Configure Security

NCache understands the need for any enterprise-level software to have airtight security and, therefore, offers a variety of features to ensure that users don't sacrifice their security for performance. These features include defining access permissions for caches/nodes, encryption, network security, and more.

Authentication and Authorization

NCache offers LDAP-integrated security to secure cache nodes. Once a node is secured, two access levels are defined on that node: one covers management operations as well as cache operations, while the other is limited to cache API access.

Note

All the caches on a secured node are automatically secured.

To get the complete benefit of these access levels, NCache supports two types of LDAP users: Node Administrators (users/groups) and Cache Users (users/groups). Since NCache does not have its own authentication mechanism, all added users are first authenticated against their LDAP credentials. When a registered LDAP user is added to NCache, a validation check is always performed through the domain controller to verify whether this user is registered with the domain. In this scenario, if the connection with the domain controller breaks, validation fails and the user cannot perform any operation.

To avoid this, NCache offers Credential Caching, where the user's credentials are stored in NCache so that an already authenticated user does not have to be re-authenticated during the life of the process. It is disabled by default; enable it by setting the NCacheServer.EnableCredentialCaching tag to True in the Service config file.

Node Administrators

Node Administrators are super-users with complete control over the cache: they can create, modify and remove caches, and perform any other cache management operation. Node Administrators can save or discard previously established security configurations. They also inherit the capabilities of Cache Users, so they can access and interact with caches using the NCache API.

Cache Users

If you want to limit some users to cache API access only, without allowing them to perform any management operations, configure them as Cache Users. A Cache User is restricted to data operations, including Add, Remove, Update and Retrieve, through the relevant APIs only.

If you do not need different access levels for your users and want all of them to perform every type of operation on the cache, there is no need to configure Cache Users, since your Node Administrators already have all the rights to manage and operate the cache.

Homogeneous Security Settings

After establishing security settings for one node, you need to ensure that all the nodes in that cluster have similar security settings on them. The user acting as Node Administrator on one node should be the administrator on all the other nodes in that cluster. Similarly, the user acting as a Cache User on one node should be a Cache User on the rest of the nodes.

If homogeneous security settings are not ensured on all nodes of a cluster, you may encounter various issues while managing and operating the cache.

Note

A secured node as the first node in a cache cluster prevents the addition of unsecured (vulnerable) nodes.

Note

An unsecured (vulnerable) node as the first node in a cache cluster prevents the addition of secured nodes.

Data Encryption

In distributed caching systems, most communication occurs over network channels. Data travels and resides in the cache in serialized form, and anyone eavesdropping on your connection can easily intercept it if it is not encrypted. NCache Data Encryption converts information into ciphertext; only authorized parties (i.e., those holding the appropriate key) can decrypt it and access the original information. NCache supports the AES, 3DES, and AES FIPS encryption algorithms.

Data Encryption Workflow

When you add data to the cache, it is encrypted on the client side using the configured encryption algorithm and encryption key, and the encrypted data is stored in the cache. When the encrypted data is fetched, it is retrieved from the cache and decrypted on the client side before use. This end-to-end approach keeps data protected both in transit and at rest, making NCache a secure solution for caching sensitive information.

Encryption Key Management

Encryption key management in NCache involves securely handling all encryption keys, including the Key Encryption Key (KEK), Data Encryption Key (DEK), and Credentials Encryption Key (CEK), as discussed below.

  • Key Encryption Key (KEK): The Key Encryption Key (KEK), based on AES 256 encryption, secures the Data Encryption Key (DEK) by encrypting it. This key must be configured in the NCache Service configuration file on the server. To ensure consistency and security across all cache servers in a distributed environment, the same Key Encryption Key (KEK) must be used on each server.

  • Data Encryption Key (DEK): The Data Encryption Key (DEK) is responsible for encrypting user data before it is stored in the cache. This DEK is itself encrypted using the KEK. This approach ensures that only authorized tools or processes can retrieve and use encryption keys.

  • Credentials Encryption Key (CEK): NCache encrypts the user credentials stored in the client configuration file (client.ncconf) using a Credential Encryption Key (CEK). This key must be configured in the NCache Service configuration file. Similar to KEK, the same Credentials Encryption Key (CEK) must be used on each server. This ensures consistency and secures client credentials effectively in distributed environments.

How to Add or Change KEK and CEK

You can add or change the KEK and CEK for both the remote client and the cache server as follows:

  • To add or change KEK, update the NCache Service configuration file using the following key-value pair:
<add key="NCacheServer.KeyEncryptionKey" value="[Valid AES 256 KEY]"/>
  • Similarly, to add or change CEK, update the NCache Service configuration file using the following key-value pair:
<add key="NCacheServer.CredentialsEncryptionKey" value="[Valid AES 256 KEY]"/>
Important

The NCache Service will not start unless valid KEK and CEK are provided in the NCache Service configuration file.

By default, the NCache installer adds default keys (predefined encryption keys) to the configuration file. For enhanced security, it is recommended to update the KEK and CEK in the NCache Service configuration file for remote clients or cache servers. After updating the keys, restart the NCache Service and cache processes for the changes to take effect.

Important

The KEK and CEK on a remote client can be different from the server nodes, but all server nodes must use the same KEK and CEK.
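The KEK/DEK hierarchy described above is envelope encryption: a random DEK encrypts cached values, and only the DEK wrapped under the KEK is ever persisted, so a node can read an item only if it holds the same KEK that wrapped the DEK. The following Go program is an added illustration of that mechanism and of why every server node must carry the same NCacheServer.KeyEncryptionKey; it is not NCache's code. It assumes AES-256-GCM as the wrapping and data cipher and derives the 32-byte KEK from the configured string with SHA-256, since the page does not say how NCache parses the configured value.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// sealAESGCM encrypts plaintext under a 32-byte AES-256 key with AES-GCM and
// prepends the random nonce to the output. GCM also authenticates the data,
// so tampering or a wrong key is detected on open instead of yielding garbage.
func sealAESGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openAESGCM reverses sealAESGCM; it fails if the key differs or the data was modified.
func openAESGCM(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob shorter than nonce")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// DeriveKEK turns the operator-supplied KEK value from the service config into a
// 32-byte AES-256 key. Hashing is an assumption of this example: the page does not
// say how NCache parses the configured "[Valid AES 256 KEY]" string.
func DeriveKEK(configured string) []byte {
	sum := sha256.Sum256([]byte(configured))
	return sum[:]
}

// NewWrappedDEK generates a random DEK and returns it together with the DEK
// encrypted ("wrapped") under the KEK; only the wrapped form is persisted.
func NewWrappedDEK(kek []byte) (dek, wrapped []byte, err error) {
	dek = make([]byte, 32)
	if _, err = rand.Read(dek); err != nil {
		return nil, nil, err
	}
	wrapped, err = sealAESGCM(kek, dek)
	return dek, wrapped, err
}

// UnwrapDEK recovers the DEK on a server that holds the KEK. A server configured
// with a different KEK gets an authentication error, which is why every node in
// the cluster must carry the same NCacheServer.KeyEncryptionKey.
func UnwrapDEK(kek, wrapped []byte) ([]byte, error) {
	return openAESGCM(kek, wrapped)
}

// EncryptItem and DecryptItem are the client-side data operations: the cached
// value only ever exists in the cache in encrypted form.
func EncryptItem(dek, value []byte) ([]byte, error)  { return sealAESGCM(dek, value) }
func DecryptItem(dek, sealed []byte) ([]byte, error) { return openAESGCM(dek, sealed) }

func main() {
	kek := DeriveKEK("constructed-cluster-kek") // constructed value, same on every server
	dek, wrapped, err := NewWrappedDEK(kek)
	if err != nil {
		panic(err)
	}
	item, _ := EncryptItem(dek, []byte("session:42 -> user=alice")) // constructed item
	// server 2 shares the KEK, so it can unwrap the stored DEK and serve the item
	dek2, _ := UnwrapDEK(kek, wrapped)
	plain, _ := DecryptItem(dek2, item)
	fmt.Printf("server 2 read: %s\n", plain)
	// a server with a mistyped KEK cannot unwrap the DEK at all
	_, err = UnwrapDEK(DeriveKEK("typo-on-server-3"), wrapped)
	fmt.Println("server 3 unwrap error:", err)
}
```

Because GCM authenticates the wrapped DEK, a KEK mismatch surfaces as a clean decryption failure on the mismatched node rather than as silently corrupted cache data, which is the symptom to look for when a cluster member was installed with the default keys while the others were rotated.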

User Credential Authentication

Using RSA-based cryptographic techniques, NCache secures user credential transmission during authentication. When a management tool or client needs to authenticate, it requests the server's RSA-256 public key. The server generates a fresh public/private key pair for each process's lifecycle. Tools and clients encrypt the user credentials (username and password) with the server's public key before transmitting them, and the server decrypts them with its private key to validate the user. This ensures that credentials remain protected during transmission and are not exposed to interception or misuse.

Key Exchange and Authentication Mechanisms for Management Tools

NCache uses cryptographic key exchange and authentication for management tools such as NCache Management Center and PowerShell, as discussed below.

Key Encryption Key Management

For management tools, the key exchange process involves generating an RSA-256 public/private key pair during the process's lifecycle. The tool shares its public key with the server. The server then encrypts the KEK using this public key and shares the encrypted KEK with the tool. The management tool decrypts the KEK using its private key. This RSA key pair remains valid only for the duration of the tool’s lifecycle, ensuring short-lived and secure exchanges. When User Access Control (UAC) is enabled, only authorized tools and clients are permitted to fetch the KEK from the server.

Credentials Encryption Key Management

The management tools fetch the CEK from the cache server using RSA-based secure key exchange. As with KEK management, the tool generates an RSA-256 public/private key pair during its lifecycle. The public key is shared with the server, which encrypts the CEK using the tool's public key and returns the encrypted CEK to the tool. The management tool then decrypts the CEK using its private key and uses it to encrypt user credentials in the client.ncconf file.

Key Exchange for Clients

Similarly, clients connect to the server and request the CEK using RSA-based secure key exchange. The server encrypts the CEK with the client’s public key, and the client decrypts it using its private key, enabling it to decrypt stored credentials in client.ncconf.
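The credential transmission under User Credential Authentication and the KEK/CEK exchanges above are the same pattern in two directions: a process generates a key pair that lives only as long as the process, hands out the public half, and whatever the peer seals under it can be opened by that process alone. The Go program below is an added example of that pattern, not NCache's implementation. It assumes RSA-OAEP with SHA-256 and a 2048-bit modulus (the page says "RSA-256" without stating a key size), and uses constructed credentials and a constructed 32-byte key in place of a real CEK.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Credentials is what a tool or client sends to the server for LDAP authentication.
type Credentials struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// NewProcessKeyPair generates the RSA key pair that lives only as long as the
// process. The 2048-bit modulus is an assumption of this example.
func NewProcessKeyPair() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// sealForPeer encrypts a short secret under the peer's public key with RSA-OAEP
// (SHA-256). OAEP is randomized, so two encryptions of the same secret differ.
func sealForPeer(pub *rsa.PublicKey, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
}

// openWithOwnKey decrypts a blob that was sealed for this process's public key.
func openWithOwnKey(priv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, sealed, nil)
}

// SendCredentials is the tool/client side of user authentication: after fetching
// the server's public key it encrypts the credentials before they leave the process.
func SendCredentials(serverPub *rsa.PublicKey, c Credentials) ([]byte, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return sealForPeer(serverPub, plain)
}

// ReceiveCredentials is the server side: only the holder of the server's private
// key can recover the username and password to validate them against LDAP.
func ReceiveCredentials(serverPriv *rsa.PrivateKey, sealed []byte) (Credentials, error) {
	var c Credentials
	plain, err := openWithOwnKey(serverPriv, sealed)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(plain, &c)
	return c, err
}

// IssueKey is the server side of the KEK/CEK exchange: given the public key a tool
// or client presented, it returns the symmetric key sealed for that key only.
func IssueKey(symmetricKey []byte, requesterPub *rsa.PublicKey) ([]byte, error) {
	return sealForPeer(requesterPub, symmetricKey)
}

// FetchKey is the requester side: it presents its per-process public key, receives
// the sealed key and opens it with the matching private key.
func FetchKey(self *rsa.PrivateKey, server func(*rsa.PublicKey) ([]byte, error)) ([]byte, error) {
	sealed, err := server(&self.PublicKey)
	if err != nil {
		return nil, err
	}
	return openWithOwnKey(self, sealed)
}

func main() {
	serverKey, _ := NewProcessKeyPair()
	toolKey, _ := NewProcessKeyPair()
	cek := []byte("constructed-32-byte-cek-value-xx") // constructed stand-in for the CEK

	// 1. Tool authenticates: credentials travel only under the server's public key.
	blob, _ := SendCredentials(&serverKey.PublicKey, Credentials{"alice", "s3cret"})
	got, _ := ReceiveCredentials(serverKey, blob)
	fmt.Println("server authenticated:", got.Username)

	// 2. Tool fetches the CEK; the server seals it for the tool's public key.
	key, _ := FetchKey(toolKey, func(pub *rsa.PublicKey) ([]byte, error) { return IssueKey(cek, pub) })
	fmt.Println("tool holds CEK:", string(key) == string(cek))

	// 3. A different process (fresh key pair) cannot open a blob sealed for the tool.
	sealed, _ := IssueKey(cek, &toolKey.PublicKey)
	otherKey, _ := NewProcessKeyPair()
	_, err := openWithOwnKey(otherKey, sealed)
	fmt.Println("other process error:", err)
}
```

The per-process key pair is what limits the blast radius: a captured exchange is useless to anyone who does not hold that process's private key, and the key is gone when the process exits. Note that the exchange as written binds the sealed key to a public key, not to an identity; on the page that gap is closed by UAC, which decides which tools and clients are permitted to request the KEK at all.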

TLS Encryption

NCache's Data Encryption feature secures data in memory and during transmission over the network, but it comes with an additional performance cost. Transport Layer Security (TLS), on the other hand, provides a more comprehensive approach to securing data during network transmission, following industry-standard practices.

Although TLS also has a performance impact, it tends to be less resource-intensive than Data Encryption. This makes it well suited to NCache operations, where data travels over the network in several ways:

  • Between servers and clients
  • Between different servers
  • Between caches and bridges

In NCache, you decide which type of communication to encrypt with TLS as it travels over the network, which gives you complete control over your data security. Typically, traffic over the public internet, such as Bridge communication for geo-replication, is encrypted. For security-sensitive applications, however, you will probably also want to encrypt traffic between clients and servers and between different servers.

TLS Certificate Considerations

When implementing TLS, certificates are stored in either the Personal or the Trusted Root Certificate Authority Store and are available at both the user and local machine levels. Certificates placed at the local machine level are accessible to all users, whereas user-level certificates are limited to specific users.

Additionally, these certificates require validation. For TLS, the client must validate the server's certificate, which means checking that the client trusts the issuing certificate authority. If you're using a publicly recognized certificate issuer, you may not need to install the issuer's certificate in the client's Trusted Root Certificate Authority store. For self-signed or private certificates, however, you must ensure that the issuer's certificate is installed in the Trusted Root Certificate Authority store on the client end to avoid TLS handshake failures.

For mutual TLS between clients and servers, the client must also share its certificate with the server. In this case, the server must trust the client's certificate issuer authority, which the client should place in the server's Trusted Root Certificate Authority store. Similarly, when enabling TLS between servers, the other servers involved in communication must validate each other's certificates.

NCache follows a specific order when searching for certificates on the server box:

  • Local Machine: Trusted Root
  • Local Machine: Personal
  • User: Trusted Root
  • User: Personal

Understanding these considerations will ensure your deployment of NCache TLS encryption goes smoothly.
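What the certificate considerations above boil down to is chain building: the receiving side must be able to chain the presented certificate up to an issuer in its own Trusted Root store, and the name and intended usage must match. The Go program below is an added illustration of those checks and is not part of NCache. It constructs a private CA, issues a server certificate and a client certificate from it, and then runs the validation each side performs during a (mutual) TLS handshake, with an empty certificate pool standing in for a Trusted Root store that lacks the issuer. The names and the ECDSA P-256 keys are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs template with the signer's key (self-signed when parent == nil)
// and parses the result back into a certificate.
func issue(template, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	if parent == nil {
		parent = template
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPrivateCA creates a self-signed issuing authority, like the private or
// self-signed issuer the page describes. Its certificate is what must be placed
// in the peer's Trusted Root Certificate Authority store.
func NewPrivateCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := issue(tmpl, nil, &key.PublicKey, key)
	return cert, key, err
}

// NewLeaf issues a server or client certificate from the CA. usage selects
// x509.ExtKeyUsageServerAuth (a cache server, identified by its DNS name) or
// x509.ExtKeyUsageClientAuth (a client presenting a certificate for mutual TLS).
func NewLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, usage x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     []string{cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{usage},
	}
	return issue(tmpl, ca, &key.PublicKey, caKey)
}

// Validate is what the receiving side does during the handshake: build a chain
// from the presented leaf to a certificate in its trusted-root pool, then check
// the expected name (empty skips the name check, as for a client certificate)
// and the intended usage. A nil error means the peer would be accepted.
func Validate(leaf *x509.Certificate, trustedRoots *x509.CertPool, expectName string, usage x509.ExtKeyUsage) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trustedRoots,
		DNSName:   expectName,
		KeyUsages: []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	ca, caKey, _ := NewPrivateCA("Constructed Internal CA")
	server, _ := NewLeaf(ca, caKey, "cache1.internal.example", x509.ExtKeyUsageServerAuth)
	client, _ := NewLeaf(ca, caKey, "app-client-01", x509.ExtKeyUsageClientAuth)

	withIssuer := x509.NewCertPool() // Trusted Root store that contains the CA
	withIssuer.AddCert(ca)
	withoutIssuer := x509.NewCertPool() // Trusted Root store where it was never installed

	fmt.Println("client trusts issuer:  ", Validate(server, withIssuer, "cache1.internal.example", x509.ExtKeyUsageServerAuth))
	fmt.Println("issuer not installed:  ", Validate(server, withoutIssuer, "cache1.internal.example", x509.ExtKeyUsageServerAuth))
	fmt.Println("server accepts client: ", Validate(client, withIssuer, "", x509.ExtKeyUsageClientAuth))
	fmt.Println("wrong host name:       ", Validate(server, withIssuer, "cache2.internal.example", x509.ExtKeyUsageServerAuth))
}
```

The "issuer not installed" case is the unknown-authority failure behind most TLS handshake errors with private certificates, and it is fixed on the validating side (install the issuer's certificate in that machine's or user's Trusted Root store), not by changing the certificate being presented. For mutual TLS the same check runs in the other direction, which is why the client's issuer must also be trusted on the server.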

HTTPS for NCache Management Center

Like TLS, HTTPS (Hypertext Transfer Protocol Secure) is a widely used protocol for securing communication over a network. Accordingly, NCache supports HTTPS for NCache Management Center on Windows and Linux using TLS certificates.

In This Section

Configure Authentication and Authorization
Explains how to configure security for nodes and caches.

Configure Encryption for Cache
Describes how to enable and configure Encryption for cache.

Configure TLS Encryption
Describes how to enable and configure SSL Encryption for cache in Windows and Linux.

Configure HTTPS for NCache Management Center
Describes how to enable and configure HTTPS for NCache Management Center.
