelcast.mc.healthCheck.enable property.
- Serve the Management Center UI over HTTPS by doing one of the following:
  - Start Management Center from the command line with TLS/SSL enabled. See Serving Management Center over HTTPS.
  - Deploy Management Center on a TLS/SSL-enabled container.
  - Install Management Center behind a TLS-enabled reverse proxy. Make sure the reverse proxy sets the X-Forwarded-Proto HTTP header to https, and that the hazelcast.mc.forwarded.requests.enabled property is set to true, so that Management Center treats the forwarded requests as HTTPS.
- If your Hazelcast cluster uses TLS, configure Management Center with the necessary truststore information. You configure the truststore using a client configuration file. See Cluster Connections.
- If you use Clustered JMX in Management Center, enable TLS/SSL for it. See Enabling TLS/SSL for Clustered JMX.
- If you use LDAP authentication, use LDAPS or enable the Start TLS field. See LDAP Authentication.
- If you use Active Directory authentication, use Java's truststore-related system properties. See Active Directory Authentication.
Excluding TLS/SSL Protocols
When you enable TLS in Management Center, it supports by default every TLS/SSL protocol version that the JVM supports.
To exclude specific protocol versions, set the hazelcast.mc.tls.excludeProtocols
property to a comma-separated list of protocol names. The property is a denylist: any protocol the JVM supports and the list does not name remains enabled. For example, to allow only TLSv1.2, use
the following property when starting Management Center:
-Dhazelcast.mc.tls.excludeProtocols=SSLv3,SSLv2Hello,TLSv1,TLSv1.1
After starting Management Center, confirm that the enabled set is what you intended: the logs contain a line similar to the following, listing the enabled protocols and, after "of", the full set that the JVM supports:
2017-06-21 12:35:54.856:INFO:oejus.SslContextFactory:Enabled Protocols
[TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
Including and Excluding Cipher Suites
When you configure TLS, you can also control which cipher suites Management Center may use
when establishing TLS connections. Include cipher suites with the hazelcast.mc.include.cipher.suites
property
and exclude cipher suites with the hazelcast.mc.exclude.cipher.suites
property on startup. Each property takes a comma-separated list, and each entry is either an exact cipher suite name or a regular expression that must match the whole suite name. For example:
-Dhazelcast.mc.include.cipher.suites=^SSL_.*$
-Dhazelcast.mc.exclude.cipher.suites=^.*_(MD5|SHA|SHA1)$,^TLS_RSA_.*$,^.*_NULL_.*$
The exclusion patterns above remove suites whose MAC is MD5 or SHA-1 (names ending in _MD5, _SHA or _SHA1), suites that use static RSA key exchange (TLS_RSA_*, which offer no forward secrecy), and suites that do not encrypt at all (_NULL_). Exclusions are applied after inclusions, so a suite that matches both an include and an exclude pattern is disabled. As with protocols, confirm the resulting enabled set in the startup log rather than assuming it.
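The following script models how the protocol-exclusion property and the two cipher-suite properties above narrow what the JVM supports, so you can predict the "Enabled Protocols" log line and the enabled cipher set before starting Management Center. It is an added illustration and not Management Center or Jetty code. It assumes the semantics of Jetty's SslContextFactory (the class named in the log line): a protocol stays enabled unless it is named in the exclude list; a cipher suite is selected when it matches an include pattern (all suites are selected when no include is configured) and is then dropped if it matches any exclude pattern; each pattern is tried as an exact name, then as a regular expression that must match the whole suite name. The supported protocol and cipher-suite lists are constructed samples, not output from a real JVM.

```python
"""Model of Management Center's TLS protocol / cipher-suite filtering properties (added example)."""
import re
from typing import Iterable, List

# Constructed sample of what a JVM might report as supported (not real JVM output).
JVM_PROTOCOLS = ["SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
JVM_CIPHER_SUITES = [
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",   # SHA-1 MAC
    "TLS_RSA_WITH_AES_128_GCM_SHA256",      # static RSA key exchange, no forward secrecy
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",             # MD5 MAC
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",                # no encryption at all
    "TLS_ECDHE_RSA_WITH_NULL_SHA",
]

# The property values shown on the page.
PAGE_EXCLUDE_PROTOCOLS = "SSLv3,SSLv2Hello,TLSv1,TLSv1.1"
PAGE_INCLUDE_SUITES = "^SSL_.*$"
PAGE_EXCLUDE_SUITES = "^.*_(MD5|SHA|SHA1)$,^TLS_RSA_.*$,^.*_NULL_.*$"


def parse_list(value: str) -> List[str]:
    """Split a comma-separated property value into trimmed, non-empty entries."""
    return [item.strip() for item in value.split(",") if item.strip()]


def enabled_protocols(supported: Iterable[str], exclude_value: str) -> List[str]:
    """Protocols are a denylist: everything supported stays enabled unless named exactly."""
    excluded = set(parse_list(exclude_value))
    return [proto for proto in supported if proto not in excluded]


def _matches(pattern: str, suite: str) -> bool:
    """Exact name first, then a regex covering the whole name (assumed Java matches() semantics)."""
    if pattern == suite:
        return True
    try:
        return re.fullmatch(pattern, suite) is not None
    except re.error:
        return False  # an unparseable pattern selects nothing


def selected_cipher_suites(supported: Iterable[str], include_value: str, exclude_value: str) -> List[str]:
    """Apply includes (in pattern order, setting preference) and then remove any excluded suite."""
    supported = list(supported)
    includes = parse_list(include_value)
    excludes = parse_list(exclude_value)
    if includes:
        selected: List[str] = []
        for pattern in includes:
            for suite in supported:
                if _matches(pattern, suite) and suite not in selected:
                    selected.append(suite)
    else:
        selected = supported
    # Exclusions win over inclusions, so a suite matching both is disabled.
    return [s for s in selected if not any(_matches(p, s) for p in excludes)]


def jvm_flags(exclude_protocols: str, include_suites: str, exclude_suites: str) -> str:
    """Render the three properties as the -D flags passed when starting Management Center."""
    flags = []
    if exclude_protocols:
        flags.append(f"-Dhazelcast.mc.tls.excludeProtocols={exclude_protocols}")
    if include_suites:
        flags.append(f"-Dhazelcast.mc.include.cipher.suites={include_suites}")
    if exclude_suites:
        flags.append(f"-Dhazelcast.mc.exclude.cipher.suites={exclude_suites}")
    return " ".join(flags)


if __name__ == "__main__":
    print("flags:", jvm_flags(PAGE_EXCLUDE_PROTOCOLS, PAGE_INCLUDE_SUITES, PAGE_EXCLUDE_SUITES))
    print("Enabled Protocols", enabled_protocols(JVM_PROTOCOLS, PAGE_EXCLUDE_PROTOCOLS), "of", JVM_PROTOCOLS)
    print("exclude only:  ", selected_cipher_suites(JVM_CIPHER_SUITES, "", PAGE_EXCLUDE_SUITES))
    print("include only:  ", selected_cipher_suites(JVM_CIPHER_SUITES, PAGE_INCLUDE_SUITES, ""))
    print("include+exclude:", selected_cipher_suites(JVM_CIPHER_SUITES, PAGE_INCLUDE_SUITES, PAGE_EXCLUDE_SUITES))
```

Running it with the page's values reproduces the "[TLSv1.2] of [...]" protocol line and shows why the enabled set must be checked rather than assumed: the exclude patterns alone leave only the two ECDHE AEAD suites in the sample list, while combining them with the include pattern ^SSL_.*$ selects nothing at all, because every SSL_-prefixed suite in this sample ends in _SHA or _MD5 and is therefore removed again by the first exclude pattern.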