TLS Authentication
Hazelcast is able to protect network communication using TLS. TLS mutual authentication is also supported, which means that not only does the server side have to identify itself to a client (member, client, REST client, etc.), but the client side also needs to prove its identity by using a TLS (X.509) certificate.
The tls authentication type verifies during Hazelcast authentication
that the incoming connection has already authenticated the client’s TLS certificate.
This authentication type is able to parse a role name (or names) from the client’s certificate
subject DN. The roleAttribute property specifies the attribute name (a part of the Subject’s DN)
to be used as a role name in Hazelcast.
<hazelcast>
<network>
<ssl enabled="true">
<properties>
<property name="mutualAuthentication">REQUIRED</property>
<property name="keyStore">/opt/hazelcast-keystore.p12</property>
<property name="keyStorePassword">secret.123</property>
<property name="trustStore">/opt/hazelcast-truststore.p12</property>
<property name="trustStorePassword">changeit</property>
</properties>
</ssl>
</network>
<security enabled="true">
<realms>
<realm name="tlsRealm">
<authentication>
<tls roleAttribute="cn" />
</authentication>
</realm>
</realms>
<client-authentication realm="tlsRealm"/>
</security>
</hazelcast>hazelcast:
network:
ssl:
enabled: true
properties:
mutualAuthentication: REQUIRED
keyStore: /opt/hazelcast-keystore.p12
keyStorePassword: secret.123
trustStore: /opt/hazelcast-truststore.p12
trustStorePassword: changeit
security:
enabled: true
realms:
- name: tlsRealm
authentication:
tls:
roleAttribute: cn
client-authentication:
realm: tlsRealmThis tls authentication uses cn attribute from the subject DN as the role name.
For example, if the subject DN in the certificate is cn=admin,ou=Devs,o=Hazelcast then the "admin" role name is assigned to the client.
Option Name |
Default Value |
Description |
|
|
Name of an attribute in client certificate’s distinguished name (DN), where the attribute value is used as a Role name. |
