Validating Secrets Using Strength Policy
Hazelcast Enterprise offers a secret validation mechanism including a strength policy. The term "secret" here refers to the symmetric encryption password, salt and other passwords and keys.
For this validation, Hazelcast Enterprise comes with the DefaultSecretStrengthPolicy
class to identify all possible weaknesses of secrets and to display a warning
in the system logger. Note that, by default, no matter how weak the secrets are, the
cluster members still start after logging this warning; however, this is
configurable (see the Enforcing the Secret Strength Policy section).
The following are the requirements (rules) for the secrets:
-
Minimum length of eight characters; and
-
Large keyspace use, ensuring the use of at least three of the following:
-
mixed case
-
alpha
-
numerals
-
special characters
-
no dictionary words
-
The rules "Minimum length of eight characters" and "no dictionary words" can be configured using the following system properties:
hazelcast.security.secret.policy.min.length
: Set the minimum secret
length. The default is 8 characters.
Example:
-Dhazelcast.security.secret.policy.min.length=10
hazelcast.security.dictionary.policy.wordlist.path
: Set the path of a wordlist
available in the file system. The default is /usr/share/dict/words
.
Example:
-Dhazelcast.security.dictionary.policy.wordlist.path=”/Desktop/myWordList”
Using a Custom Secret Strength Policy
You can implement SecretStrengthPolicy to develop your custom strength policy for a more flexible or strict security. After you implement it, you can use the following system property to point to your custom class:
hazelcast.security.secret.strength.default.policy.class
: Set the full name of
the custom class.
Example:
-Dhazelcast.security.secret.strength.default.policy.class=”com.impl.myStrengthPolicy”
Enforcing the Secret Strength Policy
By default, secret strength policy is NOT enforced. This means, if a weak secret is detected, an informative warning is shown in the system logger and the members continue to initialize. However, you can enforce the policy using the following system property so that the members are not started until the weak secret errors are fixed:
hazelcast.security.secret.strength.policy.enforced
: Set to “true” to enforce
the secret strength policy. The default is “false”. To enforce:
-Dhazelcast.security.secret.strength.policy.enforced=true
The following is an example warning when secret strength policy is NOT enforced, i.e., the above system property is set to “false”:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SECURITY WARNING @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SSLConfig property[keyStorePassword] does not meet the current policy and complexity requirements.
*Must contain 8 or more characters.
*Must have at least 1 lower and 1 upper case characters.
*Must have at least 1 alphabetic character.
*Must contain at least 1 special character.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The following is an example warning when secret strength policy is enforced, i.e., the above system property is set to “true”:
WARNING: [10.8.0.10]:5701 [dev] [5.2.5]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SECURITY WARNING @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SSLConfig property[keyStorePassword] does not meet the current policy and complexity requirements.
*Must contain 8 or more characters.
*Must have at least 1 lower and 1 upper case characters.
*Must have at least 1 alphabetic character.
*Must contain at least 1 special character.
SSLConfig property[trustStorePassword] does not meet the current policy and complexity requirements.
*Must contain 8 or more characters.
*Must have at least 1 lower and 1 upper case characters.
*Must have at least 1 alphabetic character.
*Must contain at least 1 special character.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct 10, 2022 11:00:52 AM com.hazelcast.instance.impl.Node
SEVERE: [10.8.0.10]:5701 [dev] [5.2.5] Node creation failed
com.hazelcast.security.WeakSecretException: Weak secrets found in configuration, check output above for more details.
at com.hazelcast.security.impl.WeakSecretsConfigChecker.evaluateAndReport(WeakSecretsConfigChecker.java)
at com.hazelcast.instance.impl.EnterpriseNodeExtension.printBannersBeforeNodeInfo(EnterpriseNodeExtension.java)
at com.hazelcast.instance.impl.DefaultNodeExtension.printNodeInfo(DefaultNodeExtension.java)
at com.hazelcast.instance.impl.Node.<init>(Node.java)
at com.hazelcast.instance.impl.HazelcastInstanceImpl.createNode(HazelcastInstanceImpl.java)
at com.hazelcast.instance.impl.HazelcastInstanceImpl.<init>(HazelcastInstanceImpl.java)
at com.hazelcast.instance.impl.HazelcastInstanceFactory.constructHazelcastInstance(HazelcastInstanceFactory.java)
at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java)
at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java)
at com.hazelcast.core.Hazelcast.newHazelcastInstance(Hazelcast.java)
at com.hazelcast.core.server.HazelcastMemberStarter.main(HazelcastMemberStarter.java)