Configure SSL/TLS Encryption in Linux

Note

This feature is only available in NCache Enterprise Edition.

NCache provides the facility to enable TLS/SSL encryption (using TLS 1.2) over the network to ensure secure data exchange takes place between the server and the authorized client.

Users can hence enable any issued or self-signed SSL certificate to enable connections of the client with the NCache server. This guarantees encrypted data transmission by default. Moreover, NCache provides the flexibility of optionally providing the certificate over the client machine.

Prerequisites

Before issuing a SSL certificate in Linux, the following prerequisites must be considered:

  • The certificate must have a private key. For creating certificates, refer to this blog on Generating Self Signed Certificates.
  • The private key must be exportable, to be exported to all nodes including the client machine.
  • Before enabling SSL security, make sure that:
    • Cache and Client processes have been stopped.
    • NCache Service has been stopped.
    • The certificate is installed in the Root Store.

Certificate Installation (User Level)

The steps below should be followed in order to install the SSL/TLS certificate on a Linux machine.

  • Firstly, you need to login to your machine as the NCache user.

  • Secondly, it should be observed that the NCache Service is running under NCache user on Linux, and this doesn't have a home directory by default. This home directory is required. So, to create it, you should issue the following commands.

sudo mkdir /home/ncache

sudo chown ncache /home/ncache

  • Now, that the home directory has been created, you need to issue some PowerShell commands (as the NCache user) to install the certificate on your machine. These commands were originally typed in .NET and have been converted into PowerShell commands for simplicity in running.

  • .NET Commands

X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser, OpenFlags.ReadWrite);

store.Add(new X509Certificate2(“certificatename.pfx”, “password”, X509KeyStorageFlags.PersistKeySet));
  • Converted PowerShell commands.
$store=[System.Security.Cryptography.X509Certificates.X509Store]::new([System.Security.Cryptography.X509Certificates.StoreName]::Root,[System.Security.Cryptography.X509Certificates.StoreLocation]::CurrentUser,[System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)

$store.Add([System.Security.Cryptography.X509Certificates.X509Certificate2]::new("certificate.pfx","password",[System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet))
Note

In the snippet above, the certificate.pfx is the certificate itself or the path to the certificate and the password is the password of that certificate.

  • The tls.ncconf file contains the configuration settings for the certificates and is placed at %NCHOME/config. A sample configuration has been provided below:
<tls-info>
    <certificate-name>certificate-name</certificate-name>
    <certificate-thumbprint>your-thumbprint</certificate-thumbprint>
    <enabled>False</enabled>
    <require-client-certificate>False</require-client-certificate>
</tls-info>
Note

You can extract the values of the certificate-name and the certificate-thumbprint from the properties of the certificate.pfx file

  • The properties in the above snippet are explained below:

    • certificate-name: Name of the certificate to be enabled for NCache SSL security.

    • certificate-thumbprint: Unique identifier for each certificate.

    • enabled: Boolean value to enable or disable SSL certificate. Enable SSL by setting the value to True.

    • require-client-certificate: Boolean to specify whether the certificate is required at client end or not. Note the following prerequisites for each case:
      RequireClientCertificate = True
      The SSL certificate should exist on both server and client. The value for this property must be True on both server and client.
      RequireClientCertificate = False
      It is not mandatory for the SSL certificate to exist on the client machine; however, the issuer of the SSL certificate must have any other certificate issued on the client in the Trusted Root Certificate Authority. This creates “trust” between the client and server.

Important

Make sure that the configuration values are consistent on all server and client nodes to ensure connectivity and homogeneity of cluster.

  • Once the desired properties are set, restart the Cache and Client processes and the NCache Service. Make sure that NCache Service is running under the same user which was used to import the certificate.

  • Export the certificate (through the standard way of exporting certificates) to all server nodes in the cluster and all client nodes (if client certificate is required) and perform the same steps to enable SSL security on all nodes.

Note

Once the certificates have been enabled, make sure that:

  • NCache Service is running under the same user which was used to import the certificate.
  • All client applications run on 64-bit machines.

Verify Successful Client Connectivity Through TLS

  • In order to verify successful client connectivity through TLS, you can run the Test-Stress cmdlet using the Windows PowerShell Tool. Following example runs Test-Stress on the cache named demoClusterdCache.
Test-Stress -CacheName demoClusterdCache

Troubleshooting

Client connectivity through TLS can be failed due to the following reasons:

  • If NCache Service has different user credentials than the user which was used to import the certificate.

  • Certificate will be invalid if the thumbprint value provided to the CertificateThumbprint property is not correct.

  • If the values of the properties are not same in the client and server machine, you receive an error saying "Decryption Operation Failed".

See Also

Configure SSL/TLS Encryption in Windows
Configure Security for Cache
Configure Security for Client Nodes
Configure Encryption for Cache