Security and Encryption in NCache

NCache provides powerful security and encryption features that help ensure that your cache is protected from unauthorized access. It also makes sure that your sensitive application data is secured both in the cache store and during the transmission over a network between your application and the cache servers. And, you can do all this without any code changes.

Here are some of the ways NCache provides security for your cache:

  1. Secured SSL/TLS Connections
  2. Data Encryption by Cache Client
  3. Cache Security: Authentication and Authorization
(Figure: NCache Data Encryption Feature)

All the ways in which NCache provides security are explained below:

Secured Connections to Cache via SSL/TLS

NCache supports "no-code-change", powerful security features to protect your data and network transmission from unauthorized access.

The optionally enabled Transport Layer Security / Secure Sockets Layer (TLS/SSL) encryption secures data exchange between the NCache cache server and the authorized cache client(s). Users can apply any CA-issued or self-signed SSL certificate to client connections, or enable it for component-to-component connections in NCache. This guarantees encrypted transmission on the wire and is a separate mechanism from the client-side data encryption described below.

NCache supports secure (encrypted and authenticated) client-server communication using the TLS 1.2 protocol. This is the same protocol used for HTTPS communication.

To create a TLS (or SSL for earlier versions of NCache) certificate, follow the documentation on Configure SSL/TLS Encryption in NCache.

Data Encryption by Cache Client

If your application deals with confidential and sensitive data that you want to secure and you're using an in-memory distributed cache, you need to ensure that your distributed cache protects this sensitive data from unwanted access through encryption.

NCache provides a rich set of encryption algorithms you can choose from:

  1. 3DES-128
  2. 3DES-192
  3. AES-128
  4. AES-192
  5. AES-256
  6. AES-FIPS 128
  7. AES-FIPS 192
  8. AES-FIPS 256

NCache data encryption and decryption occur inside the NCache client application process. Hence, all data traveling over the network between your application and the cache cluster is already encrypted, and only encrypted data is stored in the cache store. You provide an encryption key, which NCache keeps in encrypted form inside its security configuration files on each cache server. On a successful connection, the key is automatically sent to the client, which holds it only in memory.

You can enable encryption through NCache web manager without any programming effort on your part. Once encryption is enabled, the NCache client automatically starts encrypting your objects before sending them to the cache cluster. And, it automatically decrypts objects fetched from the cache before delivering them to your application.

Cache Security: Authentication and Authorization

NCache provides security with authentication and authorization built into the product. NCache categorizes users into two security levels as follows:

  1. User for Cache Security: These users are authorized to perform cache level operations. This "user" is defined at the cache level and is populated in the cache configuration file.
  2. User for Node Security: These users are authorized to perform any management and configuration related operations on a cluster node. This "user" is defined at cache server level and is populated in the security configuration file.

Authentication

NCache security ensures that only authorized users are granted access, either for cache usage or for administration; all other connections are rejected. The NCache security mechanism works with any LDAP-compliant directory service. When NCache security is enabled, every connection to the cache cluster must first be authenticated against the LDAP directory at the cache server.

You need to provide credentials when establishing a connection to the cache. These credentials include your user name, Distinguished Name (DN), and password. If your credentials cannot be authenticated, your connection request is denied. You specify user credentials in the following places, depending on the security level.

  • Cache Level: For cache level security, LDAP host and admin information can be added to config.ncconf as follows:

    <security enable-security="True">
      <ldap host="yourprimarydomain" port="389"/>
      <ldap-secondary host="yoursecondarydomain" port="389"/>
      <user id="john_smith" dn="CN=John Smith,OU=admin,DC=yourdomain,DC=org"/>
    </security>

    You can also configure cache level security using NCache Web Manager or PowerShell.

    Furthermore, your application authenticates against cache security by passing the user name and password to the GetCache() method. An example of how to call this method with the required user credentials is shown below:

    using Alachisoft.NCache.Client;

    CacheConnectionOptions cacheConnectionOptions = new CacheConnectionOptions();

    // Required Connection Options Here

    // Specify User Credentials to Enable Security Through GetCache API
    cacheConnectionOptions.UserCredentials = new Credentials("john_smith", "password");

    // GetCache authenticates these credentials against the configured LDAP directory
    ICache cache = CacheManager.GetCache("myCache", cacheConnectionOptions);
  • Node Level: For node level security, you can populate security.ncconf with your LDAP primary and secondary hosts, the ports on which these hosts listen for incoming authentication requests, and admin information as follows:

    <cache-security enabled="True">
        <ldap host="yourprimarydomain" port="389"/>
        <ldap-secondary host="yoursecondarydomain" port="389"/>
        <administrators>
            <admin id="john_smith" dn="CN=John Smith,OU=admin,DC=yourdomain,DC=org"/>
        </administrators>
    </cache-security>

    You can also configure security for server nodes using NCache Web Manager or PowerShell.
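The following is an added example, not code from the NCache documentation: it builds on the GetCache() call above but reads the user name and password from environment variables instead of hard-coding them, treats a rejected credential as a connection failure, and confirms the authenticated session with a round-trip. It assumes the cache name "myCache" from the configuration above and that client.ncconf on this machine already lists the cache servers; the environment variable names are this example's own choice.

```csharp
using System;
using Alachisoft.NCache.Client;

// Added example: authenticated connection to a cache with cache-level security enabled.
// Assumes cache "myCache" and that client.ncconf already points at the cache servers.
class SecureCacheConnect
{
    static int Main()
    {
        // Credentials come from the environment (names chosen for this example),
        // so no password is compiled into the application.
        string user = Environment.GetEnvironmentVariable("NCACHE_USER");
        string password = Environment.GetEnvironmentVariable("NCACHE_PASSWORD");
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password))
        {
            Console.Error.WriteLine("NCACHE_USER / NCACHE_PASSWORD are not set");
            return 2;
        }

        var options = new CacheConnectionOptions
        {
            UserCredentials = new Credentials(user, password)
        };

        try
        {
            // GetCache authenticates against the LDAP directory configured on the
            // cache server; a rejected credential surfaces here as an exception.
            using (ICache cache = CacheManager.GetCache("myCache", options))
            {
                const string key = "security-probe";
                cache.Insert(key, "ok");
                string roundTrip = cache.Get<string>(key);
                cache.Remove(key);
                Console.WriteLine(roundTrip == "ok"
                    ? "authenticated and operational"
                    : "unexpected value returned");
                return 0;
            }
        }
        catch (Exception ex)
        {
            // Log the failure reason only; never echo the password.
            Console.Error.WriteLine("Cache connection rejected: " + ex.Message);
            return 1;
        }
    }
}
```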

Authorization

After NCache authenticates a connection to the cache successfully, it checks the NCache configuration files at the cache server to authorize that connection. Once a connection is authenticated against the Active Directory, it is authorized from config.ncconf or security.ncconf, for cache level or node level security respectively.

You can specify authorization information through NCache management tools at the time of enabling security. You can then add additional "users" or "admins" to the security authorization as needed.
