Configure SSL/TLS Encryption in Windows and Linux

TLS delivers network security with a lower performance overhead than NCache Data Encryption. It is essential for NCache activities that exchange data between servers and clients, between servers, between caches, and across bridges. You can enable TLS selectively to secure only the data transfers you need. Read more about how it works here. Understanding the considerations below will help your deployment of NCache TLS encryption go smoothly.

Note

Make sure the cache and client processes are stopped before proceeding with the following.

How to Configure TLS Encryption

NCache can retrieve the authentication certificate from two store types on both server and client machines: the Personal store and the Trusted Root (TR) store, each of which exists at Local Machine level and at Current User level. Certificates placed in a Local Machine store are accessible to all users on that machine, while those in a Current User store are accessible only to that user, so NCache can use them only if it runs as that particular user. This gives four specific stores from which NCache can retrieve the authentication certificate:

  • Trusted Root: Local Machine
  • Trusted Root: Current User
  • Personal: Local Machine
  • Personal: Current User
Note

Place the authentication certificate at machine level to avoid any access restrictions.

Note

From 5.3 SP5 onwards, clients and servers can have different certificates.

When the server starts, it looks up the certificate whose thumbprint is stored in the registry. It checks the four stores above in order: Trusted Root of Local Machine, Trusted Root of Current User, Personal of Local Machine, then Personal of Current User, and uses the first matching certificate it finds. It then presents this certificate to the client to establish secure communication, so the server always obtains its authentication certificate from the available stores at startup. The client follows the same process to select its own certificate and presents it to the server for authentication.

In the case of mutual TLS, the client must also share its certificate with the server. For the server to accept the client’s certificate, it must trust the client’s certificate issuer, which is stored in the server's Trusted Root Certificate Authority store.

To configure TLS Encryption, follow the steps for your platform below.

Windows

The steps below should be followed in order to install the TLS certificate on a Windows machine.

Step-1: Login to your machine.
Step-2: Create (you can create a self-signed certificate as detailed here) or obtain a TLS certificate that includes an exportable private key.

Important
  • Your certificate must be authorized by a Certificate Authority (CA). To reflect this in your configuration, make sure that the Basic Constraints extension in the Certificate Details specifies Subject Type=CA. When generating a self-signed certificate with New-SelfSignedCertificate, you can achieve this by passing the -TextExtension parameter with the value @("2.5.29.19={text}CA=true").
  • We do not recommend using self-generated certificates in production environments; they are acceptable in testing environments.

Step-3: Import your certificate to the appropriate machine as detailed here.
Step-4: Press Win + R, type mmc, and press Enter.


Step-5: In Microsoft Management Console (MMC), in the File menu, click Add or Remove Snap-ins. Select Certificates from the list of available snap-ins and click the Add button.


Step-6: Choose the account type from My user account, Service account, and Computer account. Pick My user account or Computer account (local machine) depending on where you placed your certificate.


Step-7: In the left pane of MMC, expand Certificates and navigate Current User > Personal > Certificates to locate the TLS certificate that lists Client Authentication as an Intended Purpose and double-click. To learn about the certificate placement, refer to Considerations for Certificate Placement.


Step-8: In the Certificate dialog box, click the Details tab and locate Thumbprint. Click on it and copy the hexadecimal characters from the box. Remove any colons (':') or extra spaces from the thumbprint, if there are any. Save the thumbprint, as it will be required in later steps.


Step-9: Similarly, copy the certificate name (the CN, or Common Name) by clicking on the Subject property and copying only what comes after CN =, in this case "Example". Save the certificate name, as it will be required in later steps.


Step-10: Make sure that the NCache Service is running under the same user that was used to import the certificate.
Step-11: Use the following PowerShell cmdlet to enable TLS security. To learn more about the properties used here, refer to the certificate elements discussed below. When executing the Enable-NCacheTLS command, make sure to specify the respective certificate name and thumbprint for the client and server that were saved in Steps 8 and 9.

Enable-NCacheTLS -Node "20.200.20.39,20.200.20.40" -ServerCertificateCN "MyCert" -ServerCertificateThumbprint "1234567890ABCDEF" -ClientCertificateCN "MyClientCert" -ClientCertificateThumbprint "1234567890EFGHIJKL" -ServerToServerCommunication -ClientServerCommunication -UseMutualTLSForClientToServer True
  • The above command only works if you have NCache installed on your client machine. Otherwise, you must enable TLS manually using the tls.ncconf file available via the NCache NuGet packages on Windows, as follows:
Note

If the ProtocolVersion parameter is not provided in the above command, the default protocol used is TLS 1.2.

<tls-info>
    <server-certificate-cn>certificate-name</server-certificate-cn> 
    <server-certificate-thumbprint>your-thumbprint</server-certificate-thumbprint>
    <client-certificate-cn>certificate-name</client-certificate-cn>
    <client-certificate-thumbprint>your-thumbprint</client-certificate-thumbprint>
    <enable>false</enable>
    <enable-client-server-tls>false</enable-client-server-tls>
    <use-mutual-tls-for-client-to-server>false</use-mutual-tls-for-client-to-server>
    <protocol-version>protocol-version</protocol-version>
</tls-info>
Important

Make sure that the configuration values are consistent on all server and client nodes to ensure connectivity and homogeneity of the cluster.

Step-12: Once the desired properties are set, restart the cache, client processes, and NCache Service. Make sure that the NCache Service is running under the same user that was used to import the certificate.

Linux

The steps below should be followed in order to install the TLS certificate on a Linux machine. Keep in mind that the following steps use Ubuntu and may vary on Fedora, Red Hat, etc.

Step-1: Login to your machine.
Step-2: Create (you can create a self-signed certificate as detailed here) or obtain a TLS certificate that includes an exportable private key.
You can do this by running the following command to create a self-signed certificate using OpenSSL:

openssl req -new -x509 -days 365 -keyout ncachetest-private-key.pem -out ncachetest-certificate.crt

This will create two files: ncachetest-private-key.pem (private key) and ncachetest-certificate.crt (certificate).

Important

We do not recommend using self-generated certificates in your production environments. Although, you can use them in your testing environments.

Step-3: To use TLS in NCache, you need a .pfx file. If you already have a .crt and .pem file, here is how you can create the pfx file:

openssl pkcs12 -export -out ncachetest-certificate.pfx -inkey ncachetest-private-key.pem -in ncachetest-certificate.crt

Step-4: Get the Thumbprint/Fingerprint and Certificate Name by running the following command, and remove any colons (':') or extra spaces from the thumbprint, should there be any. Save both the certificate name and the thumbprint, as they will be required in later steps.

openssl x509 -noout -in ncachetest-certificate.crt -fingerprint -subject | sed 's/://g'

Step-5: Additionally, if UseMutualTLSForClientToServer or UseMutualTLSForServerToServer has been enabled, the certificate must also be installed in the system trust store on the server machines. To do so, proceed with the following:

  • Create a directory to store the certificates that need to be applied system-wide. For example:

    sudo mkdir -p /usr/local/share/ca-certificates/

  • Copy the certificates to this newly created directory.

    sudo cp ncachetest-certificate.crt /usr/local/share/ca-certificates/

  • Update the system's certificate store with the following command:

    sudo update-ca-certificates

Step-6: Now, to use the certificate with NCache, run the following command as the ncache user, since the install-pfxcertificate command deploys the given certificate to the Personal store of the current user only.

/opt/ncache/bin/tools/install-pfxcertificate -filepath "/home/ncache/ncachetest-certificate.pfx" -password "YourPassword"

Step-7: Use the following command line to enable TLS security. To learn more about the properties used here, refer to the certificate elements discussed below. When executing the enable-ncachetls command, make sure to specify the respective certificate name and thumbprint for the client and server that were saved in Step 4 during the installation of their certificates.

/opt/ncache/bin/tools/enable-ncachetls -node "20.200.20.39,20.200.20.40" -servercertificatecn "MyCert" -servercertificatethumbprint "1234567890ABCDEF" -clientcertificatecn "MyClientCert" -clientcertificatethumbprint "1234567890EFGHIJKL" -servertoservercommunication -clientservercommunication -usemutualtlsforclienttoserver true -pfxpath /home/ncache/ncachetest-certificate.pfx -pfxpassword YourPassword
  • The above command is installed with NCache and is unavailable otherwise. If your client machine does not have NCache installed, you must enable TLS manually using the tls.ncconf file available via the NCache NuGet packages and Maven packages.
Note

If the ProtocolVersion parameter is not provided in the above command, the default protocol used is TLS 1.2.

  • However, if you are running a Java application from this machine, you must also provide the pfx-path and pfx-password parameters, which set the PFX file path and PFX file password in the TLS configuration file. For .NET clients the PFX path is set automatically without manual intervention; for Java clients you can also pass the PFX path and password in the command above. The resulting configuration is as follows:
<tls-info>
    <server-certificate-cn>certificate-name</server-certificate-cn> 
    <server-certificate-thumbprint>your-thumbprint</server-certificate-thumbprint>
    <client-certificate-cn>certificate-name</client-certificate-cn>
    <client-certificate-thumbprint>your-thumbprint</client-certificate-thumbprint>
    <enable>false</enable>
    <enable-client-server-tls>false</enable-client-server-tls>
    <use-mutual-tls-for-client-to-server>false</use-mutual-tls-for-client-to-server>
    <protocol-version>protocol-version</protocol-version>
    <!-- Following two parameters are required if you're running Java application from this machine. -->
    <pfx-path>/home/ncache/ncachetest-certificate.pfx</pfx-path>
    <pfx-password>YourPassword</pfx-password>
</tls-info>
Important

Make sure that the configuration values are consistent on all server and client nodes to ensure connectivity and homogeneity of the cluster.

Step-8: Once the desired properties are set, restart the cache, client processes, and NCache Service. Make sure that the NCache Service is running under the same user that was used to import the certificate.
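The output of the openssl command in Step 4 has to be turned into the values enable-ncachetls expects: a thumbprint with no colons or spaces and the bare CN. As an added example (not part of NCache or this page), the parser below does that for both the OpenSSL 3.x and the legacy subject layouts and rejects a digest of the wrong length; the sample output is constructed, and it assumes NCache wants the 40-hex-character SHA-1 thumbprint that Windows displays.

```python
import re

# Constructed sample of what `openssl x509 -noout -fingerprint -subject` prints
# before the page's `sed 's/://g'` strips the colons (OpenSSL 3.x layout).
SAMPLE_OPENSSL_OUTPUT = """sha1 Fingerprint=1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D
subject=C = US, O = Example Org, CN = Example
"""

# Assumption: NCache expects the Windows-style SHA-1 thumbprint, i.e. 40 hex characters.
THUMBPRINT_RE = re.compile(r"^[0-9A-F]{40}$")


def is_ncache_thumbprint(value):
    """True when the value is 40 upper-case hex characters with no colons or spaces."""
    return bool(THUMBPRINT_RE.match(value))


def parse_fingerprint(output):
    """Return the fingerprint in the form enable-ncachetls expects: colons removed, upper-case.
    Rejects digests of the wrong length (for example an accidental -sha256 run)."""
    m = re.search(r"Fingerprint=([0-9A-Fa-f:]+)", output)
    if not m:
        raise ValueError("no 'Fingerprint=' line in openssl output")
    thumb = m.group(1).replace(":", "").strip().upper()
    if not is_ncache_thumbprint(thumb):
        raise ValueError("expected a 40-hex SHA-1 fingerprint, got %r" % thumb)
    return thumb


def parse_cn(output):
    """Extract the CN (Common Name) from the subject line.
    Handles the OpenSSL 3.x 'C = US, CN = Example' layout and the legacy '/C=US/CN=Example' one."""
    m = re.search(r"^subject=\s*(.*)$", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'subject=' line in openssl output")
    subject = m.group(1).strip()
    if subject.startswith("/"):
        parts = subject.lstrip("/").split("/")      # legacy: attributes separated by '/'
    else:
        parts = re.split(r",\s*", subject)          # 3.x: attributes separated by ', '
    for part in parts:
        key, sep, value = part.partition("=")
        if sep and key.strip().upper() == "CN":
            return value.strip()
    raise ValueError("subject has no CN attribute")


def ncache_identity(output):
    """(cn, thumbprint) pair ready for -servercertificatecn / -servercertificatethumbprint."""
    return parse_cn(output), parse_fingerprint(output)


if __name__ == "__main__":
    print(ncache_identity(SAMPLE_OPENSSL_OUTPUT))
```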

Note

Once the certificates have been enabled, make sure that:

  • The NCache Service is running under the same user that was used to import the certificate.
  • All client applications run on 64-bit machines.

Considerations for Certificate Placement

When the Java client is running on a Windows machine, an important consideration arises with regard to certificate management. Specifically, Java does not natively support the use of local machine certificates; rather, it retrieves certificates from the current user. This means that if the client is configured for mutual TLS, both the client's certificate and the associated issuer's certificate must be present in the current user's certificate store. In the scenario where mutual TLS is disabled, the requirement changes. In this case, only the certificate issued by the Certificate Authority (CA) needs to be present in the current user's certificate store.

Note

NCache will utilize the certificates stored in the certificate stores automatically. When started under the correct user account, the NCache Service will automatically identify and use the relevant certificates from the appropriate certificate stores.

Note

You don't need to install the client certificate on Bridge and Server nodes if you don't intend to run a client from them.

Important

For Windows, if you have a bundled certificate (one that contains the root and intermediate certificates), you need to add the certificate to both the Personal and the Trusted Root stores of the local machine. If you have separate Trusted Root and Personal certificates, add them individually, i.e., the Personal certificate to the Personal store and the CA root certificate to the Trusted Root store. The client requires a client certificate, while the server needs only a server certificate. The server does not require a client certificate, but the client's issuer must be in the server's Trusted Root. Similarly, the client must have the server's issuer in its Trusted Root.

Verify Successful Client Connectivity Through TLS

To verify successful client connectivity through TLS, run the Test Stress cmdlet in PowerShell (Windows) or the test-stress tool (Linux). The following examples run Test Stress on the cache named demoCache.

Windows:

Test-Stress -CacheName demoCache

Linux:

/opt/ncache/bin/tools/test-stress -cachename demoCache

You can also verify this using Microsoft Network Monitor: if TLS is enabled, the Protocol Name shown for the PowerShell process while this command runs will be TLS.

Note

UseMutualTLSForClientToServer, EnableBridgeTLS, EnableClientServerTLS, EnableServerToServerTLS, and UseMutualTLSServerToServer will not work if Enable hasn't been set as true, regardless of whether they have individually been enabled.

Troubleshooting

Client connectivity through TLS can fail due to the following reasons:

  • If the registry entries are missing, the connectivity might fail. Make sure that all the entries are made in the registry.
  • If the NCache Service runs under a different user than the one that was used to import the certificate, or if the thumbprint value provided to the CertificateThumbprint property is incorrect, the certificate will be treated as invalid.
  • If the Trusted Root of the client does not have the CA of the server.
  • If UseMutualTLSForClientToServer or UseMutualTLSForServerToServer are true and the Trusted Root of the server does not have the CA of the client or the other server.
  • If the values of the properties are not the same in the client and server machine, you receive an error saying "Decryption Operation Failed".
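The two Important notes above require identical values on every node, and the note under Verify says the dependent flags do nothing unless Enable is true. As an added example (not NCache's own tooling), the linter below checks one node's tls-info block for those mistakes and compares several nodes' blocks for the mismatches that produce "Decryption Operation Failed"; the node configs are constructed, and the "TLS 1.2" value format and the 40-hex SHA-1 thumbprint length are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: the 40-hex SHA-1 thumbprint format that Windows shows.
THUMBPRINT_RE = re.compile(r"^[0-9A-Fa-f]{40}$")
# Flags that have no effect unless <enable> is true (per the note on this page).
DEPENDENT_FLAGS = ("enable-client-server-tls", "use-mutual-tls-for-client-to-server")
# Values that must agree on every node for the cluster and its clients to connect.
MUST_MATCH = ("server-certificate-cn", "server-certificate-thumbprint",
              "client-certificate-cn", "client-certificate-thumbprint",
              "enable", "enable-client-server-tls",
              "use-mutual-tls-for-client-to-server", "protocol-version")

# Constructed sample configs for two nodes; node B was edited by hand and has two mistakes
# (colons left in the thumbprint, different protocol version). "TLS 1.2" is an assumed value.
NODE_A = """<tls-info>
    <server-certificate-cn>MyCert</server-certificate-cn>
    <server-certificate-thumbprint>1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D</server-certificate-thumbprint>
    <client-certificate-cn>MyClientCert</client-certificate-cn>
    <client-certificate-thumbprint>0F1E2D3C4B5A69788796A5B4C3D2E1F001122334</client-certificate-thumbprint>
    <enable>true</enable>
    <enable-client-server-tls>true</enable-client-server-tls>
    <use-mutual-tls-for-client-to-server>true</use-mutual-tls-for-client-to-server>
    <protocol-version>TLS 1.2</protocol-version>
</tls-info>"""
NODE_B = NODE_A.replace("1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D",
                        "1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09:1A:2B:3C:4D"
                        ).replace("TLS 1.2", "TLS 1.3")


def _text(root, tag):
    el = root.find(tag)
    return (el.text or "").strip() if el is not None else ""


def lint_tls_info(xml_text, java_client=False):
    """Return a list of problems in one node's <tls-info> block (empty list means clean)."""
    root = ET.fromstring(xml_text)
    problems = []
    enabled = _text(root, "enable").lower() == "true"
    for flag in DEPENDENT_FLAGS:
        if _text(root, flag).lower() == "true" and not enabled:
            problems.append("<%s> is true but <enable> is false, so it has no effect" % flag)
    for tag in ("server-certificate-thumbprint", "client-certificate-thumbprint"):
        value = _text(root, tag)
        if ":" in value or " " in value:
            problems.append("<%s> still contains colons or spaces" % tag)
        elif enabled and not THUMBPRINT_RE.match(value):
            problems.append("<%s> is not a 40-hex thumbprint: %r" % (tag, value))
    # Java clients additionally need the PFX file location and password in the file.
    if java_client and enabled and not (_text(root, "pfx-path") and _text(root, "pfx-password")):
        problems.append("Java client needs <pfx-path> and <pfx-password>")
    return problems


def check_consistency(node_configs):
    """Compare the values that must match across nodes; a mismatch is the usual cause of
    the 'Decryption Operation Failed' error listed under Troubleshooting."""
    roots = {name: ET.fromstring(xml) for name, xml in node_configs.items()}
    problems = []
    for tag in MUST_MATCH:
        values = {name: _text(root, tag) for name, root in roots.items()}
        if len(set(values.values())) > 1:
            problems.append("<%s> differs across nodes: %s" % (tag, values))
    return problems


if __name__ == "__main__":
    for name, cfg in (("node-a", NODE_A), ("node-b", NODE_B)):
        print(name, lint_tls_info(cfg))
    print(check_consistency({"node-a": NODE_A, "node-b": NODE_B}))
```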

See Also

Configure Security for Cache
Configure Encryption for Cache
