Configure SSL/TLS Encryption in Linux
This feature is only available in NCache Enterprise Edition.
NCache can encrypt network traffic between the cache server and authorized clients with TLS/SSL (TLS 1.2), so that data is exchanged securely.
You can therefore use any CA-issued or self-signed SSL certificate to secure client connections to the NCache server; once enabled, all transmitted data is encrypted. Optionally, the certificate can also be provided on the client machine.
Before issuing an SSL certificate in Linux, consider the following prerequisites:
- The certificate must have a private key. For creating certificates, refer to this blog on Generating Self Signed Certificates.
- The private key must be exportable, so that it can be exported to all nodes, including the client machines.
Before enabling SSL security, make sure that:
- Cache and client processes have been stopped.
- NCache service has been stopped.
- The certificate is installed in the Root Store.
Certificate Installation (User Level)
Follow the steps below to install the SSL/TLS certificate on a Linux machine.
First, log in to the machine as the ncache user.
Second, note that on Linux the ncache service runs under the ncache user, which has no home directory by default. This home directory is required, so create it with the following commands:
sudo mkdir /home/ncache
sudo chown ncache /home/ncache
Now that the home directory exists, install the certificate on the machine by running some PowerShell commands as the ncache user. These commands were originally written in .NET and have been converted to PowerShell so they can be run directly.
X509Store store = new X509Store(StoreName.Root, StoreLocation.CurrentUser, OpenFlags.ReadWrite);
store.Add(new X509Certificate2("certificatename.pfx", "password", X509KeyStorageFlags.PersistKeySet));
- Converted PowerShell commands.
In the snippet above, certificatename.pfx is the certificate itself (or the path to the certificate) and password is the password of that certificate.
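The following is an added PowerShell rendering of the .NET snippet above, written for this page; it is not NCache's own command set. It assumes the PFX sits at /home/ncache/certificatename.pfx (a placeholder path), prompts for the password instead of embedding it, and prints the certificate name and thumbprint that tls.ncconf will need. Run it with pwsh as the ncache user.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not the page's own commands. $PfxPath is an assumed location;
# the PFX must carry the private key (see the prerequisites above).
$PfxPath     = "/home/ncache/certificatename.pfx"
$PfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Load the PFX with its key set marked persistent, as the .NET snippet does.
$cert = [X509Certificate2]::new($PfxPath, $PfxPassword, [X509KeyStorageFlags]::PersistKeySet)
if (-not $cert.HasPrivateKey) {
    throw "The PFX at $PfxPath contains no private key; NCache cannot terminate TLS with it."
}

# Open the current user's Root store read-write and add the certificate.
# On Linux, .NET keeps this store under the user's home directory, which is
# why /home/ncache had to exist before this step.
$store = [X509Store]::new([StoreName]::Root, [StoreLocation]::CurrentUser, [OpenFlags]::ReadWrite)
try {
    $store.Add($cert)
} finally {
    $store.Dispose()
}

# Emit the two values that tls.ncconf needs, plus a private-key sanity check.
[pscustomobject]@{
    'certificate-name'       = $cert.GetNameInfo([X509NameType]::SimpleName, $false)
    'certificate-thumbprint' = $cert.Thumbprint
    'HasPrivateKey'          = $cert.HasPrivateKey
}
```

The password is read as a SecureString so it does not end up in shell history or process listings; the thumbprint printed at the end is the value to paste into certificate-thumbprint, and it must match on every node.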
The tls.ncconf file contains the configuration settings for the certificates and is placed at %NCHOME/config. A sample configuration is provided below:
<tls-info>
  <certificate-name>certificate-name</certificate-name>
  <certificate-thumbprint>your-thumbprint</certificate-thumbprint>
  <enabled>False</enabled>
  <require-client-certificate>False</require-client-certificate>
</tls-info>
You can extract the values of certificate-name and certificate-thumbprint from the properties of the certificate.
The properties in the above snippet are explained below:
- certificate-name: Name of the certificate to be enabled for NCache SSL security.
- certificate-thumbprint: Unique identifier of the certificate.
- enabled: Boolean value to enable or disable the SSL certificate. Enable SSL by setting the value to True.
- require-client-certificate: Boolean specifying whether the certificate is required at the client end. Note the following prerequisites for each case:
  - When set to True: the SSL certificate must exist on both server and client, and the value of this property must be True on both server and client.
  - When set to False: it is not mandatory for the SSL certificate to exist on the client machine; however, the issuer of the SSL certificate must have another certificate issued on the client in the Trusted Root Certificate Authority store. This establishes trust between the client and server.
Make sure that the configuration values are consistent on all server and client nodes to ensure connectivity and homogeneity of the cluster.
Once the desired properties are set, restart the cache and client processes and the NCache service. Make sure that the NCache service runs under the same user that was used to import the certificate.
Export the certificate (through the standard way of exporting certificates) to all server nodes in the cluster (and to all client nodes if a client certificate is required) and perform the same steps to enable SSL security on every node.
Once the certificates have been enabled, make sure that:
- The NCache service runs under the same user that was used to import the certificate.
- All client applications run on 64-bit machines.
Verify Successful Client Connectivity Through TLS
- To verify successful client connectivity through TLS, run the Test-Stress cmdlet using the Windows PowerShell tool. The following example runs Test-Stress on the cache named myPartitionedCache.
Test-Stress -CacheName myPartitionedCache
Client connectivity through TLS can fail for the following reasons:
- The NCache service runs under different user credentials than the user that was used to import the certificate.
- The certificate is treated as invalid if the thumbprint value provided for the CertificateThumbprint property is incorrect.
- If the property values differ between the client and server machines, you receive an error saying "Decryption Operation Failed".
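Two of the three failure causes above (a wrong thumbprint, and a certificate imported by a different user than the one running the service) can be checked before restarting the service. The following added diagnostic, written for this page and not part of NCache's tooling, parses a tls.ncconf with the layout shown above, looks the thumbprint up in the Root store of the user running it, and reports whether the certificate and its private key are present and whether certificate-name matches. The config path is an assumption; the sample tls.ncconf content is constructed.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added diagnostic, not NCache's own tooling. Run it as the same user the
# NCache service runs under, so the CurrentUser\Root store it inspects is the
# one the service will see.
function Test-NCacheTlsConfig {
    param([Parameter(Mandatory)][string]$ConfPath)

    [xml]$conf = Get-Content -Path $ConfPath -Raw
    $info = $conf.'tls-info'

    # Normalise the thumbprint: strip spaces/colons that copy-paste often adds.
    $thumb = ($info.'certificate-thumbprint' -replace '[\s:]', '').ToUpperInvariant()

    $result = [ordered]@{
        User          = [Environment]::UserName
        Enabled       = [bool]::Parse($info.enabled)
        Thumbprint    = $thumb
        Found         = $false
        HasPrivateKey = $false
        NameMatches   = $false
        Subject       = $null
    }

    $store = [X509Store]::new([StoreName]::Root, [StoreLocation]::CurrentUser, [OpenFlags]::ReadOnly)
    try {
        # validOnly = $false so an expired or untrusted cert is still reported rather than hidden.
        $found = $store.Certificates.Find([X509FindType]::FindByThumbprint, $thumb, $false)
        if ($found.Count -gt 0) {
            $c = $found[0]
            $result.Found         = $true
            $result.HasPrivateKey = $c.HasPrivateKey
            $result.Subject       = $c.Subject
            $result.NameMatches   = ($c.GetNameInfo([X509NameType]::SimpleName, $false) -eq $info.'certificate-name')
        }
    } finally {
        $store.Dispose()
    }

    [pscustomobject]$result
}

# Constructed sample tls.ncconf written to a temp file so the function can be tried offline.
$sample = @"
<tls-info>
  <certificate-name>ncache-node</certificate-name>
  <certificate-thumbprint>00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33</certificate-thumbprint>
  <enabled>True</enabled>
  <require-client-certificate>False</require-client-certificate>
</tls-info>
"@
$tmp = Join-Path ([IO.Path]::GetTempPath()) 'tls.ncconf.sample'
Set-Content -Path $tmp -Value $sample

# Replace $tmp with your real %NCHOME/config/tls.ncconf path (an assumption on your deployment).
$check = Test-NCacheTlsConfig -ConfPath $tmp
$check

if ($check.Enabled -and -not ($check.Found -and $check.HasPrivateKey)) {
    Write-Warning "TLS is enabled but user '$($check.User)' has no certificate with private key for thumbprint $($check.Thumbprint)."
}
```

Run the same script on every server and client node and compare the Thumbprint and Enabled columns: a node whose values differ is the one that will produce the "Decryption Operation Failed" error, and a node where Found is false under the service user is the one whose import was done as the wrong account.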