TLS Config (tls.ncconf)

The TLS configuration file contains information regarding the user's TLS settings and the associated TLS certificates. This page details the various tags used in this file and their uses.

Note

If your client machines do not have NCache installed you can enable TLS using the tls.ncconf file available via the NCache NuGet Packages in Windows and Linux.

TLS Config Syntax

The tls configuration file is explained below.

<tls-info>
  <enable>false</enable>
  <certificate-name>certificate-name</certificate-name>
  <certificate-thumbprint>your-thumbprint</certificate-thumbprint>
  <enable-client-server-tls>false</enable-client-server-tls>
  <enable-bridge-tls>false</enable-bridge-tls>
  <enable-server-to-server-tls>false</enable-server-to-server-tls>
  <use-mutual-tls-for-client-to-server>false</use-mutual-tls-for-client-to-server>
  <use-mutual-tls-for-server-to-server>true</use-mutual-tls-for-server-to-server>
</tls-info>

Understanding the TLS Config Tags

The following section explains the tags mentioned as part of the file syntax.

  • enable: Allows users to control whether or not they will be able to customize any other setting. Essentially, use-mutual-tls-for-client-to-server, enable-bridge-tls, enable-client-server-tls, enable-server-to-server-tls, and use-mutual-tls-for-server-to-server will not work if this tag hasn't been set as True, regardless of whether they have individually been enabled. By default it is False.

  • certificate-name: Specifies the name of the TLS certificate to be used for encryption. It provides the unique name associated with the desired TLS certificate for secure communication.

  • certificate-thumbprint: Specifies the unique thumbprint of the TLS certificate to ensure its authenticity and integrity. It provides the fingerprint value associated with the desired TLS certificate for secure communication.

  • enable-client-server-tls: Allows you to enable TLS encryption for communication between client and server nodes. By default it is False.

  • enable-bridge-tls: Allows you to enable TLS encryption solely for communication between the NCache bridge and geographically separate caches. If the user wants to extend this security to encompass communication between the bridge nodes as well, they should use the enable-server-to-server-tls flag. If enable-bridge-tls is True, make sure to enable enable-client-server-tls. Currently, NCache requires you to use the same certificate on both bridge nodes. By default it is False.

  • enable-server-to-server-tls: Specifies the TLS encryption for communication between server nodes within a cluster. By default it is False.

  • use-mutual-tls-for-client-to-server: Allows you to enforce the requirement for a valid client TLS certificate. When enabled, client nodes connecting to the server must present a valid TLS certificate for authentication and for that certificate's Certificate Authority to exist in the server's Trusted Root. By default it is False.

  • use-mutual-tls-for-server-to-server: Allows you to enforce the requirement for a valid server TLS certificate during communication. When enabled, the server nodes connecting to the first server must present a valid TLS certificate for authentication. Additionally, all servers need to have each other Certificate Authoroties to exist in their Trusted Roots.

See Also

Configure Security for Cache
Configure Security for Client Nodes
Configure Encryption for Cache