This is a prerelease version.

Configuring TLS

Hazelcast TLS is a security feature that provides encryption and authentication of data transmitted between Hazelcast nodes, preventing unauthorized access and eavesdropping.

Hazelcast TLS uses standard SSL/TLS certificates, which can be obtained from a trusted Certificate Authority (CA) or be self-signed. The certificates are used to establish trust between the communicating parties and ensure the authenticity of the communication channel.

See TLS/SSL Basics for more detailed information about the configuration and behavior of TLS in Hazelcast.

Prerequisites for TLS

Before you configure TLS, you need to create a Kubernetes TLS secret from your certificate and private key:

kubectl create secret tls example --cert=example.crt --key=example.key
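
A preflight check for the certificate and key before the secret is created, as an added example that is not part of the Hazelcast documentation. The function names are hypothetical, the file and secret names follow the command above, and it assumes `openssl` and `kubectl` are on the PATH and the private key is unencrypted.

```shell
#!/bin/sh
# Added example: preflight checks before creating the TLS secret.
# Function names are hypothetical; file and secret names follow the page.

# Succeeds only when the certificate and private key share one public key.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only when the certificate stays valid for at least $2 more days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Runs both checks, then creates the secret and confirms its type.
create_tls_secret() {
    name=$1 crt=$2 key=$3 min_days=${4:-30}
    cert_matches_key "$crt" "$key" ||
        { echo "private key does not match certificate" >&2; return 1; }
    cert_valid_for_days "$crt" "$min_days" ||
        { echo "certificate expires within $min_days days" >&2; return 1; }
    kubectl create secret tls "$name" --cert="$crt" --key="$key" || return 1
    type=$(kubectl get secret "$name" -o jsonpath='{.type}') || return 1
    [ "$type" = "kubernetes.io/tls" ]
}

# Usage: create_tls_secret example example.crt example.key
```

A certificate that is close to expiry is still accepted by `kubectl create secret tls`, so the expiry check is the part of this preflight that catches a problem before the cluster members start rejecting connections.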

Configuring Hazelcast TLS

The following are the configuration options for TLS.

Field Description

secretName

Specifies the name of the Kubernetes TLS secret.

mutualAuthentication

Mutual authentication configuration. Available values are:

  • None (default): The client side of the connection is not authenticated.

  • Required: The server requires a trusted client certificate.

  • Optional: The server asks for a client certificate but does not require it.

Example Configuration

The example configuration does the following:

  • Enables Hazelcast TLS for member-to-member and member-to-client connections

  • Enforces mutual TLS authentication for cluster members

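Example Hazelcast configuration

apiVersion: hazelcast.com/v1alpha1
kind: Hazelcast
metadata:
  name: hazelcast
spec:
  clusterSize: 3
  repository: ''
  licenseKeySecretName: hazelcast-license-key
  tls:
    secretName: example             # Kubernetes TLS secret created in the prerequisites
    mutualAuthentication: Required  # connecting side must present a trusted certificate
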
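Example Management Center configuration

apiVersion: hazelcast.com/v1alpha1
kind: ManagementCenter
metadata:
  name: managementcenter
spec:
  repository: 'hazelcast/management-center'
  licenseKeySecretName: hazelcast-license-key
  hazelcastClusters:
    - address: hazelcast
      name: dev
      tls:
        secretName: example  # TLS secret used for the connection to the cluster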