If multicast is not preferred way of discovery for your environment, then you can configure Hazelcast for full
TCP/IP cluster. As configuration below shows, while
enable
attribute of
multicast
is set to false,
tcp-ip
has to be set to true. For the none-multicast option, all or subset of cluster members' hostnames and/or ip
addresses must be listed. Note that all of the cluster members don't have to be listed there but at least one of
them has to be active in cluster when a new member joins. The tcp-ip tag accepts an attribute called
"conn-timeout-seconds".
The default value is 5. Increasing this value is recommended if you have many IP's listed and members
can not properly build up the cluster.
<hazelcast>
...
<network>
<port auto-increment="true">5701</port>
<join>
<multicast enabled="false">
<multicast-group>224.2.2.3</multicast-group>
<multicast-port>54327</multicast-port>
</multicast>
<tcp-ip enabled="true">
<hostname>machine1</hostname>
<hostname>machine2</hostname>
<hostname>machine3:5799</hostname>
<interface>192.168.1.0-7</interface>
<interface>192.168.1.21</interface>
</tcp-ip>
</join>
...
</network>
...
</hazelcast>
You can also specify which network interfaces that Hazelcast should use. Servers mostly have more than one network interface so you may want to list the valid IPs. Range characters ('*' and '-') can be used for simplicity. So 10.3.10.*, for instance, refers to IPs between 10.3.10.0 and 10.3.10.255. Interface 10.3.10.4-18 refers to IPs between 10.3.10.4 and 10.3.10.18 (4 and 18 included). If network interface configuration is enabled (disabled by default) and if Hazelcast cannot find an matching interface, then it will print a message on console and won't start on that node.
<hazelcast>
...
<network>
....
<interfaces enabled="true">
<interface>10.3.16.*</interface>
<interface>10.3.10.4-18</interface>
<interface>192.168.1.3</interface>
</interfaces>
</network>
...
</hazelcast>
Hazelcast supports EC2 Auto Discovery as of 1.9.4. It is useful when you don't want or can't provide the list of possible IP addresses. Here is a sample configuration: Disable join over multicast and tcp/ip and enable aws. Also provide the credentials. The aws tag accepts an attribute called "conn-timeout-seconds". The default value is 5. Increasing this value is recommended if you have many IP's listed and members can not properly build up the cluster.
<join>
<multicast enabled="false">
<multicast-group>224.2.2.3</multicast-group>
<multicast-port>54327</multicast-port>
</multicast>
<tcp-ip enabled="false">
<interface>192.168.1.2</interface>
</tcp-ip>
<aws enabled="true">
<access-key>my-access-key</access-key>
<secret-key>my-secret-key</secret-key>
<region>us-west-1</region> <!-- optional, default is us-east-1 -->
<host-header>ec2.amazonaws.com</host-header> <!-- optional, default is ec2.amazonaws.com.
If set, region shouldn't be set as it will override this property -->
<security-group-name>hazelcast-sg</security-group-name> <!-- optional -->
<tag-key>type</tag-key> <!-- optional -->
<tag-value>hz-nodes</tag-value> <!-- optional -->
</aws>
</join>
You need to add hazelcast-cloud.jar dependency into your project. Note that it is also bundled inside hazelcast-all.jar. hazelcast-cloud module doesn't depend on any other third party modules.
Imagine that you have 10-node cluster and for some reason the network is divided into two in a way that 4 servers cannot see the other 6. As a result you ended up having two separate clusters; 4-node cluster and 6-node cluster. Members in each sub-cluster are thinking that the other nodes are dead even though they are not. This situation is called Network Partitioning (aka Split-Brain Syndrome).
Since it is a network failure, there is no way to avoid it programatically and your application will run as two separate independent clusters but we should be able answer the following questions: "What will happen after the network failure is fixed and connectivity is restored between these two clusters? Will these two clusters merge into one again? If they do, how are the data conflicts resolved, because you might end up having two different values for the same key in the same map?"
Here is how Hazelcast deals with it:
The oldest member of the cluster checks if there is another cluster with the same group-name and group-password in the network.
If the oldest member founds such cluster, then figures out which cluster should merge to the other.
Each member of the merging cluster will do the followings
pause (HazelcastInstance.getLifecycleService().pause())
take locally owned map entries
close all its network connections (detach from its cluster)
join to the new cluster
send merge request for each its locally owned map entry
resume (HazelcastInstance.getLifecycleService().resume())
So each member of the merging cluster is actually rejoining to the new cluster and sending merge request for each its locally owned map entry.
Q: Which cluster will merge into the other?
A. Smaller cluster will merge into the bigger one. If they have equal number of members then a hashing algorithm determines the merging cluster.
Q. Each cluster may have different versions of the same key in the same map. How is the conflict resolved?
A. Destination cluster will decide how to handle merging entry based on the
MergePolicy
set for that map. There are built-in merge policies such
as
hz.NO_MERGE, hz.ADD_NEW_ENTRY and hz.LATEST_UPDATE
but you can develop
your own merge policy by implementingcom.hazelcast.merge.MergePolicy. You
should register your custom merge policy in the configuration so that Hazelcast can find it
by name.
public interface MergePolicy {
/**
* Returns the value of the entry after the merge
* of entries with the same key. Returning value can be
* You should consider the case where existingEntry is null.
*
* @param mapName name of the map
* @param mergingEntry entry merging into the destination cluster
* @param existingEntry existing entry in the destination cluster
* @return final value of the entry. If returns null then no change on the entry.
*/
Object merge(String mapName, MapEntry mergingEntry, MapEntry existingEntry);
}
Here is how merge policies are registered and specified per map.
<hazelcast>
...
<map name="default">
<backup-count>1</backup-count>
<eviction-policy>NONE</eviction-policy>
<max-size>0</max-size>
<eviction-percentage>25</eviction-percentage>
<!--
While recovering from split-brain (network partitioning),
map entries in the small cluster will merge into the bigger cluster
based on the policy set here. When an entry merge into the
cluster, there might an existing entry with the same key already.
Values of these entries might be different for that same key.
Which value should be set for the key? Conflict is resolved by
the policy set here. Default policy is hz.ADD_NEW_ENTRY
There are built-in merge policies such as
hz.NO_MERGE ; no entry will merge.
hz.ADD_NEW_ENTRY ; entry will be added if the merging entry's key
doesn't exist in the cluster.
hz.HIGHER_HITS ; entry with the higher hits wins.
hz.LATEST_UPDATE ; entry with the latest update wins.
-->
<merge-policy>MY_MERGE_POLICY</merge-policy>
</map>
<merge-policies>
<map-merge-policy name="MY_MERGE_POLICY">
<class-name>com.acme.MyOwnMergePolicy</class-name>
</map-merge-policy>
</merge-policies>
...
</hazelcast>
Hazelcast allows you to use SSL socket communication among all Hazelcast
members. You need to implement com.hazelcast.nio.ssl.SSLContextFactory
and configure SSL section in network configuration.
public class MySSLContextFactory implements SSLContextFactory {
public void init(Properties properties) throws Exception {
}
public SSLContext getSSLContext() {
...
SSLContext sslCtx = SSLContext.getInstance(protocol);
return sslCtx;
}
}
<hazelcast>
...
<network>
...
<ssl enabled="true">
<factory-class-name>com.hazelcast.examples.MySSLContextFactory</factory-class-name>
<properties>
<property name="foo">bar</property>
</properties>
</ssl>
</network>
...
</hazelcast>
Hazelcast provides a default SSLContextFactory; com.hazelcast.nio.ssl.BasicSSLContextFactory which
uses configured keystore to initialize SSLContext. All required is to define keyStore and
keyStorePassword. Also you can set keyManagerAlgorithm (default SunX509),
trustManagerAlgorithm (default SunX509) and protocol (default TLS).
<hazelcast>
...
<network>
...
<ssl enabled="true">
<factory-class-name>com.hazelcast.nio.ssl.BasicSSLContextFactory</factory-class-name>
<properties>
<property name="keyStore">keyStore</property>
<property name="keyStorePassword">keyStorePassword</property>
<property name="keyManagerAlgorithm">SunX509</property>
<property name="trustManagerAlgorithm">SunX509</property>
<property name="protocol">TLS</property>
</properties>
</ssl>
</network>
...
</hazelcast>
You can also set keyStore and keyStorePassword through
javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword system properties.
Note that, you can not use SSL when Hazelcast Encryption is enabled.
Hazelcast allows you to encrypt entire socket level communication among all Hazelcast members. Encryption is based on Java Cryptography Architecture and both symmetric and asymmetric encryption are supported. In symmetric encryption, each node uses the same key, so the key is shared. Here is a sample configuration for symmetric encryption:
<hazelcast>
...
<network>
...
<!--
Make sure to set enabled=true
Make sure this configuration is exactly the same on
all members
-->
<symmetric-encryption enabled="true">
<!--
encryption algorithm such as
DES/ECB/PKCS5Padding,
PBEWithMD5AndDES,
Blowfish,
DESede
-->
<algorithm>PBEWithMD5AndDES</algorithm>
<!-- salt value to use when generating the secret key -->
<salt>thesalt</salt>
<!-- pass phrase to use when generating the secret key -->
<password>thepass</password>
<!-- iteration count to use when generating the secret key -->
<iteration-count>19</iteration-count>
</symmetric-encryption>
</network>
...
</hazelcast>
In asymmetric encryption, public and private key pair is used. Data is encrypted with one of these keys and decrypted with the other. The idea is that each node has to have its own private key and other trusted members' public key. So that means, for each member, we should do the followings:
Pick a unique name for the member. We will use the name as the key alias. Let's name them as member1, member2...memberN.
Generate the keystore and the private key for the member1.
keytool -genkey -alias member1 -keyalg RSA -keypass thekeypass -keystore keystore -storetype
JKS
Remember all the parameters you used here because you will need this information when
you configure asymmetric-encryption in your hazelcast.xml file.
Create a public certificate file so that we can add it to the other members' keystore
keytool -export -alias member1 -keypass thekeypass -storepass thestorepass -keystore keystore
-rfc -file member1.cer
Now take all the other members' public certificates, and add (import) them into member1's keystore
keytool -import -alias member2 -file member2.cer -keystore keystore -storepass thestorepass keytool -import -alias member3 -file member3.cer -keystore keystore -storepass thestorepass ... keytool -import -alias memberN -file memberN.cer -keystore keystore -storepass thestorepass
You should repeat these steps for each trusted member in your cluster. Here is a sample configuration for asymmetric encryption:
<hazelcast>
...
<network>
...
<!--
Make sure to set enabled=true
-->
<asymmetric-encryption enabled="true">
<!-- encryption algorithm -->
<algorithm>RSA/NONE/PKCS1PADDING</algorithm>
<!-- private key password -->
<keyPassword>thekeypass</keyPassword>
<!-- private key alias -->
<keyAlias>member1</keyAlias>
<!-- key store type -->
<storeType>JKS</storeType>
<!-- key store password -->
<storePassword>thestorepass</storePassword>
<!-- path to the key store -->
<storePath>keystore</storePath>
</asymmetric-encryption>
</network>
...
</hazelcast>
Hazelcast allows you to intercept socket connections before a node joins to cluster or a client connects to a node.
This provides ability to add custom hooks to join/connection procedure (like identity checking using Kerberos, etc.).
You should implement com.hazelcast.nio.MemberSocketInterceptor for members and
com.hazelcast.nio.SocketInterceptor for clients.
public class MySocketInterceptor implements MemberSocketInterceptor {
public void init(SocketInterceptorConfig socketInterceptorConfig) {
// initialize interceptor
}
void onConnect(Socket connectedSocket) throws IOException {
// do something meaningful when connected
}
public void onAccept(Socket acceptedSocket) throws IOException {
// do something meaningful when accepted a connection
}
}
<hazelcast>
...
<network>
...
<socket-interceptor enabled="true">
<class-name>com.hazelcast.examples.MySocketInterceptor</class-name>
<properties>
<property name="kerberos-host">kerb-host-name</property>
<property name="kerberos-config-file">kerb.conf</property>
</properties>
</socket-interceptor>
</network>
...
</hazelcast>
public class MyClientSocketInterceptor implements SocketInterceptor {
void onConnect(Socket connectedSocket) throws IOException {
// do something meaningful when connected
}
}
ClientConfig clientConfig = new ClientConfig();
clientConfig.setGroupConfig(new GroupConfig("dev","dev-pass")).addAddress("10.10.3.4");
MyClientSocketInterceptor myClientSocketInterceptor = new MyClientSocketInterceptor();
clientConfig.setSocketInterceptor(myClientSocketInterceptor);
HazelcastInstance client = HazelcastClient.newHazelcastClient(clientConfig);
Hazelcast supports IPv6 addresses seamlessly. [IPv6 support has been switched off by default. See note below] All you need is to define IPv6 addresses or interfaces in network configuration. Only limitation at the moment is you can not define wildcard IPv6 addresses in TCP-IP join configuration. Interfaces section does not have this limitation, you can configure wildcard IPv6 interfaces same as IPv4 interfaces.
<hazelcast>
...
<network>
<port auto-increment="true">5701</port>
<join>
<multicast enabled="false">
<multicast-group>FF02:0:0:0:0:0:0:1</multicast-group>
<multicast-port>54327</multicast-port>
</multicast>
<tcp-ip enabled="true">
<member>[fe80::223:6cff:fe93:7c7e]:5701</member>
<interface>192.168.1.0-7</interface>
<interface>192.168.1.*</interface>
<interface>fe80:0:0:0:45c5:47ee:fe15:493a</interface>
</tcp-ip>
</join>
<interfaces enabled="true">
<interface>10.3.16.*</interface>
<interface>10.3.10.4-18</interface>
<interface>fe80:0:0:0:45c5:47ee:fe15:*</interface>
<interface>fe80::223:6cff:fe93:0-5555</interface>
</interfaces>
...
</network>
JVM has two system properties for setting the preferred protocol stack —IPv4 or IPv6— as well as the preferred
address family types —inet4 or inet6. On a dual stack machine IPv6 stack is preferred by default, this can be
changed through java.net.preferIPv4Stack=<true|false> system property. And when querying name
services JVM prefers IPv4 addressed over IPv6 addresses and will return an IPv4 address if possible. This can be
changed through java.net.preferIPv6Addresses=<true|false> system property.
Also see additional details on IPv6 support in Java .
IPv6 support has been switched off by default, since some platforms have issues in use of IPv6 stack. And some other
platforms such as Amazon AWS have no support at all. To enable IPv6 support, just set configuration property
hazelcast.prefer.ipv4.stack to false.
See Configuration Properties.