Enabling Encryption on the Client Side

Hazelcast Cloud allows you to encrypt traffic between clients and your cluster, using TLS. To provide the best performance, members always use the OpenSSL library. To encrypt traffic on the client side, you must configure the clients to use OpenSSL.

Before you Begin

You must have enabled encryption when you created the cluster. You cannot enable encryption on a cluster that has already been created.

Using OpenSSL in Hazelcast Client

For best performance, you can change the default SSL implementation to OpenSSL in your client application. In order to do it, please perform the following steps.

  1. Make sure OpenSSL is installed on your machine.

  2. Include the OpenSSL dependency in your source code.

    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-tcnative</artifactId>
      <version>2.0.19.Final</version>
      <classifier>linux-x86_64</classifier>
    </dependency>
    <dependency>
      <groupId>io.netty</groupId>
      <artifactId>netty-handler</artifactId>
      <version>4.1.31.Final</version>
    </dependency>
  3. Change the SSL factory name in your application code to com.hazelcast.nio.ssl.OpenSSLEngineFactory and use the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite.

    Properties props = new Properties();
    ...
    props.setProperty("ciphersuites", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256");
    ClientConfig config = new ClientConfig();
    config.getNetworkConfig().setSSLConfig(
      new SSLConfig().setEnabled(true)
        .setFactoryClassName("com.hazelcast.nio.ssl.OpenSSLEngineFactory")
        .setProperties(props)
    );

With such configuration in place, you are able to use OpenSSL for the client-server communication, which ensures the highest encryption performance.