Serving Management Center over HTTPS

Serving Management Center over HTTPS secures communication between Management Center and HTTP clients such as web browsers that are connected to it.

To serve Management Center over HTTPS, you need to enable TLS in the Management Center configuration. This topic explains the options you have for serving Management Center over HTTPS. For a tutorial, see Serve Management Center over HTTPS.

Enabling TLS for Management Center

To enable TLS, you need to do the following:

Generate key pairs and a signed certificate. If you are using a self-signed certificate, see Self-Signed Certificates on this page.
If your Hazelcast clusters use mutual authentication, add the signed Management Center certificate to your cluster members' truststores, and restart them. See Mutual Authentication in the Platform documentation.

Start Management Center with the following system properties:

Linux and Mac
Windows

hz-mc start -Dhazelcast.mc.tls.enabled=true \
     -Dhazelcast.mc.tls.keyStore=/path/to/keystore \
     -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword

mc-start.cmd -Dhazelcast.mc.tls.enabled=true ^
     -Dhazelcast.mc.tls.keyStore=/path/to/keystore ^
     -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword

To encrypt the keystore/truststore passwords and pass them as command line arguments in encrypted form, see Variable Replacers.

When TLS is enabled, you can access Management Center over HTTPS on port 8443: https://localhost:8443.

Self-Signed Certificates

It’s not always necessary to have certificates signed by a well-known certificate authority. For example, you may want to set up HTTPS on a private network or a staging environment. In this case, you can use a self-signed certificate.

If you want to use a self-signed certificate, do one of the following:

Create the certificate with the hostname of the machine you will deploy the Management Center on.
Disable hostname verification by setting the hazelcast.mc.disableHostnameVerification property to true.

Otherwise, you may see this exceptions in the member logs:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException:
No subject alternative names matching IP address 127.0.0.1 found

When using a self-signed certificate, your browser may warn you that the connection is not secure. If so, add your certficate to the browsers list of trusted certificates.

Overrriding the Default HTTPS port

To override the HTTPS port, you can use the hazelcast.mc.https.port property when starting the Management Center. For example:

Linux and Mac
Windows

hz-mc start -Dhazelcast.mc.tls.enabled=true \
     -Dhazelcast.mc.tls.keyStore=/path/to/keystore \
     -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword \
     -Dhazelcast.mc.https.port=443

mc-start.cmd -Dhazelcast.mc.tls.enabled=true ^
     -Dhazelcast.mc.tls.keyStore=/path/to/keystore ^
     -Dhazelcast.mc.tls.keyStorePassword=yourkeystorepassword ^
     -Dhazelcast.mc.https.port=443

This command starts the Management Center on HTTPS port 443.

Redirecting the HTTP Port to HTTPS

By default, the HTTP port is disabled when you enable TLS. If you want to have an open HTTP port that redirects to the HTTPS port, set the hazelcast.mc.tls.enableHttpPort property to true.

Mutual Authentication

To make sure that only authenticated HTTP clients such as web browsers or cURL can connect to Management Center, you can enable mutual authentication.

When mutual authentication is enabled, HTTP clients need to present their own TLS certificate to Management Center before they are allowed to connect. You can store trusted clients' TLS certificates in the Management Center truststore so that it can authenticate them.

To enable mutual authentication, you need to use the hazelcast.mc.tls.mutualAuthentication property.