Serving Management Center over HTTPS
Serving Management Center over HTTPS secures communication between Management Center and HTTP clients such as web browsers that are connected to it.
To serve Management Center over HTTPS, you need to enable TLS in the Management Center configuration. This topic explains the options you have for serving Management Center over HTTPS. For a tutorial, see Serve Management Center over HTTPS.
To enable TLS, you need to do the following:
Generate key pairs and a signed certificate. If you are using a self-signed certificate, see Self-Signed Certificates on this page.
If your Hazelcast clusters use mutual authentication, add the signed Management Center certificate to your cluster members' truststores, and restart them. See Mutual Authentication in the Platform documentation.
Start Management Center with the following system properties:
Linux and macOS:

hz-mc start -Dhazelcast.mc.tls.enabled=true \
    -Dhazelcast.mc.tls.keyStore=/path/to/keystore \
    -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword

Windows:

mc-start.cmd -Dhazelcast.mc.tls.enabled=true ^
    -Dhazelcast.mc.tls.keyStore=/path/to/keystore ^
    -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword
To encrypt the keystore/truststore passwords and pass them as command line arguments in encrypted form, see Variable Replacers.
When TLS is enabled, Management Center is served over HTTPS on port 8443 by default.
It’s not always necessary to have certificates signed by a well-known certificate authority. For example, you may want to set up HTTPS on a private network or a staging environment. In this case, you can use a self-signed certificate.
If you want to use a self-signed certificate, do one of the following:
Create the certificate with a Subject Alternative Name that matches the hostname (or IP address) that browsers and cluster members use to reach the machine you deploy Management Center on.
Disable hostname verification by setting the
Otherwise, when the certificate's names do not match the address a member connects to, you may see this exception in the member logs:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 127.0.0.1 found
When using a self-signed certificate, your browser may warn you that the connection is not secure because no trusted authority vouches for the certificate. If so, add the certificate you generated (and only that certificate) to the browser's list of trusted certificates.
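The steps above (generate a key pair and certificate, then start Management Center pointing at the keystore) and the hostname-matching pitfall in the self-signed section can be walked through end to end with OpenSSL. The script below is an added example written for this page; it is not part of the Hazelcast documentation or the Management Center distribution. It assumes `openssl` is on the path, uses placeholder values for the hostname (`mc.example.internal`), IP address (`10.0.0.5`), working directory and keystore password, and assumes that Management Center's JVM accepts a PKCS12 keystore at the `hazelcast.mc.tls.keyStore` path (Java 9 and later load PKCS12 natively; a `keytool` conversion to JKS is shown in a comment for older JVMs). The two `cert_matches_*` functions reproduce the name check a TLS client performs, so you can see before deployment that connecting by `127.0.0.1` would fail against a certificate issued only for the hostname and one IP.

```shell
#!/bin/sh
# Added example (not Hazelcast's code): create a self-signed certificate whose
# Subject Alternative Names cover the hostname AND the IP address that clients
# and cluster members will use, bundle it into a keystore for Management
# Center, and check name matching the way a TLS client would.
# MC_HOST, MC_IP, WORKDIR and KS_PASS are assumed placeholder values.
set -eu

MC_HOST="${MC_HOST:-mc.example.internal}"
MC_IP="${MC_IP:-10.0.0.5}"
WORKDIR="${WORKDIR:-./mc-tls}"
KS_PASS="${KS_PASS:-changeit}"   # use a real secret; see Variable Replacers

# Create private key, certificate and PKCS12 keystore; print the keystore path.
make_mc_keystore() {
  host="$1"; ip="$2"; pw="$3"
  mkdir -p "$WORKDIR"
  # A request config file is the portable way to add SAN entries
  # (works on OpenSSL 1.0.2 and 1.1.x as well as 3.x).
  cat > "$WORKDIR/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_req
prompt             = no
[dn]
CN = $host
[v3_req]
subjectAltName     = DNS:$host,IP:$ip
extendedKeyUsage   = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/mc-key.pem" -out "$WORKDIR/mc-cert.pem" \
    -config "$WORKDIR/san.cnf" 2>/dev/null
  # Key + certificate in one PKCS12 keystore. For a JVM that insists on JKS:
  #   keytool -importkeystore -srckeystore mc-keystore.p12 -srcstoretype PKCS12 \
  #           -destkeystore mc-keystore.jks -deststoretype JKS
  openssl pkcs12 -export -name mc \
    -inkey "$WORKDIR/mc-key.pem" -in "$WORKDIR/mc-cert.pem" \
    -out "$WORKDIR/mc-keystore.p12" -passout "pass:$pw"
  echo "$WORKDIR/mc-keystore.p12"
}

# Exit 0 if a client connecting by DNS name $1 would accept mc-cert.pem.
cert_matches_host() {
  openssl verify -CAfile "$WORKDIR/mc-cert.pem" -verify_hostname "$1" \
    "$WORKDIR/mc-cert.pem" >/dev/null 2>&1
}

# Exit 0 if a client connecting by IP address $1 would accept mc-cert.pem.
cert_matches_ip() {
  openssl verify -CAfile "$WORKDIR/mc-cert.pem" -verify_ip "$1" \
    "$WORKDIR/mc-cert.pem" >/dev/null 2>&1
}

KEYSTORE="$(make_mc_keystore "$MC_HOST" "$MC_IP" "$KS_PASS")"

cert_matches_host "$MC_HOST" && echo "SAN covers DNS:$MC_HOST"
cert_matches_ip "$MC_IP"     && echo "SAN covers IP:$MC_IP"
# Connecting via 127.0.0.1 is what produces the "No subject alternative names
# matching IP address 127.0.0.1" handshake failure: that address is not listed.
cert_matches_ip 127.0.0.1 \
  || echo "127.0.0.1 is NOT covered: connect by $MC_HOST or add it to the SAN"

cat <<EOF
Start Management Center with:
  hz-mc start -Dhazelcast.mc.tls.enabled=true \\
    -Dhazelcast.mc.tls.keyStore=$KEYSTORE \\
    -Dhazelcast.mc.tls.keyStorePassword=$KS_PASS
EOF
```

After Management Center is up, confirm what it actually presents (OpenSSL 1.1.1 or later for `-ext`): `openssl s_client -connect mc.example.internal:8443 -servername mc.example.internal </dev/null 2>/dev/null | openssl x509 -noout -ext subjectAltName`. If the listed names do not include the address your members or browsers connect to, fix the certificate rather than disabling hostname verification, since a client that skips the name check will accept any certificate an on-path attacker presents.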
To override the HTTPS port, use the hazelcast.mc.https.port property when starting Management Center. For example:
Linux and macOS:

hz-mc start -Dhazelcast.mc.tls.enabled=true \
    -Dhazelcast.mc.tls.keyStore=/path/to/keystore \
    -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword \
    -Dhazelcast.mc.https.port=443

Windows:

mc-start.cmd -Dhazelcast.mc.tls.enabled=true ^
    -Dhazelcast.mc.tls.keyStore=/path/to/keystore ^
    -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword ^
    -Dhazelcast.mc.https.port=443
This command starts Management Center on HTTPS port 443. Note that binding a port below 1024 requires elevated privileges on most operating systems; prefer a reverse proxy or port redirection over running Management Center as root.
By default, the HTTP port is disabled when you enable TLS. If you want to
have an open HTTP port that redirects to the HTTPS port, set the
hazelcast.mc.tls.enableHttpPort property to
To make sure that only authenticated HTTP clients such as web browsers or cURL can connect to Management Center, you can enable mutual authentication.
When mutual authentication is enabled, HTTP clients need to present their own TLS certificate to Management Center before they are allowed to connect. You can store trusted clients' TLS certificates in the Management Center truststore so that it can authenticate them.
To enable mutual authentication,
you need to use the