Configure Security for Cache Server Nodes

This page provides comprehensive guidance on setting up authorization and authentication within the NCache Security framework for cache server nodes. It will guide you through establishing LDAP-based authentication for user verification. Moreover, it also explains how to assign users to particular roles and permissions.

Important

All the participant nodes in a cluster should have uniform security settings.

Prerequisites for Using LDAP on Linux

To configure and use LDAP on Linux systems,

  • Ensure you have the required LDAP utilities installed on your system. For installation instructions, please refer to the LDAP documentation.

  • After installing the LDAP Utilities, create a symbolic link for the installed LDAP library. For example, if libldap-2.4.so.2 is installed, run the following command to create the symlink:

    sudo ln -s /usr/lib/x86_64-linux-gnu/libldap_r-2.4.so.2 /usr/lib/x86_64-linux-gnu/libldap.so.2

Secure Cache Server Nodes with NCache Management Center

Security for cache nodes can be configured through the following steps:

Step 1: Configure the Domain Controller

As NCache is supporting LDAP-integrated security, to secure the cache nodes you should have established LDAP domain controller settings. You can configure these settings in NCache through the following steps:

  • Launch the NCache Management Center by browsing to http://localhost:8251 or <server-ip>:8251 on Windows and Linux.
  • Click on Settings Icon to open NCache Management Center Settings.
  • This will open up a Domain Controller Settings page where you will configure the Domain Controller, Port, Search Base, and optionally Secondary Domain Controller (backup domain controller if your primary domain controller fails). If you are using a secure port, please select the Use SSL Port checkbox.
  • Search Base specifies the base DN (Distinguished Name) for searching LDAP entries. It helps narrow down the search scope within the LDAP directory. If you are unsure about the Search Base, it is recommended to consult your LDAP administrator or IT department for an accurate domain name for your LDAP directory's structure.

Domain Info Verified

  • Click on Verify to verify the provided domain controller settings.
  • On clicking verify you will get the following login prompt asking for valid user credentials.

Login Credentials of Verified User

  • After authentication of user credentials, you will get a prompt asking you to save your changes to apply the domain controller settings.

Save Changes on Verification

  • Click on Save to save your domain controller settings.

Step 2: Secure a Cache Node

Once you have established the domain controller settings and saved them, now is time to secure your cache nodes by following the steps given below:

  • Click on Node-Level Security from the left bar.
  • Specify the cache server node IP that you want to configure.
  • Click Fetch Details.

Node Level Security

  • Select the checkbox Enable Security. Now you can add the Users or Groups on which you want to configure these security settings.

Adding Users and Groups

  • Click on Save.

Step 3: Configuring Homogeneous Security Settings

After setting up security settings for one node, a prompt will appear asking you to add similar security settings to other nodes in that cluster by providing their IP addresses. It is required to configure similar security settings on all nodes in a cluster to avoid any problems while using the cache.

  • After adding the IP addresses of all the nodes, click on Save.
  • Upon clicking Save, the same security settings will be applied to all the other nodes in the cluster.

Homogeneous Security Settings

The next time you launch and access the NCache Management Center, you will encounter a login prompt requesting your authorized login credentials. Moreover, these security settings for the server node are also saved in security.ncconf under the <administrators> tag.

Adding Cache Users

The Node Administrator configured on this node has all the rights of the node and the configured caches. But, if you want to create users who have access over cache and not over a node, then you can configure Cache Users on that node. You can configure the Cache User by following the steps given below:

  • Launch the NCache Management Center by browsing to http://localhost:8251 or <server-ip>:8251 on Windows and Linux.
  • In the left navigation bar, click on Clustered Caches or Local Caches, based on your requirement.
  • Against the cache name, click on View Details.

Configuring Cache Security

  • This opens the detailed configuration page for the cache.
  • Scroll down on the same page to find the Advanced Settings (Clustered Cache) tab. Select Security and Encryption, it will open up a page where you can add the Users or Groups to configure as Cache Users.

Adding Cache User

  • Click on Save Changes to successfully add your Cache User.

Authorizing Client Node

Once you have configured security in NCache, applications connecting to these caches are required to provide credentials. These credentials enable the cache to verify the authorized users and grant them the required rights. There are two ways to provide the necessary user credentials which are explained below:

Client-Side Configuration

You can configure security through the client-side configuration if NCache is installed on your client machine, otherwise, you have to configure security programmatically. To configure security on your client machine, you need to specify the User Id and Password of authorized user using the NCache Management Center as explained below.

  • On the View Details page, go to the Client Nodes tab, select the Client Node IP for which the Client Cache is to be enabled.

Client Node Option

  • Click on "..." against the Client Node IP and select Configure Security.

Enable Client Cache Web

  • The following dialog box appears, where you need to enter the User Id and Password.

Authorize user

  • Click OK to save the changes and this will prompt a success notification.

  • To remove the configured credentials, return to this dialog, clear the entered User Id and Password, and click OK to apply the changes.

Upon validation, these credentials are securely stored in an encrypted form within the client.ncconf on the client machine. After successful configuration, all the applications running on this client machine will automatically provide the specified user credentials to the cache for future validations.

Programmatic Configuration via NCache API

However, if NCache is not installed on the machine where your application is running, you can programmatically provide credentials through the NCache API. This programmatic provision of credentials enables you to dynamically set the necessary credentials in your code to ensure secure and authorized cache access.

Using Command Line Interface

NCache also provides a set of PowerShell cmdlets to seamlessly configure and manage security on the cache. You can add users, enable security, disable security, and remove users by using the following:

Adding Node Administrators

Before enabling security on a node, you need to have Node Administrators with full control over node, including cache management and cache API access. You can add a Node Administrator by executing the Add NCacheUserOrGroup which adds the user, 'John Smith' as an NCache admin on the server 20.200.20.40.

Add-NCacheUserOrGroup -Server 20.200.20.40 -AccessLevel Admin -AdminCredentials(Get-Credential john_smith) -UserOrGroupName john_smith -UserOrGroupDN "CN=John Smith,OU=engineers,DC=example,DC=com" -DomainController 20.200.23.100

This command will also prompt you to enable security immediately after adding the Node Administrator, which you can delay by setting the EnableSecurity flag to False. While executing the command please keep in mind that only the local administrator (domain user) of the machine can add the first Node Administrator. Subsequent Node Administrators can be added or removed by the existing Node Administrator.

Note

Please note that in Linux you can add Administrative Groups (sudo, root, wheel, etc) through the NCacheServer.LinuxAdminGroups tag to configure Node Administrators.

Enabling Security

Once you have added a Node Administrator, you can now Enable Security by executing the following:

Enable-NCacheSecurity -Server 20.200.20.40 -AdminCredential(Get-Credential john_smith) -WriteCredentialsToServiceConfig

This will enable security on the node using the provided admin credentials. The WriteCredentialsToServiceConfig switch stores the provided credentials in an encrypted form within the service configuration to start the caches configured with Auto Start Cache on the Service Startup option.

Adding Cache Users

Now you have successfully secured your node along with all the caches configured on it. But, if you want to limit some users' access to cache operations without management privileges, you can Add Cache Users. You can add them by using the similar cmdlet and command line tool as for Node Administrator, by just specifying the AccessLevel cache parameter. You have to specify the cache to which that user should have access using the CacheName parameter. You can add the Cache User by running the following:

Add-NCacheUserOrGroup -Server 20.200.20.40 -AccessLevel Cache -AdminCredentials(Get-Credential john_smith) -UserOrGroupName john_smith -UserOrGroupDN "CN=John Smith,OU=engineers,DC=example,DC=com" -DomainController 20.200.23.100

Removing Users

Along with adding users, Node Administrators also have the right to Remove Users. The following cmdlet removes the administrator user John Smith from the NCache server with the IP address 20.200.20.40:

Remove-NCacheUserOrGroup -Server 20.200.20.40 -AccessLevel Admin -AdminCredentials(Get-Credential john_smith) -UserOrGroupName john_smith -DisableSecurity Yes

It allows you to specify whether to disable security during user removal or not. You can set the DisableSecurity parameter to either Yes or No to control this behavior.

While attempting to remove a user with security enabled, if the targeted user is the last one, the system will prompt you to decide if you also want to disable security, unless the DisableSecurity parameter is used. Choosing to disable security will result in the deletion of the user and deactivation of the security feature. If you choose not to disable security, the system will not remove the last user.

Disabling Security

NCache also provides the option to disable security without removing configured Node Administrators and Cache Users through the following cmdlet and command line tool:

Disable-NCacheSecurity -Server 20.200.20.40 -AdminCredentials(Get-Credential john_smith)

It disables security while retaining the configured user settings.

After you have configured security settings, they will be reflected in the security.ncconf config file shipped at %NCHOME%\config. Refer to the Security Config to learn more about the parameters of security.ncconf.

See Also

Configure Encryption for Cache
Configure SSL/TLS Encryption in NCache