TLS Config (tls.ncconf)

The TLS configuration file contains information regarding the user's TLS settings and the associated TLS certificates. This page details the various tags used in this file and their uses.

Note

If your client machines do not have NCache installed, you can enable TLS using the tls.ncconf file available via the NCache NuGet Package in Windows and Linux.

TLS Config Syntax

The tls configuration file is explained below.

<tls-info>
    <server-certificate-cn>certificate-name</server-certificate-cn> 
    <server-certificate-thumbprint>your-thumbprint</server-certificate-thumbprint>
    <client-certificate-cn>certificate-name</client-certificate-cn>
    <client-certificate-thumbprint>your-thumbprint</client-certificate-thumbprint>
    <enable>false</enable>
    <enable-client-server-tls>false</enable-client-server-tls>
    <enable-bridge-tls>false</enable-bridge-tls>
    <enable-server-to-server-tls>false</enable-server-to-server-tls>
    <use-mutual-tls-for-client-to-server>false</use-mutual-tls-for-client-to-server>
    <use-mutual-tls-for-server-to-server>false</use-mutual-tls-for-server-to-server>
    <protocol-version>tls12</protocol-version>
</tls-info>

Understanding the TLS Config Tags

The following section explains the tags mentioned as part of the file syntax.

  • enable: Allows users to control whether or not they will be able to customize any other setting. Essentially, use-mutual-tls-for-client-to-server, enable-bridge-tls, enable-client-server-tls, enable-server-to-server-tls, and use-mutual-tls-for-server-to-server will not work if this tag hasn't been set as True, regardless of whether they have individually been enabled. By default, it is False.

  • server-certificate-cn: Specifies the name of the TLS certificate to be used for encryption. It provides the unique name associated with the desired TLS certificate for secure communication.

  • server-certificate-thumbprint: Specifies the unique thumbprint of the TLS certificate to ensure its authenticity and integrity. It provides the fingerprint value associated with the desired TLS certificate for secure communication.

  • client-certificate-cn: Specifies the the Common Name (CN) field in a client's TLS certificate used to identify and authenticate the client during mutual TLS connections.

  • client-certificate-thumbprint: It is a unique identifier (a hash) of the client's TLS certificate used to verify and authenticate the client during secure connections

  • enable-client-server-tls: Allows you to enable TLS encryption for communication between client and server nodes. By default, it is False.

  • enable-server-to-server-tls: Allows you to enable TLS encryption for communication between server nodes. By default, it is False.

  • enable-bridge-tls: Allows you to enable TLS encryption for communication between NCache bridge and geographically separate caches. By default, it is False.

  • use-mutual-tls-for-client-to-server: Allows you to enforce the requirement for a valid client TLS certificate. When enabled, client nodes connecting to the server must present a valid TLS certificate for authentication and for that, the certificate's Certificate Authority should exist in the server's Trusted Root. By default, it is False.

  • use-mutual-tls-for-server-to-server: Enforces the requirement for mutual TLS during server-to-server communication within the cluster. When enabled, each server node must present a valid TLS certificate to its peer server for authentication. By default, it is False.

  • protocol-version: Specifies the TLS version (e.g., TLS 1.2, TLS 1.3) that NCache supports to establish secure communication between clients and cache servers.

See Also

Configure Security for Cache
Configure Security for Client Nodes
Configure Encryption for Cache