How does Hazelcast support credentials rotation in c/s mode



I have Hazelcast deployed in c/s mode, where I started using UserNamePassword Credentials for authentication, so during the start of server and client, I used username1, password1 as my credentials.
Now, due to security aspects, I want to update the credentials. How do I achieve this without downtime on the server and client side applications?

Answer

Hazelcast doesn’t support the client credentials rotation out-of-the-box. It could be resolved incrementally:

  1. introduce authentication config (login module stack) which accepts both – old and new credentials;
  2. do a rolling restart of all members to activate the new authentication configuration;
  3. replace credentials in client configurations and restart all clients;
  4. configure members to accept only the new credentials and do the rolling restart again.

This is a similar scenario to updating TLS certificates in the running cluster. Check it in the Hazelcast reference manual:
https://docs.hazelcast.org/docs/4.1/manual/html-single/index.html#updating-certificates-in-the-running-cluster
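
As an illustration of step 1, here is an added example (not part of the original answer and not Hazelcast's own code) of a JAAS login module that accepts the new password and, while it is still configured, the old one. The class name and the option names `username`, `password.new` and `password.old` are hypothetical, and the sketch assumes the member's callback handler answers the standard `NameCallback` and `PasswordCallback`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

// Hypothetical module for the rotation window. It only authenticates and adds
// no principals to the Subject, so role-based authorization is out of scope here.
public class RotatingPasswordLoginModule implements LoginModule {
    private CallbackHandler handler;
    private Map<String, ?> options; // module options from the login module stack

    @Override
    public void initialize(Subject subject, CallbackHandler handler,
                           Map<String, ?> sharedState, Map<String, ?> options) {
        this.handler = handler;
        this.options = options;
    }

    @Override
    public boolean login() throws LoginException {
        NameCallback name = new NameCallback("name");
        PasswordCallback pass = new PasswordCallback("password", false);
        try {
            handler.handle(new Callback[] {name, pass});
        } catch (Exception e) {
            throw new LoginException("cannot read credentials: " + e.getMessage());
        }
        String given = pass.getPassword() == null ? null : new String(pass.getPassword());
        pass.clearPassword();
        // Non-short-circuit & and | so every comparison is always evaluated.
        boolean ok = matches("username", name.getName())
                & (matches("password.new", given) | matches("password.old", given));
        if (!ok) throw new FailedLoginException("invalid credentials");
        return true;
    }

    // An absent or empty option never matches, so dropping "password.old"
    // (step 4) disables the old password without a code change.
    private boolean matches(String option, String given) {
        Object expected = options.get(option);
        if (expected == null || given == null || expected.toString().isEmpty()) return false;
        return MessageDigest.isEqual(expected.toString().getBytes(StandardCharsets.UTF_8),
                given.getBytes(StandardCharsets.UTF_8));
    }

    @Override public boolean commit() { return true; }
    @Override public boolean abort() { return true; }
    @Override public boolean logout() { return true; }
}
```

For step 4, remove the `password.old` option from the member configuration before the second rolling restart.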



Source: stackoverflow