I have Hazelcast deployed in c/s mode, where I started using UserNamePassword Credentials for authentication, so during the start of server and client, I used username1, password1 as my credentials.
Now, due to security aspects, I want to update the credentials. How do I achieve this without downtime on the server and client side applications?
Answer
Hazelcast doesn’t support client credentials rotation out of the box. It could be resolved incrementally:
- introduce an authentication config (login module stack) which accepts both the old and the new credentials;
- do a rolling restart of all members to activate the new authentication configuration;
- replace credentials in client configurations and restart all clients;
- configure members to accept only the new credentials and do the rolling restart again.
This is a similar scenario to updating TLS certificates in the running cluster. Check it in the Hazelcast reference manual:
https://docs.hazelcast.org/docs/4.1/manual/html-single/index.html#updating-certificates-in-the-running-cluster
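
The ordering of the steps above can be checked with a small model. This is an added example, not part of the original answer and not Hazelcast code: it walks a rotation plan one node at a time and reports the first point at which a member would reject a client. The plan format, the function names and the `username2`/`password2` pair are constructed for illustration, and it assumes any client may connect to any member.

```python
"""Added example: a model of the rotation order, not Hazelcast API code."""
from itertools import product

OLD = ("username1", "password1")          # credentials from the question
NEW = ("username2", "password2")          # constructed replacement credentials


def rolling_states(nodes, new_value):
    """Yield every intermediate state while nodes are updated one at a time."""
    nodes = list(nodes)
    for i in range(len(nodes)):
        nodes[i] = new_value
        yield list(nodes)


def first_rejection(plan, members, clients):
    """Walk a plan; return the first (phase, credential) that some member
    rejects, or None if every client can log in at every intermediate point."""
    for phase, (target, value) in enumerate(plan, start=1):
        current = members if target == "members" else clients
        for state in rolling_states(current, value):
            if target == "members":
                members = state
            else:
                clients = state
            # Assumption: any client may authenticate against any member.
            for accepted, cred in product(members, clients):
                if cred not in accepted:
                    return phase, cred
    return None


# Order given in the answer: widen on members, switch clients, then narrow.
SAFE_PLAN = [
    ("members", frozenset({OLD, NEW})),   # accept both, rolling restart
    ("clients", NEW),                     # clients move to the new credentials
    ("members", frozenset({NEW})),        # accept only new, rolling restart
]
# Same goal without the dual-acceptance phase.
DIRECT_PLAN = [("members", frozenset({NEW})), ("clients", NEW)]
CLIENTS_FIRST_PLAN = [("clients", NEW), ("members", frozenset({NEW}))]


def check(plan, n_members=3, n_clients=4):
    """Start from a cluster where everything uses OLD and run the plan."""
    return first_rejection(plan, [frozenset({OLD})] * n_members, [OLD] * n_clients)


if __name__ == "__main__":
    for name in ("SAFE_PLAN", "DIRECT_PLAN", "CLIENTS_FIRST_PLAN"):
        print(name, "->", check(globals()[name]))
```

The model covers only which credentials are accepted at each intermediate state; client reconnect behaviour while a member is restarting is outside it.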