Configuring TLS

Hazelcast TLS is a security feature that provides encryption and authentication of data transmitted between Hazelcast nodes, preventing unauthorized access and eavesdropping.

Hazelcast TLS uses standard SSL/TLS certificates, which can be obtained from trusted Certificate Authorities (CA) or self-signed. The certificates are used to establish trust between the communicating parties and ensure the authenticity of the communication channel.

See TLS/SSL Basics for more detailed information about the configuration and behavior of TLS in Hazelcast.

Prerequisites for TLS

Before you create and configure TLS, you need to create a Kubernetes secret. The Operator uses the secret to create a truststore and keystore, and it modifies the Hazelcast configuration accordingly.

Example:

kubectl create secret generic example \
  --from-file=tls.crt=example.crt \
  --from-file=tls.key=example.key

ca.crt is optional. You can also provide it to create the truststore:

kubectl create secret generic example \
  --from-file=tls.crt=example.crt \
  --from-file=tls.key=example.key \
  --from-file=ca.crt=ca.crt

If you provide ca.crt, it creates a truststore using it, if you don’t create it, the truststore and keystore will be the same.

The Operator creates the keystore and truststore in PKCS12 format.

The provided tls.key must be unencrypted.

Configuring Hazelcast TLS

Below are the configuration options for the TLS.

Field Description

Field	Description
`secretName`	Specifies the name of Kubernetes TLS secret.
`mutualAuthentication`	Mutual authentication configuration, available values are: `None` (default): The client side of the connection is not authenticated. `Required`: Server forces usage of a trusted client certificate `Optional`: Server asks for a client certificate, but it doesn’t require it

secretName

Specifies the name of Kubernetes TLS secret.

mutualAuthentication

Mutual authentication configuration, available values are:

None (default): The client side of the connection is not authenticated.
Required: Server forces usage of a trusted client certificate
Optional: Server asks for a client certificate, but it doesn’t require it

Example Configuration

The example configuration does the following:

Enables member to member and member-client Hazelcast TLS connections
Enforces mutual TLS authentication for cluster members

Example Hazelcast configuration

apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  clusterSize: 3
  repository: 'docker.io/hazelcast/hazelcast-enterprise'
  licenseKeySecretName: hazelcast-license-key
  tls:
    secretName: example

Example Management Center configuration

apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter
spec:
  repository: 'hazelcast/management-center'
  licenseKeySecretName: hazelcast-license-key
  hazelcastClusters:
  - address: hazelcast
    name: dev
    tls:
      secretName: example

To update TLS certificates, you need to delete and recreate the appropriate custom resource.

Configuring TLS

Prerequisites for TLS

Configuring Hazelcast TLS

Example Configuration

Help and support