TLS Config (tls.ncconf)
The TLS configuration file contains information regarding the user's TLS settings and the associated TLS certificates. This page details the various tags used in this file and their purposes.
Note
If your client machines do not have NCache installed, you can enable TLS using the tls.ncconf file available via the NCache NuGet Package in Windows and Linux.
TLS Config Syntax
The TLS configuration file is explained below.
<tls-info>
<server-certificate-cn>certificate-name</server-certificate-cn>
<server-certificate-thumbprint>your-thumbprint</server-certificate-thumbprint>
<client-certificate-cn>certificate-name</client-certificate-cn>
<client-certificate-thumbprint>your-thumbprint</client-certificate-thumbprint>
<enable>false</enable>
<enable-client-server-tls>false</enable-client-server-tls>
<enable-bridge-tls>false</enable-bridge-tls>
<enable-server-to-server-tls>false</enable-server-to-server-tls>
<use-mutual-tls-for-client-to-server>false</use-mutual-tls-for-client-to-server>
<use-mutual-tls-for-server-to-server>false</use-mutual-tls-for-server-to-server>
<protocol-version>tls12</protocol-version>
<!-- Required when running Java clients with TLS. -->
<pfx-path>certificate-path</pfx-path>
<pfx-password>certificate-password</pfx-password>
</tls-info>
Understanding the TLS Config Tags
The following section explains the tags mentioned as part of the file syntax.
enable: Enables or disables TLS encryption globally. If set to
false, TLS is disabled for client-server, server-server, and bridge communication, and other TLS-related settings such as use-mutual-tls-for-client-to-server, enable-bridge-tls, enable-client-server-tls, enable-server-to-server-tls, and use-mutual-tls-for-server-to-server are not applied. If set totrue, NCache applies the configured TLS settings. By default, it isfalse.server-certificate-cn: Specifies the name of the TLS certificate to be used for encryption. It provides the unique name associated with the desired TLS certificate for secure communication.
server-certificate-thumbprint: Specifies the unique thumbprint of the TLS certificate to ensure its authenticity and integrity. It provides the fingerprint value associated with the desired TLS certificate for secure communication.
client-certificate-cn: Specifies the Common Name (CN) field in a client's TLS certificate used to identify and authenticate the client during mutual TLS connections.
client-certificate-thumbprint: It is a unique identifier (a hash) of the client's TLS certificate used to verify and authenticate the client during secure connections.
enable-client-server-tls: Allows you to enable TLS encryption for communication between client and server nodes. By default, it is
false.enable-server-to-server-tls: Allows you to enable TLS encryption for communication between server nodes. By default, it is
false.enable-bridge-tls: Allows you to enable TLS encryption for communication between NCache bridge and geographically separate caches. By default, it is
false.use-mutual-tls-for-client-to-server: Allows you to enforce the requirement for a valid client TLS certificate. When enabled, client nodes connecting to the server must present a valid TLS certificate for authentication, and for that, the certificate's Certificate Authority should exist in the server's Trusted Root. By default, it is
false.use-mutual-tls-for-server-to-server: Enforces the requirement for mutual TLS during server-to-server communication within the cluster. When enabled, each server node must present a valid TLS certificate to its peer server for authentication. By default, it is
false.protocol-version: Specifies the TLS version (e.g., TLS 1.2, TLS 1.3) that NCache supports to establish secure communication between clients and cache servers.
pfx-path: Specifies the path to the PFX certificate file used for TLS communication.
pfx-password: Specifies the password of the PFX certificate file specified in pfx-path.
Note
The pfx-path and pfx-password tags are required when running Java clients with TLS, as the Java client needs the PFX certificate path and password in the TLS configuration.