Validating Secrets Using Strength Policy

6.0-SNAPSHOT 5.5 5.4 5.3 5.2 5.1 5.0

Hazelcast Enterprise Edition offers a secret validation mechanism including a strength policy. The term "secret" here refers to the symmetric encryption password, salt and other passwords and keys.

For this validation, Hazelcast Enterprise Edition comes with the DefaultSecretStrengthPolicy class to identify all possible weaknesses of secrets and to display a warning in the system logger. Note that, by default, no matter how weak the secrets are, the cluster members still start after logging this warning; however, this is configurable (see the Enforcing the Secret Strength Policy section).

The following are the requirements (rules) for the secrets:

  • Minimum length of eight characters; and

  • Large keyspace use, ensuring the use of at least three of the following:

    • mixed case

    • alpha

    • numerals

    • special characters

    • no dictionary words

The rules "Minimum length of eight characters" and "no dictionary words" can be configured using the following system properties:

hazelcast.security.secret.policy.min.length: Set the minimum secret length. The default is 8 characters.

Example:

-Dhazelcast.security.secret.policy.min.length=10

hazelcast.security.dictionary.policy.wordlist.path: Set the path of a wordlist available in the file system. The default is /usr/share/dict/words.

Example:

-Dhazelcast.security.dictionary.policy.wordlist.path=”/Desktop/myWordList”

Using a Custom Secret Strength Policy

You can implement SecretStrengthPolicy to develop your custom strength policy for a more flexible or strict security. After you implement it, you can use the following system property to point to your custom class:

hazelcast.security.secret.strength.default.policy.class: Set the full name of the custom class.

Example:

-Dhazelcast.security.secret.strength.default.policy.class=”com.impl.myStrengthPolicy”

Enforcing the Secret Strength Policy

By default, secret strength policy is NOT enforced. This means, if a weak secret is detected, an informative warning is shown in the system logger and the members continue to initialize. However, you can enforce the policy using the following system property so that the members are not started until the weak secret errors are fixed:

hazelcast.security.secret.strength.policy.enforced: Set to “true” to enforce the secret strength policy. The default is “false”. To enforce:

-Dhazelcast.security.secret.strength.policy.enforced=true

The following is an example warning when secret strength policy is NOT enforced, i.e., the above system property is set to “false”:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SECURITY WARNING @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SSLConfig property[keyStorePassword] does not meet the current policy and complexity requirements.
*Must contain 8 or more characters.
*Must have at least 1 lower and 1 upper case characters.
*Must have at least 1 alphabetic character.
*Must contain at least 1 special character.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

The following is an example warning when secret strength policy is enforced, i.e., the above system property is set to “true”:

WARNING: [10.8.0.10]:5701 [dev] [5.5.2]
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ SECURITY WARNING @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
SSLConfig property[keyStorePassword] does not meet the current policy and complexity requirements.
*Must contain 8 or more characters.
*Must have at least 1 lower and 1 upper case characters.
*Must have at least 1 alphabetic character.
*Must contain at least 1 special character.

SSLConfig property[trustStorePassword] does not meet the current policy and complexity requirements.
*Must contain 8 or more characters.
*Must have at least 1 lower and 1 upper case characters.
*Must have at least 1 alphabetic character.
*Must contain at least 1 special character.

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Oct 10, 2022 11:00:52 AM com.hazelcast.instance.impl.Node
SEVERE: [10.8.0.10]:5701 [dev] [5.5.2] Node creation failed
com.hazelcast.security.WeakSecretException: Weak secrets found in configuration, check output above for more details.
	at com.hazelcast.security.impl.WeakSecretsConfigChecker.evaluateAndReport(WeakSecretsConfigChecker.java)
	at com.hazelcast.instance.impl.EnterpriseNodeExtension.printBannersBeforeNodeInfo(EnterpriseNodeExtension.java)
	at com.hazelcast.instance.impl.DefaultNodeExtension.printNodeInfo(DefaultNodeExtension.java)
	at com.hazelcast.instance.impl.Node.<init>(Node.java)
	at com.hazelcast.instance.impl.HazelcastInstanceImpl.createNode(HazelcastInstanceImpl.java)
	at com.hazelcast.instance.impl.HazelcastInstanceImpl.<init>(HazelcastInstanceImpl.java)
	at com.hazelcast.instance.impl.HazelcastInstanceFactory.constructHazelcastInstance(HazelcastInstanceFactory.java)
	at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java)
	at com.hazelcast.instance.impl.HazelcastInstanceFactory.newHazelcastInstance(HazelcastInstanceFactory.java)
	at com.hazelcast.core.Hazelcast.newHazelcastInstance(Hazelcast.java)
	at com.hazelcast.core.server.HazelcastMemberStarter.main(HazelcastMemberStarter.java)
lifebuoy

Help and support