To secure communications to and from Management Center, you can configure it to communicate over TLS/SSL.
Management Center communicates over many channels. To encrypt the data transmitted over those channels using TLS/SSL, do the following:
Serve the Management Center UI over HTTPS by doing one of the following:
Start Management Center from the command line with TLS/SSL enabled. See Serving Management Center over HTTPS.
Deploy Management Center on a TLS/SSL-enabled container.
Install Management Center behind a TLS-enabled reverse proxy.
Make sure your reverse proxy sets the X-Forwarded-Proto HTTP header to HTTPS. Also, make sure that the hazelcast.mc.forwarded.requests.enabled property is set to
If your Hazelcast cluster uses TLS, configure Management Center with the necessary truststore information. You’ll need to configure the truststore, using a client configuration file. See Cluster Connections.
If you’re using Clustered JMX in Management Center, enable TLS/SSL. See Enabling TLS/SSL for Clustered JMX.
If you’re using LDAP authentication, make sure you use LDAPS or enable the Start TLS field. See LDAP Authentication.
If you’re using Active Directory authentication, make sure you use Java’s truststore-related system properties. See Active Directory Authentication.
By default, when you enable TLS on Management Center, it supports every TLS/SSL protocol that the JVM supports.
To exclude specific protocols, set the
property to a comma-separated list of protocols to be excluded. For example, to allow only TLSv1.2, use
the following property when starting Management Center:
After starting Management Center, you should see a line similar to the following in the logs:
2017-06-21 12:35:54.856:INFO:oejus.SslContextFactory:Enabled Protocols [TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]
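One way to check that startup log line automatically, as an added example that is not part of the Hazelcast documentation: it parses each SslContextFactory "Enabled Protocols" line and fails closed when a protocol outside an allowed set is enabled or when no such line is present. The function names, the default allowed set and the second sample log line are assumptions constructed for illustration.

```python
import re

# Protocols this example treats as legacy (an assumed policy, adjust to your baseline).
LEGACY = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches the log line format shown above: Enabled Protocols [enabled] of [supported]
LINE_RE = re.compile(
    r"SslContextFactory:Enabled Protocols \[(?P<enabled>[^\]]*)\] of \[(?P<supported>[^\]]*)\]"
)

# Log line as shown on this page.
PAGE_LOG = ("2017-06-21 12:35:54.856:INFO:oejus.SslContextFactory:Enabled Protocols "
            "[TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]")
# Constructed sample: a start where TLSv1 and TLSv1.1 were not excluded.
WEAK_LOG = ("2017-06-21 12:40:01.102:INFO:oejus.SslContextFactory:Enabled Protocols "
            "[TLSv1, TLSv1.1, TLSv1.2] of [SSLv2Hello, SSLv3, TLSv1, TLSv1.1, TLSv1.2]")


def _split(group):
    """Turn 'A, B, C' into ['A', 'B', 'C'], ignoring empty entries."""
    return [p.strip() for p in group.split(",") if p.strip()]


def audit_enabled_protocols(log_text, allowed=frozenset({"TLSv1.2"})):
    """Return one finding per SslContextFactory line found in log_text."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.search(line)
        if not m:
            continue
        enabled, supported = _split(m["enabled"]), _split(m["supported"])
        findings.append({
            "line": lineno,
            "enabled": enabled,
            "unexpected": sorted(set(enabled) - set(allowed)),
            "legacy_enabled": sorted(set(enabled) & LEGACY),
            "excluded": sorted(set(supported) - set(enabled)),
        })
    return findings


def is_compliant(log_text, allowed=frozenset({"TLSv1.2"})):
    """True only if a protocol line exists and every one lists allowed protocols only."""
    findings = audit_enabled_protocols(log_text, allowed)
    # No matching line may mean TLS is not enabled at all, so fail closed.
    return bool(findings) and all(not f["unexpected"] for f in findings)
```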
When you configure TLS, you can also specify which cipher suites Management Center can use
to establish TLS connections. You can include cipher suites with the
and exclude cipher suites with the
hazelcast.mc.exclude.cipher.suites property on startup. You can either use the exact cipher suite name or a regular expression. For example: