Docker TLS
NCache supports TLS encryption to secure communication between clients and cache servers, as well as communication between cache servers in a cluster. In a Docker deployment, TLS helps protect cache traffic that is transmitted over the network between containerized NCache components. This page explains how to install certificates inside a running NCache Docker container and enable regular TLS for client-server and server-to-server communication.
Note
TLS in NCache Docker is supported for regular TLS only. Mutual TLS is not supported in the Docker environment.
Prerequisites
Before enabling TLS, make sure that:
- The NCache Docker container is running.
- The server certificate is available as a
.pfxfile. - The root CA certificate is available as a
.crtfile. - You know the password for the certificate file.
- You have the certificate Common Name (CN) and thumbprint, or you can retrieve them during certificate installation.
If the certificate files are on the Docker host machine, copy them into the container:
docker cp certificate.pfx <container-name>:/usr/local/share/ca-certificates/
docker cp certificate.crt <container-name>:/usr/local/share/ca-certificates/
Note
Always place custom certificates in /usr/local/share/ca-certificates/ to ensure they are not overwritten by system updates.
Step 1: Access the Docker Container
To interact with NCache tools, you need to open a shell session directly inside the running container. Run the following command from the Docker host machine to enter the NCache container:
docker exec -it ncache bash
Navigate to the NCache tools directory:
cd /opt/ncache/bin/tools/
Step 2: Install the Server Certificate
In Docker containers, sudo access is not available by default, so certificate installation should be performed using the NCache-provided install-pfxcertificate tool.
Install your server PFX certificate using the install-pfxcertificate tool:
./install-pfxcertificate `
-filepath "/usr/local/share/ca-certificates/certificate.pfx" `
-password "<pfx-password>"
The command returns the certificate Common Name (CN) and thumbprint. Save these values because they are required when enabling TLS.
Example output:
SUCCESS: Installed /usr/local/share/ca-certificates/certificate.pfx into Root store (CurrentUser)
CN=<your-certificate-cn>
THUMBPRINT=<your-thumbprint>
Step 3: Install the Root CA Certificate
Install the Root CA certificate using the same install-pfxcertificate tool:
./install-pfxcertificate `
-filepath "/usr/local/share/ca-certificates/certificate.crt" `
-password "<crt-password>"
Example output:
SUCCESS: Installed /usr/local/share/ca-certificates/certificate.crt into Root store (CurrentUser)
CN=<your-root-ca-cn>
THUMBPRINT=<your-root-ca-thumbprint>
Step 4: Enable TLS
After installing the certificates, use the enable-ncachetls tool to enable TLS. Use the CN and thumbprint returned during server certificate installation.
./enable-ncachetls `
-servercertificatecn "<server-certificate-cn>" `
-servercertificatethumbprint "<server-certificate-thumbprint>" `
-clientcertificatecn "<client-certificate-cn>" `
-clientcertificatethumbprint "<client-certificate-thumbprint>" `
-pfxpath "/usr/local/share/ca-certificates/certificate.pfx" `
-pfxpassword "<pfx-password>" `
-clientservercommunication `
-servertoservercommunication
Note
If you do not specify -protocolversion, NCache uses TLS 1.2 by default.
Step 5: Verify TLS Configuration
Before restarting the service, verify that the TLS settings were written to the NCache TLS configuration file:
cat /opt/ncache/config/tls.ncconf
The file should show TLS as enabled and should include your certificate details:
<tls-info>
<enable>true</enable>
<server-certificate-cn><server-certificate-cn></server-certificate-cn>
<server-certificate-thumbprint><server-certificate-thumbprint></server-certificate-thumbprint>
<client-certificate-cn><client-certificate-cn></client-certificate-cn>
<client-certificate-thumbprint><client-certificate-thumbprint></client-certificate-thumbprint>
<enable-client-server-tls>true</enable-client-server-tls>
<enable-server-to-server-tls>true</enable-server-to-server-tls>
<protocol-version>tls12</protocol-version>
</tls-info>
Note
- Restarting the NCache service and caches is required for the updated TLS configuration to take effect and switch communication to secure streams.
- Since
systemctlis not available in the NCache Docker image, restart the service manually.
Step 6: Restart the NCache Service
After updating TLS settings, restart the NCache daemon inside the container. Find the NCache daemon process using the following command:
ps aux | grep ncache
Look for the process containing Alachisoft.NCache.Daemon, similar to the following:
/opt/ncache/bin/service/Alachisoft.NCache.Daemon start /opt/ncache/
Kill the process using its process ID and start the NCache service again:
kill -9 <process-id>
/opt/ncache/bin/service/Alachisoft.NCache.Daemon start &
Verify that the daemon is running again:
ps aux | grep ncache
You should see Alachisoft.NCache.Daemon listed again with a new process ID.
Step 7: Restart the Cache
After the NCache service is running, restart the cache so it can use the updated TLS configuration:
/opt/ncache/bin/tools/stop-cache demoCache
/opt/ncache/bin/tools/start-cache demoCache
Verify that the cache is running:
/opt/ncache/bin/tools/get-caches
Step 8: Verify TLS in Cache Logs
Check the cache log files to confirm that TLS is active. Log files are located at /opt/ncache/log-files/:
ls -lt /opt/ncache/log-files/
cat /opt/ncache/log-files/demoCache_12-5-2026-9-31-13_192.168.65.6.txt
If TLS is active, the cache log should show entries similar to the following:
secure_connection :True
require_server_certifiate :True
TLS version is Tls12
These log entries confirm that the cache is running with TLS enabled.
See Also
Configure SSL/TLS Encryption
Enable-NCacheTLS
Disable-NCacheTLS
Docker Installation