Hyper-Converged Database (HCD) release notes

Version 2.0.6

IBM Passport Advantage part number: M1442EN

Version 2.0.6 is the first public release of 2.0.

HCD 2.0 combines a full rebase to Apache Cassandra 5.0 with additional enterprise capabilities and DataStax enhancements. HCD 2.0 includes all Apache Cassandra® 5.0 features, fixes, performance improvements, and security enhancements. It also continues to provide advanced capabilities in areas such as enterprise security, indexing, vector search, and operations.

This version was released on June 10, 2026 and includes the following items:

New features and enhancements

  • Added Java 17 support.

  • Updated HCD to Cassandra 5. This brings in the following security features:

    • Pre-hashed password support.

    • CIDR / IP allowlist authorizer.

    • Datacenter-level role restrictions.

    • Bulk permission grants.

    • Certificate-based internode authentication.

    • Authentication rate limiting.

    • PEM-based SSL material.

    • Pluggable SSL context creation.

    • Audit logging hardening.

    • Auth cache management.

    • Startup resilience. (HCD-280)

  • Added Dynamic Data Masking (DDM) support. (HCD-322)

  • Added mTLS authentication integration support with externally managed RBAC systems. This enables you to apply role assignments defined in LDAP or OIDC to mTLS-authenticated users. (HCD-154)

  • Upgraded the security plugin library to include Apache Directory version 2.0.0.M27. (HCD-286)

  • Added support for Paxos version 2. To upgrade to Paxos version 2, do the following:

    1. Set paxos_variant: v2 on all nodes in the cluster. You can set this option through JMX, but also write it persistently to the YAML configuration.

    2. Run Paxos repairs regularly as part of your normal incremental repair workflow or on a separate schedule. These operations are inexpensive, so run them frequently, for example, once per hour.

    3. Set paxos_state_purging: repaired on all nodes in the cluster. You can set this option through JMX, but also write it persistently to the YAML configuration. After you set this option, do not restore paxos_state_purging: legacy. If you must disable this setting, set paxos_state_purging: gc_grace instead. You might need to make this change if you must disable Paxos repairs for an extended period. In that case, restore the default commit consistency in your applications to ensure correctness.

You can now safely update applications to use the ANY commit consistency level or, if preferred, LOCAL_QUORUM. Uncontended writes now require two round trips, and uncontended reads typically require one round trip.

Fixed issues

  • Fixed an issue with concurrent repairs and compactions. (HCD-200)

  • Fixed an issue where nodetool --ssl connections failed with hostname verification errors on JDK 17 and later. JDK 17 enabled TLS endpoint identification by default for RMI, which required the connection hostname to match the server certificate’s Subject Alternative Name (SAN). You must now use the exact hostname from the certificate’s SAN when connecting with nodetool --ssl, instead of using an IP address. For example, nodetool --ssl -h HOSTNAME_FROM_CERTIFICATE status. (HCD-290)

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2026 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM