This manual is for an old version of Hazelcast IMDG, use the latest stable version.
Chapter 12. Encryption

Hazelcast allows you to encrypt all socket-level communication among Hazelcast members. Encryption is based on the Java Cryptography Architecture, and both symmetric and asymmetric encryption are supported. In symmetric encryption, each node uses the same key, so the key is shared. Here is a sample configuration for symmetric encryption:

<hazelcast>
    ...
    <network>
        ...
        <!--
            Make sure to set enabled=true
            Make sure this configuration is exactly the same on
            all members
        -->
        <symmetric-encryption enabled="true">
            <!--
               encryption algorithm such as
               DES/ECB/PKCS5Padding,
               PBEWithMD5AndDES,
               Blowfish,
               DESede
            -->
            <algorithm>PBEWithMD5AndDES</algorithm>

            <!-- salt value to use when generating the secret key -->
            <salt>thesalt</salt>

            <!-- pass phrase to use when generating the secret key -->
            <password>thepass</password>

            <!-- iteration count to use when generating the secret key -->
            <iteration-count>19</iteration-count>
        </symmetric-encryption>
    </network>
    ...
</hazelcast>
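
An added example, not part of the Hazelcast manual or code base: a Python check that parses a member's `<symmetric-encryption>` block, flags weak algorithm families, the manual's sample salt and pass phrase, and a low iteration count, and reports settings that differ between members. The weak-algorithm list and the 10,000-iteration threshold are assumed review policy, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

# Assumed review policy for this example; these are not Hazelcast defaults.
WEAK = {"DES": "DES family, 64-bit block", "BLOWFISH": "64-bit block",
        "MD5": "MD5-based key derivation", "ECB": "ECB mode"}
MIN_ITERATIONS = 10_000
MANUAL_VALUES = {"thesalt", "thepass"}  # sample values printed in the manual

def local(tag):
    """Drop an XML namespace prefix such as '{uri}network'."""
    return tag.rsplit("}", 1)[-1]

def symmetric_settings(xml_text):
    """Return the <symmetric-encryption> settings as a dict, or None if absent."""
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) == "symmetric-encryption":
            cfg = {local(c.tag): (c.text or "").strip() for c in el}
            cfg["enabled"] = el.get("enabled", "false").strip().lower()
            return cfg
    return None

def audit(xml_text):
    """List findings for one member's configuration."""
    cfg = symmetric_settings(xml_text)
    if cfg is None or cfg["enabled"] != "true":
        return ["symmetric-encryption is absent or disabled"]
    algo = cfg.get("algorithm", "")
    out = [f"algorithm {algo}: {why}" for tok, why in WEAK.items() if tok in algo.upper()]
    for key in ("salt", "password"):
        if cfg.get(key, "") in MANUAL_VALUES | {""}:
            out.append(f"{key} is empty or copied from the manual")
    count = cfg.get("iteration-count", "")
    if not count.isdigit() or int(count) < MIN_ITERATIONS:
        out.append(f"iteration-count {count!r} is below {MIN_ITERATIONS}")
    return out

def differing_settings(members):
    """Given {member name: XML text}, return the settings that are not identical."""
    parsed = [symmetric_settings(x) or {} for x in members.values()]
    keys = set().union(*parsed)
    return sorted(k for k in keys if len({p.get(k) for p in parsed}) > 1)

# Constructed sample: the symmetric block from the manual, and a drifted copy.
MEMBER_A = """<hazelcast><network><symmetric-encryption enabled="true">
  <algorithm>PBEWithMD5AndDES</algorithm><salt>thesalt</salt>
  <password>thepass</password><iteration-count>19</iteration-count>
</symmetric-encryption></network></hazelcast>"""
MEMBER_B = MEMBER_A.replace(">19<", ">20<")

if __name__ == "__main__":
    print("\n".join(audit(MEMBER_A)))
    print("differs across members:", differing_settings({"a": MEMBER_A, "b": MEMBER_B}))
```
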

In asymmetric encryption, a public and private key pair is used. Data is encrypted with one of these keys and decrypted with the other. Each node must have its own private key and the public keys of the other trusted members. So, for each member, we should do the following:

You should repeat these steps for each trusted member in your cluster. Here is a sample configuration for asymmetric encryption:

<hazelcast>
    ...
    <network>
        ...
        <!--
            Make sure to set enabled=true
        -->
        <asymmetric-encryption enabled="true">
            <!-- encryption algorithm -->
            <algorithm>RSA/NONE/PKCS1PADDING</algorithm>
            <!-- private key password -->
            <keyPassword>thekeypass</keyPassword>
            <!-- private key alias -->
            <keyAlias>member1</keyAlias>
            <!-- key store type -->
            <storeType>JKS</storeType>
            <!-- key store password -->
            <storePassword>thestorepass</storePassword>
            <!-- path to the key store --> 
            <storePath>keystore</storePath>
        </asymmetric-encryption>
    </network>
    ...
</hazelcast>