Configure Security
NCache understands the need for any enterprise-level software to have airtight security and, therefore, offers a variety of features to ensure that users don't sacrifice their security for performance. These features include defining access permissions for caches/nodes, encryption, network security, and more.
Authentication and Authorization
NCache offers LDAP-integrated security to secure cache nodes. Once a node is secured, two access levels are defined on that node: one covers management operations as well as other cache operations, while the other is limited to cache API access.
Note
All the caches on a secured node are automatically secured.
To get the full benefit of these access levels, NCache supports two types of LDAP users: Node Administrators (Users/Groups) and Cache Users (Users/Groups). NCache has no authentication mechanism of its own, so all added users are first authenticated against their LDAP credentials. When a registered LDAP user is added to NCache, a validation check is always made through the domain controller to verify whether this user is registered with the domain. Consequently, if the connection with the domain controller breaks, validation fails and the user cannot perform any operation.
To avoid this, NCache offers Credential Caching, where the user's credentials are stored in NCache so that an already authenticated user does not have to be re-authenticated repeatedly during the life of the process. It is enabled by default, and the user can disable it by setting the NCacheServer.EnableCredentialCaching tag to False in the Service config file.
Node Administrators
Node Administrators are Super-Users and have complete control over the cache - they can create, modify, remove caches, and perform any other cache management operations. Node Administrators can save or discard security configurations if previously established. They are also able to inherit the capabilities of Cache Users to access and interact with caches using the NCache API.
Cache Users
If, however, you want to limit some users to cache API access only and do not want them to perform any management operations, configuring them as Cache Users is the option to use. A Cache User is restricted to data operations (Add, Remove, Update, and Retrieve) through the relevant APIs only.
If you do not want to define different access levels for your users and instead allow all of them to perform every type of operation on the cache, there is no need to configure Cache Users, as your Node Administrators already have all the rights needed to manage and operate the cache.
Homogeneous Security Settings
After establishing security settings for one node, you need to ensure that all the nodes in that cluster have the same security settings. The user acting as Node Administrator on one node should be the administrator on all the other nodes in that cluster. Similarly, the user acting as a Cache User on one node should be a Cache User on the rest of the nodes.
If homogeneous security settings are not ensured on all nodes of a cluster, you may encounter various issues while managing and operating the cache.
Note
A secured node as the first node in a cache cluster prevents the addition of vulnerable (unsecured) nodes.
Note
A vulnerable (unsecured) node as the first node in a cache cluster prevents the addition of secured nodes.
Data Encryption
In distributed caching systems, communication mostly occurs over network channels. The data travels and resides in the cache in its serialized form, and anyone eavesdropping on your connection can intercept your data easily if it is not encrypted. NCache Data Encryption converts this information into ciphertext. Only authorized parties (i.e., those with the appropriate key) can decipher the ciphertext and access the original information.
TLS Encryption
NCache's Data Encryption feature secures data both in memory and during transmission over the network, but it comes with an additional performance cost. Transport Layer Security (TLS), on the other hand, provides a more comprehensive approach to securing data during network transmission, following industry-standard practices.
Although TLS also has a performance impact, it tends to be less resource-intensive than the alternative, i.e., Data Encryption. As such, it is of particular importance for NCache operations, which involve data traveling over the network in a variety of ways:
- Between servers and clients
- Between different servers
- Between caches and bridges
In NCache, you can decide what type of communication you want to encrypt, as it travels over the network, using TLS. This choice gives you complete control over your data security. Usually, people encrypt traffic over the public internet, such as Bridge communication for WAN replication. However, for security-sensitive applications, you should probably encrypt traffic between clients and servers and between different servers.
TLS Certificate Considerations
When implementing TLS, certificates are stored in either the Personal or the Trusted Root Certificate Authority Store and are available at both the user and local machine levels. Certificates placed at the local machine level are accessible to all users, whereas user-level certificates are limited to specific users.
Additionally, these certificates require validation. Server-side certificates must be validated at the client end for TLS, verifying whether the client trusts the certificate issuer authority. If you're using a publicly recognized certificate issuer, you may not need to install the issuer's certificate in the client's Trusted Root Certificate Authority store. However, for self-signed or private certificates, you must ensure that the issuer's certificate is installed in the Trusted Root Certificate Authority store on the client end to avoid any chance of TLS handshake failures.
For mutual TLS between clients and servers, the client must also present its certificate to the server. In this case, the server must trust the client's certificate issuing authority, so that issuer's certificate must be placed in the server's Trusted Root Certificate Authority store. Similarly, when enabling TLS between servers, the other servers involved in communication must validate each other's certificates.
NCache follows a specific order when searching for certificates on the server box:
- Local Machine: Trusted Root
- Local Machine: Personal
- User: Trusted Root
- User: Personal
Understanding these considerations will ensure your deployment of NCache TLS encryption goes smoothly.
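The following PowerShell script is an added example, not part of the NCache documentation or product. It walks the four Windows certificate stores in the same order the page lists (Local Machine Trusted Root, Local Machine Personal, User Trusted Root, User Personal), reports where a certificate with a given thumbprint is found, whether it carries a private key (required for a server or client certificate, not for a copy of a CA certificate), and whether its chain builds to a trusted root on this machine, which is the check a TLS peer performs before the handshake can succeed. The thumbprint parameter and the store names are assumptions about how you identify the certificate you configured for NCache TLS; the PowerShell store names map as Root = Trusted Root Certificate Authority and My = Personal.

```powershell
# Added example (not NCache's own code): locate a TLS certificate in the stores
# NCache searches, in the order the documentation lists, and check its trust chain.
param(
    # Assumption: the SHA-1 thumbprint of the certificate you intend NCache to use.
    [Parameter(Mandatory = $true)][string]$Thumbprint
)

# Search order from the documentation. Root = Trusted Root CA store, My = Personal store.
$searchOrder = @(
    'Cert:\LocalMachine\Root',
    'Cert:\LocalMachine\My',
    'Cert:\CurrentUser\Root',
    'Cert:\CurrentUser\My'
)

# Thumbprints copied from certmgr often contain spaces; strip them before comparing.
$thumb = $Thumbprint -replace '\s', ''
$found = $null

foreach ($store in $searchOrder) {
    $cert = Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -ieq $thumb } |
            Select-Object -First 1
    if (-not $cert) { continue }

    $found = $cert
    Write-Host "Found in $store"
    Write-Host "  Subject       : $($cert.Subject)"
    Write-Host "  Issuer        : $($cert.Issuer)"
    Write-Host "  Valid until   : $($cert.NotAfter)"
    # A server or client certificate must have its private key; a root CA copy does not.
    Write-Host "  Private key   : $($cert.HasPrivateKey)"

    # Build the chain the way a validating peer would. Revocation checking is skipped
    # here so the result reflects trust-store contents only; enable it for a full check.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($cert)
    Write-Host "  Chain trusted : $trusted"

    if (-not $trusted) {
        # Typical for self-signed or private-CA certificates whose issuer is not in Trusted Root.
        foreach ($status in $chain.ChainStatus) {
            Write-Host "    $($status.Status): $($status.StatusInformation.Trim())"
        }
        Write-Host "  -> Install the issuer's certificate into Trusted Root (Cert:\LocalMachine\Root) on every peer that must validate this certificate."
    }
    $chain.Reset()
    # First match wins, mirroring the search order NCache follows.
    break
}

if (-not $found) {
    Write-Warning "No certificate with thumbprint $thumb found in any of the four stores."
}
```

Run it as `.\Check-NCacheTlsCert.ps1 -Thumbprint <thumbprint>` (the script file name is your choice) from an elevated prompt so the Local Machine stores are readable. Run it on each client, server and bridge host that takes part in the encrypted communication: a certificate that is trusted on the server box but whose issuer is absent from a client's Trusted Root store is exactly the case the page warns about, and the chain status lines (for example UntrustedRoot or PartialChain) show which link is missing.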
HTTPS for NCache Management Center
Similar to TLS, HTTPS (Hypertext Transfer Protocol Secure) is a widely used protocol to secure communication over a network. As such, NCache supports HTTPS for NCache Management Center in Windows and Linux using TLS certificates.
In This Section
Configure Authentication and Authorization
Explains how to configure the Security for nodes and caches.
Configure Encryption for Cache
Describes how to enable and configure Encryption for cache.
Configure TLS Encryption
Describes how to enable and configure SSL Encryption for cache in Windows and Linux.
Configure HTTPS for NCache Management Center
Describes how to enable and configure HTTPS for NCache Management Center.