Hazelcast Security

Hazelcast is embedded in openLooKeng. When Hazelcast is used in openLooKeng, it is recommended to enable Hazelcast authentication and SSL/TLS channel encryption in order to secure the communication between Hazelcast clients and servers, as well as between the members of each server cluster.

Hazelcast Authentication

Hazelcast supports only Kerberos authentication. Because Hazelcast is used by the state-store module, the state store must be enabled before Hazelcast authentication can be enabled.

When the state store is enabled, add the following configuration to state-store.properties:

hazelcast.kerberos.enable=true
hazelcast.kerberos.login.context.name=Hazelcast
hazelcast.kerberos.service.principal=openlookeng
hazelcast.kerberos.krb5.conf=/etc/krb5.conf
hazelcast.kerberos.auth.login.config=/etc/jaas.conf
Property                                Description
hazelcast.kerberos.enable               Enables Hazelcast authentication. The default value is false.
hazelcast.kerberos.login.context.name   The login context name used to log in to Kerberos.
hazelcast.kerberos.service.principal    The Kerberos service principal name.
hazelcast.kerberos.krb5.conf            The location of the Kerberos configuration file.
hazelcast.kerberos.auth.login.config    The location of the login configuration file used to log in to Kerberos.

The format of the configuration file jaas.conf used to log in to Kerberos is as follows. The user must first create a principal in Kerberos, then configure that principal and its keytab.

Hazelcast {
com.sun.security.auth.module.Krb5LoginModule required
useKeyTab=true
principal="openlookeng"
keyTab="/etc/openlookeng.keytab"
useTicketCache=false
storeKey=true;
};
Property    Description
principal   The principal name used to log in to Kerberos.
keyTab      The location of the keytab that can be used to authenticate the Kerberos principal.

Note

All of the nodes must use the same configuration, including the Kerberos principal and keytab.

Hazelcast SSL/TLS

SSL/TLS is configured in state-store.properties. The same configuration is used on all nodes that use the state store. After SSL/TLS is enabled, nodes on which SSL/TLS has not been configured, or has been configured incorrectly, will not be able to communicate with the other nodes.

To enable SSL/TLS for Hazelcast, do the following:

  1. Generate a Java keystore file. You can create a unique certificate for each node from the fully-qualified host name of that host, build a keystore that contains the public keys of all hosts, and point each node at that keystore. In most cases it is more convenient to create a wildcard certificate, as follows:

    keytool -genkeypair -alias openLooKeng -keyalg EC -keysize 256 -validity 365 -keystore keystore.jks -storepass <password>
        What is your first and last name?
          [Unknown]:  *.example.com
        What is the name of your organizational unit?
          [Unknown]:  
        What is the name of your organization?
          [Unknown]:  
        What is the name of your City or Locality?
          [Unknown]:  
        What is the name of your State or Province?
          [Unknown]:  
        What is the two-letter country code for this unit?
          [Unknown]:  
        Is CN=*.example.com, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown correct?
          [no]:  yes
        
        Enter key password for <openLooKeng>
        	(RETURN if same as keystore password):
    
  2. Distribute the Java keystore file to other nodes.

  3. Enable SSL/TLS for Hazelcast in state-store.properties.

    hazelcast.ssl.enabled=true
    hazelcast.ssl.keystore.path=<keystore path>
    hazelcast.ssl.keystore.password=<keystore password>
    hazelcast.ssl.cipher.suites=<cipher suite list>
    hazelcast.ssl.protocols=<ssl protocol list>
    

    Suggested cipher suite is TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

    Suggested SSL protocol is TLS1.2 or TLS1.3.
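As an added example (not code from openLooKeng or Hazelcast), the following Python script checks a node's state-store.properties and its JAAS file for the consistency the two sections above require: the configured login context must exist in the JAAS file, the Kerberos and keystore settings must be present when the corresponding feature is enabled, only TLS 1.2/1.3 should be listed, and, as the Note requires, the shared settings must be identical across nodes. The file contents, keystore path and password are constructed sample values, and the protocol names are assumed to use the JSSE spelling (TLSv1.2, TLSv1.3).

```python
import re
# Protocol names that should never be enabled; the page recommends TLS 1.2 or TLS 1.3.
WEAK_PROTOCOLS = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"}
KERBEROS_KEYS = ("hazelcast.kerberos.service.principal", "hazelcast.kerberos.krb5.conf",
                 "hazelcast.kerberos.auth.login.config")

def parse_properties(text):
    """Parse Java .properties text (key=value lines, '#' comments) into a dict."""
    lines = (line.strip() for line in text.splitlines())
    return dict(line.partition("=")[::2] for line in lines if line and not line.startswith("#"))

def jaas_contexts(text):
    """Names of the login contexts declared in a JAAS file, e.g. 'Hazelcast { ... };'."""
    return set(re.findall(r"^\s*([\w.]+)\s*\{", text, re.MULTILINE))

def check_hazelcast_security(props, jaas_text):
    """Return the misconfigurations found on one node; an empty list means all checks passed."""
    problems = []
    if props.get("hazelcast.kerberos.enable", "false").lower() == "true":
        ctx = props.get("hazelcast.kerberos.login.context.name")
        if not ctx:
            problems.append("kerberos enabled but hazelcast.kerberos.login.context.name is not set")
        elif ctx not in jaas_contexts(jaas_text):
            problems.append(f"login context '{ctx}' is not declared in the JAAS file")
        problems += [f"{k} is not set" for k in KERBEROS_KEYS if not props.get(k)]
    if props.get("hazelcast.ssl.enabled", "false").lower() == "true":
        for k in ("hazelcast.ssl.keystore.path", "hazelcast.ssl.keystore.password"):
            if not props.get(k):
                problems.append(f"ssl enabled but {k} is not set")
        protocols = [p.strip() for p in props.get("hazelcast.ssl.protocols", "").split(",")]
        problems += [f"weak protocol {p} enabled" for p in protocols if p in WEAK_PROTOCOLS]
    return problems

def differing_keys(node_props, keys=("hazelcast.kerberos.service.principal", "hazelcast.ssl.protocols")):
    """Settings whose value differs between nodes; the Note above requires them to be identical."""
    return sorted(k for k in keys if len({p.get(k) for p in node_props}) > 1)

# Constructed sample input; the keystore path and password are placeholders, not real values.
SAMPLE_PROPERTIES = """hazelcast.kerberos.enable=true
hazelcast.kerberos.login.context.name=Hazelcast
hazelcast.kerberos.service.principal=openlookeng
hazelcast.kerberos.krb5.conf=/etc/krb5.conf
hazelcast.kerberos.auth.login.config=/etc/jaas.conf
hazelcast.ssl.enabled=true
hazelcast.ssl.keystore.path=/etc/openlookeng/keystore.jks
hazelcast.ssl.keystore.password=example-password
hazelcast.ssl.protocols=TLSv1.2,TLSv1.3"""
SAMPLE_JAAS = """Hazelcast {
  com.sun.security.auth.module.Krb5LoginModule required useKeyTab=true principal="openlookeng" keyTab="/etc/openlookeng.keytab" storeKey=true;
};"""
```

The suggested cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 only works with an EC key pair such as the one the keytool command above generates (-keyalg EC); an RSA keystore would need an ECDHE_RSA suite instead.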
