Security Defaults

6.0-SNAPSHOT 5.5 5.4 5.3 5.2 5.1 5.0

Generally speaking:

  • Hazelcast port 5701 is used for all communication by default. Please see the Port section for different configuration methods, and its attributes.

  • REST API and Memcache interfaces are disabled by default.

  • For all distributions (JAR, ZIP/TAR and cloud distributions), a security overview is shown on the Hazelcast startup (to inform whether the cluster is open to network or just local, which modules are enabled and disabled).

  • When a feature is disabled by default, an instructional message is shown regarding how to enable it.

Hazelcast provides the following security defaults for its different distributions.

If you are using hazelcast.jar:

  • Access to all available network interfaces is enabled since this distribution’s usage is mostly for distributed caching.

  • The Jet engine is disabled, see the Security Overview section for the reasoning.

  • Advanced features such as remote code deployment, SQL and pipelines are disabled.

If you are using Hazelcast download packages (ZIP/TAR):

  • This is a localhost-only setup, and all the features are enabled by default (both for full and slim distributions)

If you are using Hazelcast on Docker and Kubernetes environments:

  • Since these environments don’t allow any access unless specified explicitly, all the features are enabled in the Hazelcast distributions on these cloud environments.

Defaults by distribution type

The table shows which security hardening features are used by default in the given distribution type.

Feature ZIP/TAR Binaries Homebrew/Debian/RPM Maven/JAR Docker

Bind to localhost only

Multicast discovery method disabled

Advanced networking enabled

Jet (and SQL) disabled

Jet resource upload disabled

User code deployment disabled

REST health-check disabled

Management Center scripting disallowed

Management Center access to ConsoleApp disabled

Management Center access from a specific IP only

lifebuoy

Help and support