TLS Config
The TLS configuration file contains information regarding the user's TLS settings and the associated TLS certificates. This page details the various tags used in this file and their uses.
Note
If your client machines do not have NCache installed, you can enable TLS using the tls.ncconf file available via the NCache NuGet packages for Windows and Linux.
TLS Config Syntax and Tags
<tls-info>
  <enable>false</enable>
  <certificate-name>certificate-name</certificate-name>
  <certificate-thumbprint>your-thumbprint</certificate-thumbprint>
  <enable-client-server-tls>false</enable-client-server-tls>
  <enable-bridge-tls>false</enable-bridge-tls>
  <enable-server-to-server-tls>false</enable-server-to-server-tls>
  <use-mutual-tls-for-client-to-server>false</use-mutual-tls-for-client-to-server>
  <use-mutual-tls-for-server-to-server>true</use-mutual-tls-for-server-to-server>
</tls-info>
enable
is the master flag that controls whether any of the other settings take effect. Essentially, use-mutual-tls-for-client-to-server, enable-bridge-tls, enable-client-server-tls, enable-server-to-server-tls, and use-mutual-tls-for-server-to-server will not work unless enable has been set to true, regardless of whether they have individually been enabled.
certificate-name
specifies the name of the TLS certificate to be used for encryption. It provides the unique name associated with the desired TLS certificate for secure communication.
certificate-thumbprint
specifies the unique thumbprint of the TLS certificate to ensure its authenticity and integrity. It provides the fingerprint value associated with the desired TLS certificate for secure communication.
enable-client-server-tls
is a flag that enables TLS encryption for communication between client and server nodes.
enable-bridge-tls
is a flag that enables TLS encryption solely for communication between the NCache bridge and geographically separate caches. If the user wants to extend this security to cover communication between the bridge nodes as well, they should use the enable-server-to-server-tls flag. If enable-bridge-tls is true, make sure enable-client-server-tls is also enabled. Currently, NCache requires you to use the same certificate on both bridge nodes.
enable-server-to-server-tls
is a flag that enables TLS encryption for communication between server nodes within a cluster.
use-mutual-tls-for-client-to-server
is a flag that enforces the requirement for a valid client TLS certificate. When enabled, client nodes connecting to the server must present a valid TLS certificate for authentication, and that certificate's Certificate Authority must exist in the server's Trusted Root store.
use-mutual-tls-for-server-to-server
is a flag that enforces the requirement for a valid server TLS certificate during communication. When enabled, the server nodes connecting to the first server must present a valid TLS certificate for authentication. Additionally, every server needs the other servers' Certificate Authorities to exist in its Trusted Root store.
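The dependencies described above (the master enable switch gating the five other flags, and enable-bridge-tls requiring enable-client-server-tls) are easy to get wrong in a hand-edited file. The following is an added example, not NCache's own code, that audits a tls.ncconf document for settings that will not behave as written; the sample file is constructed, and the 40-hex-digit thumbprint format check is an assumption based on how Windows certificate stores display SHA-1 thumbprints.

```python
import xml.etree.ElementTree as ET

# Constructed sample tls.ncconf content (not from a real deployment); it
# deliberately contains the dependency mistakes described on the page.
SAMPLE_TLS_NCCONF = """<tls-info>
  <enable>false</enable>
  <certificate-name>ncache-node</certificate-name>
  <certificate-thumbprint>your-thumbprint</certificate-thumbprint>
  <enable-client-server-tls>false</enable-client-server-tls>
  <enable-bridge-tls>true</enable-bridge-tls>
  <enable-server-to-server-tls>false</enable-server-to-server-tls>
  <use-mutual-tls-for-client-to-server>true</use-mutual-tls-for-client-to-server>
  <use-mutual-tls-for-server-to-server>true</use-mutual-tls-for-server-to-server>
</tls-info>"""

# The five flags that the master <enable> switch gates.
GATED_FLAGS = (
    "enable-client-server-tls",
    "enable-bridge-tls",
    "enable-server-to-server-tls",
    "use-mutual-tls-for-client-to-server",
    "use-mutual-tls-for-server-to-server",
)

def _is_true(root, tag):
    return (root.findtext(tag) or "").strip().lower() == "true"

def effective_settings(xml_text):
    """Map each gated flag to whether it is actually in force (master AND flag)."""
    root = ET.fromstring(xml_text)
    master = _is_true(root, "enable")
    return {tag: master and _is_true(root, tag) for tag in GATED_FLAGS}

def audit_tls_config(xml_text):
    """Return human-readable findings for settings that will not behave as written."""
    root = ET.fromstring(xml_text)
    findings = []
    if not _is_true(root, "enable"):
        for tag in GATED_FLAGS:
            if _is_true(root, tag):
                findings.append(f"{tag} is true but inert: <enable> is false")
    if _is_true(root, "enable-bridge-tls") and not _is_true(root, "enable-client-server-tls"):
        findings.append("enable-bridge-tls is true but enable-client-server-tls is not")
    # Assumption: a real thumbprint is the 40-hex-digit SHA-1 fingerprint shown by the
    # Windows certificate store; anything else is likely the unreplaced placeholder.
    thumb = (root.findtext("certificate-thumbprint") or "").strip()
    if len(thumb) != 40 or any(c not in "0123456789abcdefABCDEF" for c in thumb):
        findings.append("certificate-thumbprint does not look like a SHA-1 thumbprint")
    return findings
```

Running audit_tls_config on the sample reports the three inert flags, the missing enable-client-server-tls dependency, and the placeholder thumbprint; effective_settings shows every flag as off because enable is false.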
See Also
Configure Security for Cache
Configure Security for Client Nodes
Configure Encryption for Cache