Merge pull request #2999 from rhafer/stable/7.2/backports

[stable-7.2] Backport fixes from main
2026-06-22 23:09:38 -04:00 · 2026-06-22 15:56:49 +02:00
parent 8fd9a82acf cd99a6fd44
commit b4ed8c4aeb
72 changed files with 964 additions and 387 deletions
--- a/opencloud/pkg/command/posixfs.go
+++ b/opencloud/pkg/command/posixfs.go
@@ -31,6 +31,7 @@ import (
 const (
 	parentIDAttrName = "user.oc.parentid"
 	idAttrName       = "user.oc.id"
+	nameAttrName     = "user.oc.name"
 	spaceIDAttrName  = "user.oc.space.id"
 	ownerIDAttrName  = "user.oc.owner.id"
 )
@@ -292,7 +293,7 @@ func checkSpaceID(spacePath string) {
 	}
 }

-func walkParentIDs(dir string, parentID string) int {
+func walkNodes(dir string, parentID string) int {
 	fixes := 0
 	entries, err := os.ReadDir(dir)
 	if err != nil {
@@ -307,6 +308,7 @@ func walkParentIDs(dir string, parentID string) int {
 			continue
 		}

+		// Check if the parent ID attribute matches the expected parent ID, if not, fix it.
 		actualParentID, err := xattr.Get(fullPath, parentIDAttrName)
 		if err != nil || string(actualParentID) != parentID {
 			err = xattr.Set(fullPath, parentIDAttrName, []byte(parentID))
@@ -314,7 +316,22 @@ func walkParentIDs(dir string, parentID string) int {
 				logFailure("Failed to fix parent ID for '%s': %v", fullPath, err)
 			} else {
 				spinner.Pause()
-				fmt.Printf("\n  + Fixed parent ID for '%s'\n", fullPath)
+				fmt.Printf("  + Fixed parent ID for '%s'", fullPath)
+				spinner.Unpause()
+				fixes++
+				restartRequired = true
+			}
+		}
+
+		// Check that the name attribute matches the actual name of the file/directory, if not, fix it.
+		nameAttr, err := xattr.Get(fullPath, nameAttrName)
+		if err != nil || string(nameAttr) != entry.Name() {
+			err = xattr.Set(fullPath, nameAttrName, []byte(entry.Name()))
+			if err != nil {
+				logFailure("Failed to fix name attribute for '%s': %v", fullPath, err)
+			} else {
+				spinner.Pause()
+				fmt.Printf("  + Fixed name attribute for '%s'", fullPath)
 				spinner.Unpause()
 				fixes++
 				restartRequired = true
@@ -327,14 +344,14 @@ func walkParentIDs(dir string, parentID string) int {
 				logFailure("Directory '%s' missing '%s', skipping its children", fullPath, idAttrName)
 				continue
 			}
-			walkParentIDs(fullPath, string(nodeID))
+			walkNodes(fullPath, string(nodeID))
 		}
 	}
 	return fixes
 }

 func checkNodeIDs(spacePath string) {
-	spinner.Message(" - checking parent IDs")
+	spinner.Message(" - checking nodes")

 	rootID, err := xattr.Get(spacePath, idAttrName)
 	if err != nil || len(rootID) == 0 {
@@ -342,11 +359,11 @@ func checkNodeIDs(spacePath string) {
 		return
 	}

-	fixes := walkParentIDs(spacePath, string(rootID))
+	fixes := walkNodes(spacePath, string(rootID))

 	if fixes > 0 {
 		spinner.Pause()
-		fmt.Printf("\n  ✓ Fixed %d incorrect parent IDs in %s\n", fixes, filepath.Base(spacePath))
+		fmt.Printf("\n  ✓ Fixed %d incorrect node attributes in %s\n", fixes, filepath.Base(spacePath))
 		spinner.Unpause()
 	}
 }
--- a/pkg/nats/options.go
+++ b/pkg/nats/options.go
@@ -0,0 +1,20 @@
+package nats
+
+import (
+	"crypto/tls"
+
+	"github.com/nats-io/nats.go"
+)
+
+func Secure(enableTLS, insecure bool, rootCA string) nats.Option {
+	if enableTLS {
+		if rootCA != "" {
+			return nats.RootCAs(rootCA)
+		}
+		return nats.Secure(&tls.Config{
+			MinVersion:         tls.VersionTLS12,
+			InsecureSkipVerify: insecure,
+		})
+	}
+	return nil
+}
--- a/pkg/shared/shared_types.go
+++ b/pkg/shared/shared_types.go
@@ -48,14 +48,17 @@ type HTTPServiceTLS struct {
 }

 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table              string        `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES" desc:"A comma separated list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"OC_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL" desc:"Time to live for events in the store. The duration can be set as number followed by a unit identifier like s, m or h." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OC_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // Commons holds configuration that are common to all extensions. Each extension can then decide whether
--- a/services/activitylog/pkg/command/server.go
+++ b/services/activitylog/pkg/command/server.go
@@ -9,9 +9,7 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/events"
 	"github.com/opencloud-eu/reva/v2/pkg/events/stream"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	"github.com/opencloud-eu/reva/v2/pkg/store"
 	"github.com/spf13/cobra"
-	microstore "go-micro.dev/v4/store"

 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/generators"
@@ -77,15 +75,6 @@ func Server(cfg *config.Config) *cobra.Command {
 				return err
 			}

-			evStore := store.Create(
-				store.Store(cfg.Store.Store),
-				store.TTL(cfg.Store.TTL),
-				microstore.Nodes(cfg.Store.Nodes...),
-				microstore.Database(cfg.Store.Database),
-				microstore.Table(cfg.Store.Table),
-				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
-			)
-
 			tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode)
 			if err != nil {
 				logger.Error().Err(err).Msg("Failed to parse tls mode")
@@ -120,7 +109,6 @@ func Server(cfg *config.Config) *cobra.Command {
 					http.Context(ctx), // NOTE: not passing this "option" leads to a panic in go-micro
 					http.TraceProvider(tracerProvider),
 					http.Stream(evStream),
-					http.Store(evStore),
 					http.GatewaySelector(gatewaySelector),
 					http.HistoryClient(hClient),
 					http.ValueClient(vClient),
--- a/services/activitylog/pkg/config/config.go
+++ b/services/activitylog/pkg/config/config.go
@@ -50,13 +50,15 @@ type Events struct {

 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"ACTIVITYLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;ACTIVITYLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"ACTIVITYLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;ACTIVITYLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;ACTIVITYLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;ACTIVITYLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided ACTIVITYLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // ServiceAccount is the configuration for the used service account
--- a/services/activitylog/pkg/config/defaults/defaultconfig.go
+++ b/services/activitylog/pkg/config/defaults/defaultconfig.go
@@ -37,7 +37,6 @@ func DefaultConfig() *config.Config {
 			Store:    "nats-js-kv",
 			Nodes:    []string{"127.0.0.1:9233"},
 			Database: "activitylog",
-			Table:    "",
 		},
 		RevaGateway:     shared.DefaultRevaConfig().Address,
 		DefaultLanguage: "en",
--- a/services/activitylog/pkg/server/debug/server.go
+++ b/services/activitylog/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("http reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/activitylog/pkg/server/http/server.go
+++ b/services/activitylog/pkg/server/http/server.go
@@ -81,7 +81,6 @@ func Server(opts ...Option) (http.Service, error) {
 		svc.Logger(options.Logger),
 		svc.Stream(options.Stream),
 		svc.Mux(mux),
-		svc.Store(options.Store),
 		svc.Config(options.Config),
 		svc.GatewaySelector(options.GatewaySelector),
 		svc.TraceProvider(options.TraceProvider),
--- a/services/activitylog/pkg/service/options.go
+++ b/services/activitylog/pkg/service/options.go
@@ -11,7 +11,6 @@ import (
 	"github.com/opencloud-eu/opencloud/services/activitylog/pkg/config"
 	"github.com/opencloud-eu/reva/v2/pkg/events"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
-	microstore "go-micro.dev/v4/store"
 	"go.opentelemetry.io/otel/trace"
 )

@@ -25,7 +24,6 @@ type Options struct {
 	TraceProvider       trace.TracerProvider
 	Stream              events.Stream
 	RegisteredEvents    []events.Unmarshaller
-	Store               microstore.Store
 	GatewaySelector     pool.Selectable[gateway.GatewayAPIClient]
 	Mux                 *chi.Mux
 	HistoryClient       ehsvc.EventHistoryService
@@ -69,13 +67,6 @@ func RegisteredEvents(e []events.Unmarshaller) Option {
 	}
 }

-// Store configures the store to use
-func Store(store microstore.Store) Option {
-	return func(o *Options) {
-		o.Store = store
-	}
-}
-
 // GatewaySelector adds a grpc client selector for the gateway service
 func GatewaySelector(gatewaySelector pool.Selectable[gateway.GatewayAPIClient]) Option {
 	return func(o *Options) {
--- a/services/activitylog/pkg/service/service.go
+++ b/services/activitylog/pkg/service/service.go
@@ -2,6 +2,7 @@ package service

 import (
 	"context"
+	"crypto/tls"
 	"encoding/base32"
 	"encoding/json"
 	"fmt"
@@ -166,6 +167,18 @@ func New(opts ...Option) (*ActivitylogService, error) {
 	natsOptions := nats.Options{
 		Servers: o.Config.Store.Nodes,
 	}
+	if o.Config.Store.EnableTLS {
+		if o.Config.Store.TLSRootCACertificate != "" {
+			// when root ca is configured use it. an insecure flag is ignored.
+			nats.RootCAs(o.Config.Store.TLSRootCACertificate)(&natsOptions)
+		} else {
+			// enable tls and use insecure flag
+			nats.Secure(&tls.Config{MinVersion: tls.VersionTLS12, InsecureSkipVerify: o.Config.Store.TLSInsecure})(&natsOptions)
+		}
+	}
+	if o.Config.Store.AuthUsername != "" && o.Config.Store.AuthPassword != "" {
+		nats.UserInfo(o.Config.Store.AuthUsername, o.Config.Store.AuthPassword)(&natsOptions)
+	}
 	conn, err := natsOptions.Connect()
 	if err != nil {
 		return nil, err
--- a/services/antivirus/pkg/server/debug/server.go
+++ b/services/antivirus/pkg/server/debug/server.go
@@ -10,6 +10,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -18,9 +19,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)).
 		WithCheck("antivirus reachability", func(ctx context.Context) error {
 			cfg := options.Config
 			switch cfg.Scanner.Type {
--- a/services/audit/pkg/server/debug/server.go
+++ b/services/audit/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/clientlog/pkg/server/debug/server.go
+++ b/services/clientlog/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/clientlog/pkg/service/service.go
+++ b/services/clientlog/pkg/service/service.go
@@ -83,7 +83,8 @@ EventLoop:
 			if !ok {
 				break EventLoop
 			}
-			cl.processEvent(event)
+
+			go cl.processEvent(event)

 			if cl.stopped.Load() {
 				break EventLoop
--- a/services/collaboration/pkg/command/server.go
+++ b/services/collaboration/pkg/command/server.go
@@ -101,6 +101,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Store.Database),
 				microstore.Table(cfg.Store.Table),
 				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+				store.TLSEnabled(cfg.Store.EnableTLS),
+				store.TLSInsecure(cfg.Store.TLSInsecure),
+				store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 			)

 			gr := runner.NewGroup()
--- a/services/collaboration/pkg/config/store.go
+++ b/services/collaboration/pkg/config/store.go
@@ -4,11 +4,14 @@ import "time"

 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;COLLABORATION_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"COLLABORATION_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"COLLABORATION_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL" desc:"Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;COLLABORATION_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;COLLABORATION_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;COLLABORATION_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided COLLABORATION_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/eventhistory/pkg/command/server.go
+++ b/services/eventhistory/pkg/command/server.go
@@ -71,6 +71,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Store.Database),
 				microstore.Table(cfg.Store.Table),
 				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+				store.TLSEnabled(cfg.Store.EnableTLS),
+				store.TLSInsecure(cfg.Store.TLSInsecure),
+				store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 			)

 			service := grpc.NewService(
--- a/services/eventhistory/pkg/config/config.go
+++ b/services/eventhistory/pkg/config/config.go
@@ -36,13 +36,16 @@ type GRPCConfig struct {

 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;EVENTHISTORY_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"EVENTHISTORY_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"EVENTHISTORY_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;EVENTHISTORY_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;EVENTHISTORY_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided EVENTHISTORY_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // Events combines the configuration options for the event bus.
--- a/services/eventhistory/pkg/server/debug/server.go
+++ b/services/eventhistory/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/frontend/pkg/config/config.go
+++ b/services/frontend/pkg/config/config.go
@@ -121,18 +121,21 @@ type DataGateway struct {
 }

 type OCS struct {
-	Prefix                      string        `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	SharePrefix                 string        `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	HomeNamespace               string        `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	AdditionalInfoAttribute     string        `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	StatCacheType               string        `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheNodes              []string      `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheDatabase           string        `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	StatCacheTable              string        `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
-	StatCacheTTL                time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheDisablePersistence bool          `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheAuthUsername       string        `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""`
-	StatCacheAuthPassword       string        `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""`
+	Prefix                        string        `yaml:"prefix" env:"FRONTEND_OCS_PREFIX" desc:"URL path prefix for the OCS service. Note that the string must not start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	SharePrefix                   string        `yaml:"share_prefix" env:"FRONTEND_OCS_SHARE_PREFIX" desc:"Path prefix for shares as part of a CS3 resource. Note that the path must start with '/'." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	HomeNamespace                 string        `yaml:"home_namespace" env:"FRONTEND_OCS_PERSONAL_NAMESPACE" desc:"Home namespace identifier." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	AdditionalInfoAttribute       string        `yaml:"additional_info_attribute" env:"FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE" desc:"Additional information attribute for the user like {{.Mail}}." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	StatCacheType                 string        `yaml:"stat_cache_type" env:"OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheNodes                []string      `yaml:"stat_cache_nodes" env:"OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheDatabase             string        `yaml:"stat_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	StatCacheTable                string        `yaml:"stat_cache_table" env:"FRONTEND_OCS_STAT_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"The OCS API is deprecated" deprecationReplacement:""`
+	StatCacheTTL                  time.Duration `yaml:"stat_cache_ttl" env:"OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheDisablePersistence   bool          `yaml:"stat_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE" desc:"Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheAuthUsername         string        `yaml:"stat_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheAuthPassword         string        `yaml:"stat_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when using the 'nats-js-kv' store type." introductionVersion:"1.0.0" deprecationVersion:"1.0.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated" deprecationReplacement:""`
+	StatCacheEnableTLS            bool          `yaml:"stat_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;FRONTEND_OCS_STAT_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	StatCacheTLSInsecure          bool          `yaml:"stat_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;FRONTEND_OCS_STAT_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	StatCacheTLSRootCACertificate string        `yaml:"stat_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;FRONTEND_OCS_STAT_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided FRONTEND_OCS_STAT_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`

 	CacheWarmupDriver                    string             `yaml:"cache_warmup_driver,omitempty"`  // not supported by the OpenCloud product, therefore not part of docs
 	CacheWarmupDrivers                   CacheWarmupDrivers `yaml:"cache_warmup_drivers,omitempty"` // not supported by the OpenCloud product, therefore not part of docs
--- a/services/frontend/pkg/revaconfig/config.go
+++ b/services/frontend/pkg/revaconfig/config.go
@@ -164,14 +164,17 @@ func FrontendConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string
 					"share_prefix":         cfg.OCS.SharePrefix,
 					"home_namespace":       cfg.OCS.HomeNamespace,
 					"stat_cache_config": map[string]any{
-						"cache_store":               cfg.OCS.StatCacheType,
-						"cache_nodes":               cfg.OCS.StatCacheNodes,
-						"cache_database":            cfg.OCS.StatCacheDatabase,
-						"cache_table":               cfg.OCS.StatCacheTable,
-						"cache_ttl":                 cfg.OCS.StatCacheTTL,
-						"cache_disable_persistence": cfg.OCS.StatCacheDisablePersistence,
-						"cache_auth_username":       cfg.OCS.StatCacheAuthUsername,
-						"cache_auth_password":       cfg.OCS.StatCacheAuthPassword,
+						"cache_store":                   cfg.OCS.StatCacheType,
+						"cache_nodes":                   cfg.OCS.StatCacheNodes,
+						"cache_database":                cfg.OCS.StatCacheDatabase,
+						"cache_table":                   cfg.OCS.StatCacheTable,
+						"cache_ttl":                     cfg.OCS.StatCacheTTL,
+						"cache_disable_persistence":     cfg.OCS.StatCacheDisablePersistence,
+						"cache_auth_username":           cfg.OCS.StatCacheAuthUsername,
+						"cache_auth_password":           cfg.OCS.StatCacheAuthPassword,
+						"cache_tls_enabled":             cfg.OCS.StatCacheEnableTLS,
+						"cache_tls_insecure":            cfg.OCS.StatCacheTLSInsecure,
+						"cache_tls_root_ca_certificate": cfg.OCS.StatCacheTLSRootCACertificate,
 					},
 					"prefix":                    cfg.OCS.Prefix,
 					"additional_info_attribute": cfg.OCS.AdditionalInfoAttribute,
--- a/services/frontend/pkg/server/debug/server.go
+++ b/services/frontend/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/gateway/pkg/config/config.go
+++ b/services/gateway/pkg/config/config.go
@@ -84,11 +84,18 @@ type Cache struct {
 	ProviderCacheDisablePersistence   bool          `yaml:"provider_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
 	ProviderCacheAuthUsername         string        `yaml:"provider_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
 	ProviderCacheAuthPassword         string        `yaml:"provider_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	CreateHomeCacheStore              string        `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	CreateHomeCacheNodes              []string      `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	CreateHomeCacheDatabase           string        `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	CreateHomeCacheTTL                time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	CreateHomeCacheDisablePersistence bool          `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	CreateHomeCacheAuthUsername       string        `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	CreateHomeCacheAuthPassword       string        `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	ProviderCacheEnableTLS            bool          `yaml:"provider_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_PROVIDER_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	ProviderCacheTLSInsecure          bool          `yaml:"provider_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_PROVIDER_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	ProviderCacheTLSRootCACertificate string        `yaml:"provider_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_PROVIDER_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_PROVIDER_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
+
+	CreateHomeCacheStore                string        `yaml:"create_home_cache_store" env:"OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	CreateHomeCacheNodes                []string      `yaml:"create_home_cache_nodes" env:"OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	CreateHomeCacheDatabase             string        `yaml:"create_home_cache_database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	CreateHomeCacheTTL                  time.Duration `yaml:"create_home_cache_ttl" env:"OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL" desc:"Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	CreateHomeCacheDisablePersistence   bool          `yaml:"create_home_cache_disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	CreateHomeCacheAuthUsername         string        `yaml:"create_home_cache_auth_username" env:"OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME" desc:"The username to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	CreateHomeCacheAuthPassword         string        `yaml:"create_home_cache_auth_password" env:"OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD" desc:"The password to use for authentication. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	CreateHomeCacheEnableTLS            bool          `yaml:"create_home_cache_enable_tls" env:"OC_CACHE_ENABLE_TLS;GATEWAY_CREATE_HOME_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	CreateHomeCacheTLSInsecure          bool          `yaml:"create_home_cache_tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	CreateHomeCacheTLSRootCACertificate string        `yaml:"create_home_cache_tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GATEWAY_CREATE_HOME_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GATEWAY_CREATE_HOME_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/gateway/pkg/revaconfig/config.go
+++ b/services/gateway/pkg/revaconfig/config.go
@@ -45,15 +45,15 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]a
 					"groupprovidersvc": cfg.GroupsEndpoint,
 					"permissionssvc":   cfg.PermissionsEndpoint,
 					// sharing is located on the sharing service
-					"usershareprovidersvc":          cfg.SharingEndpoint,
-					"publicshareprovidersvc":        cfg.SharingEndpoint,
-					"ocmshareprovidersvc":           cfg.OCMEndpoint,
-					"ocminvitemanagersvc":           cfg.OCMEndpoint,
-					"ocmproviderauthorizersvc":      cfg.OCMEndpoint,
-					"ocmcoresvc":                    cfg.OCMEndpoint,
+					"usershareprovidersvc":              cfg.SharingEndpoint,
+					"publicshareprovidersvc":            cfg.SharingEndpoint,
+					"ocmshareprovidersvc":               cfg.OCMEndpoint,
+					"ocminvitemanagersvc":               cfg.OCMEndpoint,
+					"ocmproviderauthorizersvc":          cfg.OCMEndpoint,
+					"ocmcoresvc":                        cfg.OCMEndpoint,
 					"use_common_space_root_share_logic": true,
-				"commit_share_to_storage_grant":    cfg.CommitShareToStorageGrant,
-					"share_folder":                  cfg.ShareFolder, // ShareFolder is the location where to create shares in the recipient's storage provider.
+					"commit_share_to_storage_grant":     cfg.CommitShareToStorageGrant,
+					"share_folder":                      cfg.ShareFolder, // ShareFolder is the location where to create shares in the recipient's storage provider.
 					// other
 					"disable_home_creation_on_login": cfg.DisableHomeCreationOnLogin,
 					"datagateway":                    strings.TrimRight(cfg.FrontendPublicURL, "/") + "/data",
@@ -71,14 +71,17 @@ func GatewayConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]a
 						"cache_auth_password": cfg.Cache.ProviderCacheAuthPassword,
 					},
 					"create_personal_space_cache_config": map[string]any{
-						"cache_store":               cfg.Cache.CreateHomeCacheStore,
-						"cache_nodes":               cfg.Cache.CreateHomeCacheNodes,
-						"cache_database":            cfg.Cache.CreateHomeCacheDatabase,
-						"cache_table":               "create_personal_space",
-						"cache_ttl":                 cfg.Cache.CreateHomeCacheTTL,
-						"cache_disable_persistence": cfg.Cache.CreateHomeCacheDisablePersistence,
-						"cache_auth_username":       cfg.Cache.CreateHomeCacheAuthUsername,
-						"cache_auth_password":       cfg.Cache.CreateHomeCacheAuthPassword,
+						"cache_store":                   cfg.Cache.CreateHomeCacheStore,
+						"cache_nodes":                   cfg.Cache.CreateHomeCacheNodes,
+						"cache_database":                cfg.Cache.CreateHomeCacheDatabase,
+						"cache_table":                   "create_personal_space",
+						"cache_ttl":                     cfg.Cache.CreateHomeCacheTTL,
+						"cache_disable_persistence":     cfg.Cache.CreateHomeCacheDisablePersistence,
+						"cache_auth_username":           cfg.Cache.CreateHomeCacheAuthUsername,
+						"cache_auth_password":           cfg.Cache.CreateHomeCacheAuthPassword,
+						"cache_tls_enabled":             cfg.Cache.CreateHomeCacheEnableTLS,
+						"cache_tls_insecure":            cfg.Cache.CreateHomeCacheTLSInsecure,
+						"cache_tls_root_ca_certificate": cfg.Cache.CreateHomeCacheTLSRootCACertificate,
 					},
 				},
 				"authregistry": map[string]any{
--- a/services/gateway/pkg/server/debug/server.go
+++ b/services/gateway/pkg/server/debug/server.go
@@ -18,6 +18,7 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("nats reachability", func(ctx context.Context) error {
 			if options.Config.Cache.ProviderCacheStore == "nats-js-kv" && len(options.Config.Cache.ProviderCacheNodes) > 0 {
+				// no secureOption because we cannot yet configure tls for the cache store
 				return checks.NewNatsCheck(options.Config.Cache.ProviderCacheNodes[0])(ctx)
 			}
 			return nil
--- a/services/graph/pkg/command/server.go
+++ b/services/graph/pkg/command/server.go
@@ -4,9 +4,11 @@ import (
 	"context"
 	"fmt"
 	"os/signal"
+	"strings"

 	"github.com/opencloud-eu/opencloud/pkg/config/configlog"
 	"github.com/opencloud-eu/opencloud/pkg/log"
+	natspkg "github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/runner"
 	"github.com/opencloud-eu/opencloud/pkg/tracing"
 	"github.com/opencloud-eu/opencloud/pkg/version"
@@ -50,13 +52,9 @@ func Server(cfg *config.Config) *cobra.Command {
 			var kv jetstream.KeyValue
 			// Allow to run without a NATS store (e.g. for the standalone Education provisioning service)
 			if len(cfg.Store.Nodes) > 0 {
-				//Connect to NATS servers
-				natsOptions := nats.Options{
-					Servers:  cfg.Store.Nodes,
-					User:     cfg.Store.AuthUsername,
-					Password: cfg.Store.AuthPassword,
-				}
-				conn, err := natsOptions.Connect()
+				// Connect to NATS servers
+				secureOption := natspkg.Secure(cfg.Store.EnableTLS, cfg.Store.TLSInsecure, cfg.Store.TLSRootCACertificate)
+				conn, err := nats.Connect(strings.Join(cfg.Store.Nodes, ","), secureOption, nats.UserInfo(cfg.Store.AuthUsername, cfg.Store.AuthPassword))
 				if err != nil {
 					return err
 				}
--- a/services/graph/pkg/config/cache.go
+++ b/services/graph/pkg/config/cache.go
@@ -4,12 +4,15 @@ import "time"

 // Cache defines the available configuration for a cache store
 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table              string        `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;GRAPH_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store are configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"GRAPH_CACHE_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"GRAPH_CACHE_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;GRAPH_CACHE_TTL" desc:"Time to live for cache records in the graph. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;GRAPH_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;GRAPH_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;GRAPH_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/graph/pkg/config/config.go
+++ b/services/graph/pkg/config/config.go
@@ -172,8 +172,11 @@ type Metadata struct {

 // Store configures the store to use
 type Store struct {
-	Nodes        []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string   `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	AuthUsername string   `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string   `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Nodes                []string `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;GRAPH_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string   `yaml:"database" env:"GRAPH_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	AuthUsername         string   `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;GRAPH_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string   `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;GRAPH_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool     `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;GRAPH_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool     `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;GRAPH_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string   `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;GRAPH_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided GRAPH_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/graph/pkg/server/debug/server.go
+++ b/services/graph/pkg/server/debug/server.go
@@ -6,6 +6,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -32,8 +33,13 @@ func Server(opts ...Option) (*http.Server, error) {

 	// only check nats if really needed
 	if options.Config.Events.Endpoint != "" {
+		secureOption := nats.Secure(
+			options.Config.Events.EnableTLS,
+			options.Config.Events.TLSInsecure,
+			options.Config.Events.TLSRootCACertificate,
+		)
 		readyHandlerConfiguration = readyHandlerConfiguration.
-			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))
 	}

 	return debug.NewService(
--- a/services/graph/pkg/service/v0/api_driveitem_permissions.go
+++ b/services/graph/pkg/service/v0/api_driveitem_permissions.go
@@ -22,7 +22,6 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"
 	libregraph "github.com/opencloud-eu/libre-graph-api-go"
-
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
 	"github.com/opencloud-eu/reva/v2/pkg/publicshare"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
@@ -30,16 +29,14 @@ import (
 	"github.com/opencloud-eu/reva/v2/pkg/storagespace"
 	"github.com/opencloud-eu/reva/v2/pkg/utils"

-	"github.com/opencloud-eu/opencloud/pkg/l10n"
-	l10n_pkg "github.com/opencloud-eu/opencloud/services/graph/pkg/l10n"
-	"github.com/opencloud-eu/opencloud/services/graph/pkg/odata"
-
 	"github.com/opencloud-eu/opencloud/pkg/conversions"
+	"github.com/opencloud-eu/opencloud/pkg/l10n"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/config"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/identity"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/identity/cache"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/odata"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/validate"
 )
@@ -755,16 +752,8 @@ func (api DriveItemPermissionsApi) ListPermissions(w http.ResponseWriter, r *htt

 	loc := r.Header.Get(l10n.HeaderAcceptLanguage)
 	w.Header().Add("Content-Language", loc)
-	if loc != "" && loc != "en" {
-		err := l10n_pkg.TranslateEntity(loc, "en", permissions,
-			l10n.TranslateEach("LibreGraphPermissionsRolesAllowedValues",
-				l10n.TranslateField("Description"),
-				l10n.TranslateField("DisplayName"),
-			),
-		)
-		if err != nil {
-			api.logger.Error().Err(err).Msg("tranlation error")
-		}
+	for i := range permissions.LibreGraphPermissionsRolesAllowedValues {
+		permissions.LibreGraphPermissionsRolesAllowedValues[i] = unifiedrole.LocalizeRole(&permissions.LibreGraphPermissionsRolesAllowedValues[i], loc)
 	}

 	render.Status(r, http.StatusOK)
@@ -806,16 +795,8 @@ func (api DriveItemPermissionsApi) ListSpaceRootPermissions(w http.ResponseWrite

 	loc := r.Header.Get(l10n.HeaderAcceptLanguage)
 	w.Header().Add("Content-Language", loc)
-	if loc != "" && loc != "en" {
-		err := l10n_pkg.TranslateEntity(loc, "en", permissions,
-			l10n.TranslateEach("LibreGraphPermissionsRolesAllowedValues",
-				l10n.TranslateField("Description"),
-				l10n.TranslateField("DisplayName"),
-			),
-		)
-		if err != nil {
-			api.logger.Error().Err(err).Msg("tranlation error")
-		}
+	for i := range permissions.LibreGraphPermissionsRolesAllowedValues {
+		permissions.LibreGraphPermissionsRolesAllowedValues[i] = unifiedrole.LocalizeRole(&permissions.LibreGraphPermissionsRolesAllowedValues[i], loc)
 	}

 	render.Status(r, http.StatusOK)
--- a/services/graph/pkg/service/v0/rolemanagement.go
+++ b/services/graph/pkg/service/v0/rolemanagement.go
@@ -7,14 +7,17 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/render"

+	"github.com/opencloud-eu/opencloud/pkg/l10n"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole"
 )

 // GetRoleDefinitions a list of permission roles than can be used when sharing with users or groups
 func (g Graph) GetRoleDefinitions(w http.ResponseWriter, r *http.Request) {
+	loc := r.Header.Get(l10n.HeaderAcceptLanguage)
+	w.Header().Add("Content-Language", loc)
 	render.Status(r, http.StatusOK)
-	render.JSON(w, r, g.availableRoles)
+	render.JSON(w, r, unifiedrole.LocalizeRoles(g.availableRoles, loc))
 }

 // GetRoleDefinition a permission role than can be used when sharing with users or groups
@@ -32,6 +35,8 @@ func (g Graph) GetRoleDefinition(w http.ResponseWriter, r *http.Request) {
 		errorcode.ItemNotFound.Render(w, r, http.StatusNotFound, err.Error())
 		return
 	}
+	loc := r.Header.Get(l10n.HeaderAcceptLanguage)
+	w.Header().Add("Content-Language", loc)
 	render.Status(r, http.StatusOK)
-	render.JSON(w, r, role)
+	render.JSON(w, r, unifiedrole.LocalizeRole(role, loc))
 }
--- a/services/graph/pkg/service/v0/rolemanagement_test.go
+++ b/services/graph/pkg/service/v0/rolemanagement_test.go
@@ -0,0 +1,170 @@
+package svc_test
+
+import (
+	"context"
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+
+	gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+	. "github.com/onsi/ginkgo/v2"
+	. "github.com/onsi/gomega"
+	libregraph "github.com/opencloud-eu/libre-graph-api-go"
+	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
+	cs3mocks "github.com/opencloud-eu/reva/v2/tests/cs3mocks/mocks"
+	"google.golang.org/grpc"
+
+	"github.com/opencloud-eu/opencloud/pkg/shared"
+	"github.com/opencloud-eu/opencloud/services/graph/mocks"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/config"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/config/defaults"
+	service "github.com/opencloud-eu/opencloud/services/graph/pkg/service/v0"
+	"github.com/opencloud-eu/opencloud/services/graph/pkg/unifiedrole"
+)
+
+var _ = Describe("RoleManagement", func() {
+	var (
+		svc             service.Service
+		gatewayClient   *cs3mocks.GatewayAPIClient
+		gatewaySelector pool.Selectable[gateway.GatewayAPIClient]
+		eventsPublisher mocks.Publisher
+		permSvc         mocks.Permissions
+		cfg             *config.Config
+		rr              *httptest.ResponseRecorder
+		ctx             context.Context
+	)
+
+	BeforeEach(func() {
+		rr = httptest.NewRecorder()
+		ctx = context.Background()
+
+		cfg = defaults.FullDefaultConfig()
+		cfg.Identity.LDAP.CACert = ""
+		cfg.TokenManager.JWTSecret = "loremipsum"
+		cfg.Commons = &shared.Commons{}
+		cfg.GRPCClientTLS = &shared.GRPCClientTLS{}
+
+		pool.RemoveSelector("GatewaySelector" + "eu.opencloud.api.gateway")
+		gatewayClient = &cs3mocks.GatewayAPIClient{}
+		gatewaySelector = pool.GetSelector[gateway.GatewayAPIClient](
+			"GatewaySelector",
+			"eu.opencloud.api.gateway",
+			func(cc grpc.ClientConnInterface) gateway.GatewayAPIClient {
+				return gatewayClient
+			},
+		)
+		eventsPublisher = mocks.Publisher{}
+		permSvc = mocks.Permissions{}
+
+		var err error
+		svc, err = service.NewService(
+			service.Config(cfg),
+			service.WithGatewaySelector(gatewaySelector),
+			service.EventsPublisher(&eventsPublisher),
+			service.PermissionService(&permSvc),
+		)
+		Expect(err).ToNot(HaveOccurred())
+	})
+
+	Describe("GetRoleDefinitions", func() {
+		It("returns all available roles in English when no Accept-Language is set", func() {
+			r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil)
+			r = r.WithContext(ctx)
+			svc.ServeHTTP(rr, r)
+
+			Expect(rr.Code).To(Equal(http.StatusOK))
+
+			var roles []libregraph.UnifiedRoleDefinition
+			Expect(json.Unmarshal(rr.Body.Bytes(), &roles)).To(Succeed())
+			Expect(roles).NotTo(BeEmpty())
+
+			viewer := findRoleByID(roles, unifiedrole.UnifiedRoleViewerID)
+			Expect(viewer).NotTo(BeNil())
+			Expect(viewer.GetDisplayName()).To(Equal("Can view"))
+		})
+
+		It("returns translated roles when Accept-Language is German", func() {
+			r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil)
+			r.Header.Set("Accept-Language", "de")
+			r = r.WithContext(ctx)
+			svc.ServeHTTP(rr, r)
+
+			Expect(rr.Code).To(Equal(http.StatusOK))
+			Expect(rr.Header().Get("Content-Language")).To(Equal("de"))
+
+			var roles []libregraph.UnifiedRoleDefinition
+			Expect(json.Unmarshal(rr.Body.Bytes(), &roles)).To(Succeed())
+
+			viewer := findRoleByID(roles, unifiedrole.UnifiedRoleViewerID)
+			Expect(viewer).NotTo(BeNil())
+			Expect(viewer.GetDisplayName()).To(Equal("Kann anzeigen"))
+			Expect(viewer.GetDescription()).To(Equal("Ansehen und herunterladen."))
+		})
+
+		It("does not mutate the global buildInRoles after a German request", func() {
+			r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil)
+			r.Header.Set("Accept-Language", "de")
+			r = r.WithContext(ctx)
+			svc.ServeHTTP(rr, r)
+			Expect(rr.Code).To(Equal(http.StatusOK))
+
+			// A second request without a locale must still return English
+			rr2 := httptest.NewRecorder()
+			r2 := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions", nil)
+			r2 = r2.WithContext(ctx)
+			svc.ServeHTTP(rr2, r2)
+			Expect(rr2.Code).To(Equal(http.StatusOK))
+
+			var roles []libregraph.UnifiedRoleDefinition
+			Expect(json.Unmarshal(rr2.Body.Bytes(), &roles)).To(Succeed())
+			viewer := findRoleByID(roles, unifiedrole.UnifiedRoleViewerID)
+			Expect(viewer).NotTo(BeNil())
+			Expect(viewer.GetDisplayName()).To(Equal("Can view"))
+		})
+	})
+
+	Describe("GetRoleDefinition", func() {
+		It("returns a single role in English when no Accept-Language is set", func() {
+			r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions/"+unifiedrole.UnifiedRoleViewerID, nil)
+			r = r.WithContext(ctx)
+			svc.ServeHTTP(rr, r)
+
+			Expect(rr.Code).To(Equal(http.StatusOK))
+			var role libregraph.UnifiedRoleDefinition
+			Expect(json.Unmarshal(rr.Body.Bytes(), &role)).To(Succeed())
+			Expect(role.GetDisplayName()).To(Equal("Can view"))
+		})
+
+		It("returns a single role translated when Accept-Language is German", func() {
+			r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions/"+unifiedrole.UnifiedRoleViewerID, nil)
+			r.Header.Set("Accept-Language", "de")
+			r = r.WithContext(ctx)
+			svc.ServeHTTP(rr, r)
+
+			Expect(rr.Code).To(Equal(http.StatusOK))
+			Expect(rr.Header().Get("Content-Language")).To(Equal("de"))
+			var role libregraph.UnifiedRoleDefinition
+			Expect(json.Unmarshal(rr.Body.Bytes(), &role)).To(Succeed())
+			Expect(role.GetDisplayName()).To(Equal("Kann anzeigen"))
+			Expect(role.GetDescription()).To(Equal("Ansehen und herunterladen."))
+		})
+
+		It("returns 404 for an unknown roleID", func() {
+			r := httptest.NewRequest(http.MethodGet, "/graph/v1beta1/roleManagement/permissions/roleDefinitions/unknown-role-id", nil)
+			r = r.WithContext(ctx)
+			svc.ServeHTTP(rr, r)
+
+			Expect(rr.Code).To(Equal(http.StatusNotFound))
+		})
+	})
+})
+
+// findRoleByID returns the first role with the given ID from the slice, or nil.
+func findRoleByID(roles []libregraph.UnifiedRoleDefinition, id string) *libregraph.UnifiedRoleDefinition {
+	for i := range roles {
+		if roles[i].GetId() == id {
+			return &roles[i]
+		}
+	}
+	return nil
+}
--- a/services/graph/pkg/unifiedrole/roles.go
+++ b/services/graph/pkg/unifiedrole/roles.go
@@ -6,11 +6,11 @@ import (
 	"strings"

 	libregraph "github.com/opencloud-eu/libre-graph-api-go"
+	"github.com/opencloud-eu/reva/v2/pkg/conversions"
 	"google.golang.org/protobuf/proto"

-	"github.com/opencloud-eu/reva/v2/pkg/conversions"
-
 	"github.com/opencloud-eu/opencloud/pkg/l10n"
+	graphl10n "github.com/opencloud-eu/opencloud/services/graph/pkg/l10n"
 )

 const (
@@ -546,6 +546,46 @@ func weightRoles(roleSet []*libregraph.UnifiedRoleDefinition, constraints string
 	return roleSet
 }

+// cloneRole returns a shallow struct copy of r with independent allocations for
+// the Description and DisplayName pointer fields — the only fields mutated by
+// TranslateEntity. All other fields (Id, LibreGraphWeight, RolePermissions) are
+// either read-only or stripped before rendering, so sharing their values is safe.
+func cloneRole(r *libregraph.UnifiedRoleDefinition) libregraph.UnifiedRoleDefinition {
+	c := *r
+	if r.Description != nil {
+		s := *r.Description
+		c.Description = &s
+	}
+	if r.DisplayName != nil {
+		s := *r.DisplayName
+		c.DisplayName = &s
+	}
+	return c
+}
+
+// LocalizeRole returns a translated, independent copy of a single role definition.
+// The global buildInRoles singleton is never modified.
+func LocalizeRole(r *libregraph.UnifiedRoleDefinition, locale string) libregraph.UnifiedRoleDefinition {
+	c := cloneRole(r)
+	if locale != "" && locale != "en" {
+		_ = graphl10n.TranslateEntity(locale, "en", &c,
+			l10n.TranslateField("Description"),
+			l10n.TranslateField("DisplayName"),
+		)
+	}
+	return c
+}
+
+// LocalizeRoles returns a translated, independent copy of each role definition.
+// The global buildInRoles singleton is never modified.
+func LocalizeRoles(roles []*libregraph.UnifiedRoleDefinition, locale string) []libregraph.UnifiedRoleDefinition {
+	out := make([]libregraph.UnifiedRoleDefinition, len(roles))
+	for i, r := range roles {
+		out[i] = LocalizeRole(r, locale)
+	}
+	return out
+}
+
 // GetAllowedResourceActions returns the allowed resource actions for the provided role by condition
 func GetAllowedResourceActions(role *libregraph.UnifiedRoleDefinition, condition string) []string {
 	if role == nil {
--- a/services/graph/pkg/unifiedrole/roles_test.go
+++ b/services/graph/pkg/unifiedrole/roles_test.go
@@ -2,6 +2,7 @@ package unifiedrole_test

 import (
 	"slices"
+	"sync"
 	"testing"

 	. "github.com/onsi/gomega"
@@ -267,3 +268,84 @@ func TestGetAllowedResourceActions(t *testing.T) {
 		})
 	}
 }
+
+func TestLocalizeRole_English(t *testing.T) {
+	g := NewWithT(t)
+	original := unifiedrole.RoleViewer
+
+	result := unifiedrole.LocalizeRole(original, "en")
+
+	// Strings are unchanged for English
+	g.Expect(result.GetDisplayName()).To(Equal(original.GetDisplayName()))
+	g.Expect(result.GetDescription()).To(Equal(original.GetDescription()))
+
+	// Result is an independent copy — mutating it must not touch the global
+	translated := "mutated"
+	result.DisplayName = &translated
+	g.Expect(original.GetDisplayName()).NotTo(Equal("mutated"))
+}
+
+func TestLocalizeRole_German(t *testing.T) {
+	g := NewWithT(t)
+	original := unifiedrole.RoleViewer
+
+	result := unifiedrole.LocalizeRole(original, "de")
+
+	g.Expect(result.GetDisplayName()).To(Equal("Kann anzeigen"))
+	g.Expect(result.GetDescription()).To(Equal("Ansehen und herunterladen."))
+
+	// Global singleton must be untouched
+	g.Expect(original.GetDisplayName()).NotTo(Equal("Kann anzeigen"))
+	g.Expect(original.GetDescription()).NotTo(Equal("Ansehen und herunterladen."))
+}
+
+func TestLocalizeRole_EmptyLocale(t *testing.T) {
+	g := NewWithT(t)
+	original := unifiedrole.RoleViewer
+
+	result := unifiedrole.LocalizeRole(original, "")
+
+	// Empty locale falls back to source strings
+	g.Expect(result.GetDisplayName()).To(Equal(original.GetDisplayName()))
+	g.Expect(result.GetDescription()).To(Equal(original.GetDescription()))
+}
+
+func TestLocalizeRoles_German(t *testing.T) {
+	g := NewWithT(t)
+	roles := unifiedrole.BuildInRoles
+
+	results := unifiedrole.LocalizeRoles(roles, "de")
+
+	g.Expect(results).To(HaveLen(len(roles)))
+
+	// Every result is a value (not a pointer)
+	for i, r := range results {
+		// Id is preserved
+		g.Expect(r.GetId()).To(Equal(roles[i].GetId()))
+		// Global singleton is not mutated
+		g.Expect(roles[i].GetDisplayName()).NotTo(Equal(r.GetDisplayName()),
+			"global displayName for role %s was mutated", r.GetId())
+	}
+}
+
+func TestLocalizeRole_ConcurrentCallsDoNotRace(t *testing.T) {
+	// Run with -race to detect data races on the global buildInRoles strings.
+	const goroutines = 20
+	var wg sync.WaitGroup
+	wg.Add(goroutines)
+	for i := 0; i < goroutines; i++ {
+		locale := "de"
+		if i%2 == 0 {
+			locale = "fr"
+		}
+		go func(loc string) {
+			defer wg.Done()
+			_ = unifiedrole.LocalizeRoles(unifiedrole.BuildInRoles, loc)
+		}(locale)
+	}
+	wg.Wait()
+
+	// After all concurrent translations the globals must still hold English strings
+	g := NewWithT(t)
+	g.Expect(unifiedrole.RoleViewer.GetDisplayName()).To(Equal("Can view"))
+}
--- a/services/nats/pkg/server/debug/server.go
+++ b/services/nats/pkg/server/debug/server.go
@@ -6,6 +6,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -14,12 +15,17 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Nats.EnableTLS,
+		options.Config.Nats.TLSSkipVerifyClientCert,
+		options.Config.Nats.TLSCert,
+	)
 	// For nats readiness and liveness checks are identical
 	// the nats server will neither be healthy nor ready when it can not reach the nats server/cluster
 	checkHandler := handlers.NewCheckHandler(
 		handlers.NewCheckHandlerConfiguration().
 			WithLogger(options.Logger).
-			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port))),
+			WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Nats.Host+":"+strconv.Itoa(options.Config.Nats.Port), secureOption)),
 	)

 	return debug.NewService(
--- a/services/notifications/pkg/command/server.go
+++ b/services/notifications/pkg/command/server.go
@@ -130,6 +130,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Store.Database),
 				microstore.Table(cfg.Store.Table),
 				store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+				store.TLSEnabled(cfg.Store.EnableTLS),
+				store.TLSInsecure(cfg.Store.TLSInsecure),
+				store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 			)

 			svc := service.NewEventsNotifier(evts, channel, logger, gatewaySelector, valueService,
--- a/services/notifications/pkg/config/config.go
+++ b/services/notifications/pkg/config/config.go
@@ -70,11 +70,14 @@ type ServiceAccount struct {

 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;NOTIFICATIONS_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"NOTIFICATIONS_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"NOTIFICATIONS_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL" desc:"Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;NOTIFICATIONS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;NOTIFICATIONS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/notifications/pkg/server/debug/server.go
+++ b/services/notifications/pkg/server/debug/server.go
@@ -6,6 +6,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -14,9 +15,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Notifications.Events.EnableTLS,
+		options.Config.Notifications.Events.TLSInsecure,
+		options.Config.Notifications.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Notifications.Events.Endpoint, secureOption)).
 		WithCheck("smtp-check", checks.NewTCPCheck(options.Config.Notifications.SMTP.Host+":"+strconv.Itoa(options.Config.Notifications.SMTP.Port)))

 	return debug.NewService(
--- a/services/ocm/pkg/revaconfig/config.go
+++ b/services/ocm/pkg/revaconfig/config.go
@@ -81,6 +81,7 @@ func OCMConfigFromStruct(cfg *config.Config, logger log.Logger) map[string]any {
 					"events": map[string]any{
 						"natsaddress":          cfg.Events.Endpoint,
 						"natsclusterid":        cfg.Events.Cluster,
+						"enabletls":            cfg.Events.EnableTLS,
 						"tlsinsecure":          cfg.Events.TLSInsecure,
 						"tlsrootcacertificate": cfg.Events.TLSRootCACertificate,
 						"authusername":         cfg.Events.AuthUsername,
--- a/services/ocm/pkg/server/debug/server.go
+++ b/services/ocm/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr))

 	return debug.NewService(
--- a/services/ocs/pkg/config/config.go
+++ b/services/ocs/pkg/config/config.go
@@ -31,9 +31,12 @@ type Config struct {

 // SigningKeys is a store configuration.
 type SigningKeys struct {
-	Store        string        `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/ocs/pkg/server/debug/server.go
+++ b/services/ocs/pkg/server/debug/server.go
@@ -21,6 +21,7 @@ func Server(opts ...Option) (*http.Server, error) {
 	readyHandlerConfiguration := healthHandlerConfiguration.
 		WithCheck("nats reachability", func(ctx context.Context) error {
 			if len(options.Config.SigningKeys.Nodes) > 0 {
+				// no secureOption because we cannot configure it
 				return checks.NewNatsCheck(options.Config.SigningKeys.Nodes[0])(ctx)
 			}
 			return nil
--- a/services/ocs/pkg/server/http/server.go
+++ b/services/ocs/pkg/server/http/server.go
@@ -44,6 +44,9 @@ func Server(opts ...Option) (http.Service, error) {
 		microstore.Database("proxy"),
 		microstore.Table("signing-keys"),
 		store.Authentication(options.Config.SigningKeys.AuthUsername, options.Config.SigningKeys.AuthPassword),
+		store.TLSEnabled(options.Config.SigningKeys.EnableTLS),
+		store.TLSInsecure(options.Config.SigningKeys.TLSInsecure),
+		store.TLSRootCA(options.Config.SigningKeys.TLSRootCACertificate),
 	)

 	handle := svc.NewService(
--- a/services/policies/pkg/server/debug/server.go
+++ b/services/policies/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/postprocessing/pkg/command/server.go
+++ b/services/postprocessing/pkg/command/server.go
@@ -56,6 +56,9 @@ func Server(cfg *config.Config) *cobra.Command {
 					microstore.Database(cfg.Store.Database),
 					microstore.Table(cfg.Store.Table),
 					store.Authentication(cfg.Store.AuthUsername, cfg.Store.AuthPassword),
+					store.TLSEnabled(cfg.Store.EnableTLS),
+					store.TLSInsecure(cfg.Store.TLSInsecure),
+					store.TLSRootCA(cfg.Store.TLSRootCACertificate),
 				)

 				svc, err := service.NewPostprocessingService(ctx, logger, st, traceProvider, cfg)
--- a/services/postprocessing/pkg/config/config.go
+++ b/services/postprocessing/pkg/config/config.go
@@ -59,11 +59,14 @@ type Debug struct {

 // Store configures the store to use
 type Store struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;POSTPROCESSING_STORE" desc:"The type of the store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"POSTPROCESSING_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"POSTPROCESSING_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL" desc:"Time to live for events in the store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;POSTPROCESSING_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;POSTPROCESSING_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/postprocessing/pkg/server/debug/server.go
+++ b/services/postprocessing/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Postprocessing.Events.EnableTLS,
+		options.Config.Postprocessing.Events.TLSInsecure,
+		options.Config.Postprocessing.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Postprocessing.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/proxy/pkg/command/server.go
+++ b/services/proxy/pkg/command/server.go
@@ -66,6 +66,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Table(cfg.OIDC.UserinfoCache.Table),
 				store.DisablePersistence(cfg.OIDC.UserinfoCache.DisablePersistence),
 				store.Authentication(cfg.OIDC.UserinfoCache.AuthUsername, cfg.OIDC.UserinfoCache.AuthPassword),
+				store.TLSEnabled(cfg.OIDC.UserinfoCache.EnableTLS),
+				store.TLSInsecure(cfg.OIDC.UserinfoCache.TLSInsecure),
+				store.TLSRootCA(cfg.OIDC.UserinfoCache.TLSRootCACertificate),
 			)

 			signingKeyStore := store.Create(
@@ -76,6 +79,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Table("signing-keys"),
 				store.DisablePersistence(cfg.PreSignedURL.SigningKeys.DisablePersistence),
 				store.Authentication(cfg.PreSignedURL.SigningKeys.AuthUsername, cfg.PreSignedURL.SigningKeys.AuthPassword),
+				store.TLSEnabled(cfg.PreSignedURL.SigningKeys.EnableTLS),
+				store.TLSInsecure(cfg.PreSignedURL.SigningKeys.TLSInsecure),
+				store.TLSRootCA(cfg.PreSignedURL.SigningKeys.TLSRootCACertificate),
 			)

 			logger := log.Configure(cfg.Service.Name, cfg.Commons, cfg.LogLevel)
--- a/services/proxy/pkg/config/config.go
+++ b/services/proxy/pkg/config/config.go
@@ -132,14 +132,17 @@ type JWKS struct {

 // Cache is a TTL cache configuration.
 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table              string        `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. This value is only applied when the token expiration cannot be extracted from the access tokens (e.g. when non-JWT access tokes are used). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"PROXY_OIDC_USERINFO_CACHE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_OIDC_USERINFO_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_OIDC_USERINFO_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_OIDC_USERINFO_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // RoleAssignment contains the configuration for how to assign roles to users during login
@@ -189,12 +192,15 @@ type PreSignedURL struct {

 // SigningKeys is a store configuration.
 type SigningKeys struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE" desc:"The type of the signing key store. Supported values are: 'redis-sentinel', 'nats-js-kv' and 'opencloudstoreservice' (deprecated). See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES" desc:"A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL" desc:"Default time to live for signing keys. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE" desc:"Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // ClaimsSelectorConf is the config for the claims-selector
--- a/services/proxy/pkg/middleware/create_home.go
+++ b/services/proxy/pkg/middleware/create_home.go
@@ -11,6 +11,7 @@ import (
 	provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1"
 	"github.com/opencloud-eu/opencloud/pkg/log"
 	"github.com/opencloud-eu/opencloud/services/graph/pkg/errorcode"
+	"github.com/opencloud-eu/opencloud/services/proxy/pkg/router"
 	revactx "github.com/opencloud-eu/reva/v2/pkg/ctx"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/status"
 	"github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool"
@@ -48,9 +49,13 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	ctx, span := m.tracer.Start(req.Context(), fmt.Sprintf("%s %s", req.Method, req.URL.Path), trace.WithSpanKind(trace.SpanKindServer))
 	req = req.WithContext(ctx)
 	defer span.End()
-	if !m.shouldServe(req) {
+	next := func() {
 		span.End()
 		m.next.ServeHTTP(w, req)
+	}
+
+	if !m.shouldServe(req) {
+		next()
 		return
 	}

@@ -63,6 +68,10 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 	createHomeReq := &provider.CreateHomeRequest{}
 	u, ok := revactx.ContextGetUser(ctx)
 	if ok {
+		if u.GetId().GetType() == userv1beta1.UserType_USER_TYPE_LIGHTWEIGHT || u.GetId().GetType() == userv1beta1.UserType_USER_TYPE_SERVICE {
+			next()
+			return
+		}
 		roleIDs, err := m.getUserRoles(u)
 		if err != nil {
 			m.logger.Error().Err(err).Str("userid", u.Id.OpaqueId).Msg("failed to get roles for user")
@@ -88,12 +97,12 @@ func (m createHome) ServeHTTP(w http.ResponseWriter, req *http.Request) {
 			}
 		}
 	}
-	span.End()
-	m.next.ServeHTTP(w, req)
+	next()
 }

 func (m createHome) shouldServe(req *http.Request) bool {
-	return req.Header.Get(revactx.TokenHeader) != ""
+	ri := router.ContextRoutingInfo(req.Context())
+	return req.Header.Get(revactx.TokenHeader) != "" && !ri.IsRouteUnprotected()
 }

 func (m createHome) getUserRoles(user *userv1beta1.User) ([]string, error) {
--- a/services/proxy/pkg/server/debug/server.go
+++ b/services/proxy/pkg/server/debug/server.go
@@ -8,6 +8,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 	"github.com/opencloud-eu/opencloud/services/proxy/pkg/config"
@@ -21,8 +22,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	var configDumpFunc http.HandlerFunc = configDump(options.Config)
 	return debug.NewService(
--- a/services/search/pkg/search/service.go
+++ b/services/search/pkg/search/service.go
@@ -535,7 +535,7 @@ func (s *Service) IndexSpace(spaceID *provider.StorageSpaceId, forceRescan bool)
 // TrashItem marks the item as deleted.
 func (s *Service) TrashItem(rID *provider.ResourceId) {
 	if err := s.engine.Delete(storagespace.FormatResourceID(rID)); err != nil {
-		s.logger.Error().Err(err).Interface("Id", rID).Msg("failed to remove item from index")
+		s.logger.Info().Err(err).Interface("Id", rID).Msg("failed to remove item from index")
 	}
 }

--- a/services/search/pkg/server/debug/server.go
+++ b/services/search/pkg/server/debug/server.go
@@ -7,6 +7,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -19,8 +20,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption)).
 		WithCheck("tika-check", func(ctx context.Context) error {
 			if options.Config.Extractor.Type == "tika" {
 				u, err := url.Parse(options.Config.Extractor.Tika.TikaURL)
--- a/services/settings/pkg/config/config.go
+++ b/services/settings/pkg/config/config.go
@@ -55,13 +55,16 @@ type Metadata struct {

 // Cache configures the cache of the Metadata store
 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	FileTable          string        `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"`
-	DirectoryTable     string        `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;SETTINGS_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"addresses" env:"OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	FileTable            string        `yaml:"files_table" env:"SETTINGS_FILE_CACHE_TABLE" desc:"The database table the store should use for the file cache." introductionVersion:"1.0.0"`
+	DirectoryTable       string        `yaml:"directories_table" env:"SETTINGS_DIRECTORY_CACHE_TABLE" desc:"The database table the store should use for the directory cache." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;SETTINGS_CACHE_TTL" desc:"Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;SETTINGS_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;SETTINGS_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;SETTINGS_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SETTINGS_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/settings/pkg/store/metadata/cache.go
+++ b/services/settings/pkg/store/metadata/cache.go
@@ -140,6 +140,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error {
 		microstore.Table(c.cfg.Metadata.Cache.DirectoryTable),
 		store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence),
 		store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword),
+		store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS),
+		store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure),
+		store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate),
 	)
 	c.filesCache = store.Create(
 		store.Store(c.cfg.Metadata.Cache.Store),
@@ -149,6 +152,9 @@ func (c *CachedMDC) Init(ctx context.Context, id string) error {
 		microstore.Table(c.cfg.Metadata.Cache.FileTable),
 		store.DisablePersistence(c.cfg.Metadata.Cache.DisablePersistence),
 		store.Authentication(c.cfg.Metadata.Cache.AuthUsername, c.cfg.Metadata.Cache.AuthPassword),
+		store.TLSEnabled(c.cfg.Metadata.Cache.EnableTLS),
+		store.TLSInsecure(c.cfg.Metadata.Cache.TLSInsecure),
+		store.TLSRootCA(c.cfg.Metadata.Cache.TLSRootCACertificate),
 	)
 	return c.next.Init(ctx, id)
 }
--- a/services/sharing/pkg/config/config.go
+++ b/services/sharing/pkg/config/config.go
@@ -155,6 +155,7 @@ type Events struct {
 	EnableTLS         bool   `yaml:"enable_tls" env:"OC_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS" desc:"Enable TLS for the connection to the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
 	AuthUsername      string `yaml:"auth_username" env:"OC_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME" desc:"Username for the events broker." introductionVersion:"1.0.0"`
 	AuthPassword      string `yaml:"auth_password" env:"OC_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD" desc:"Password for the events broker." introductionVersion:"1.0.0"`
+	// TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"`
 }

 // PasswordPolicy configures reva password policy
--- a/services/sharing/pkg/revaconfig/config.go
+++ b/services/sharing/pkg/revaconfig/config.go
@@ -83,6 +83,7 @@ func SharingConfigFromStruct(cfg *config.Config, logger log.Logger) (map[string]
 							"events": map[string]any{
 								"natsaddress":          cfg.Events.Addr,
 								"natsclusterid":        cfg.Events.ClusterID,
+								"enabletls":            cfg.Events.EnableTLS,
 								"tlsinsecure":          cfg.Events.TLSInsecure,
 								"tlsrootcacertificate": cfg.Events.TLSRootCaCertPath,
 								"authusername":         cfg.Events.AuthUsername,
--- a/services/sharing/pkg/server/debug/server.go
+++ b/services/sharing/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCaCertPath,
+	)
 	readyHandlerConfiguration := handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr))

 	return debug.NewService(
--- a/services/sse/pkg/server/debug/server.go
+++ b/services/sse/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/sse/pkg/service/service.go
+++ b/services/sse/pkg/service/service.go
@@ -49,17 +49,19 @@ func (s SSE) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 // ListenForEvents listens for events
 func (s SSE) ListenForEvents() {
 	for e := range s.evChannel {
-		switch ev := e.Event.(type) {
-		default:
-			s.l.Error().Interface("event", ev).Msg("unhandled event")
-		case events.SendSSE:
-			for _, uid := range ev.UserIDs {
-				s.sse.Publish(uid, &sse.Event{
-					Event: []byte(ev.Type),
-					Data:  ev.Message,
-				})
+		go func() {
+			switch ev := e.Event.(type) {
+			default:
+				s.l.Error().Interface("event", ev).Msg("unhandled event")
+			case events.SendSSE:
+				for _, uid := range ev.UserIDs {
+					s.sse.Publish(uid, &sse.Event{
+						Event: []byte(ev.Type),
+						Data:  ev.Message,
+					})
+				}
 			}
-		}
+		}()
 	}
 }

--- a/services/storage-system/pkg/config/config.go
+++ b/services/storage-system/pkg/config/config.go
@@ -77,11 +77,14 @@ type DecomposedDriver struct {

 // Cache holds cache config
 type Cache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"auth_username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME" desc:"Username for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"auth_password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD" desc:"Password for the configured store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_SYSTEM_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_SYSTEM_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_SYSTEM_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_SYSTEM_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }
--- a/services/storage-system/pkg/revaconfig/config.go
+++ b/services/storage-system/pkg/revaconfig/config.go
@@ -165,13 +165,16 @@ func metadataDrivers(localEndpoint string, cfg *config.Config) map[string]any {
 			"cache_database": "system",
 		},
 		"filemetadatacache": map[string]any{
-			"cache_store":               cfg.FileMetadataCache.Store,
-			"cache_nodes":               cfg.FileMetadataCache.Nodes,
-			"cache_database":            cfg.FileMetadataCache.Database,
-			"cache_ttl":                 cfg.FileMetadataCache.TTL,
-			"cache_disable_persistence": cfg.FileMetadataCache.DisablePersistence,
-			"cache_auth_username":       cfg.FileMetadataCache.AuthUsername,
-			"cache_auth_password":       cfg.FileMetadataCache.AuthPassword,
+			"cache_store":                   cfg.FileMetadataCache.Store,
+			"cache_nodes":                   cfg.FileMetadataCache.Nodes,
+			"cache_database":                cfg.FileMetadataCache.Database,
+			"cache_ttl":                     cfg.FileMetadataCache.TTL,
+			"cache_disable_persistence":     cfg.FileMetadataCache.DisablePersistence,
+			"cache_auth_username":           cfg.FileMetadataCache.AuthUsername,
+			"cache_auth_password":           cfg.FileMetadataCache.AuthPassword,
+			"cache_tls_enabled":             cfg.FileMetadataCache.EnableTLS,
+			"cache_tls_insecure":            cfg.FileMetadataCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.FileMetadataCache.TLSRootCACertificate,
 		},
 	}

--- a/services/storage-users/pkg/config/config.go
+++ b/services/storage-users/pkg/config/config.go
@@ -223,27 +223,35 @@ type Events struct {
 	NumConsumers      int    `yaml:"num_consumers" env:"STORAGE_USERS_EVENTS_NUM_CONSUMERS" desc:"The amount of concurrent event consumers to start. Event consumers are used for post-processing files. Multiple consumers increase parallelisation, but will also increase CPU and memory demands. The setting has no effect when the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1." introductionVersion:"1.0.0"`
 	AuthUsername      string `yaml:"username" env:"OC_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME" desc:"The username to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
 	AuthPassword      string `yaml:"password" env:"OC_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD" desc:"The password to authenticate with the events broker. The events broker is the OpenCloud service which receives and delivers events between the services." introductionVersion:"1.0.0"`
+	// TODO use TLSRootCACertificate string `yaml:"tls_root_ca_certificate" env:"OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false." introductionVersion:"1.0.0"`
 }

 // FilemetadataCache holds cache config
 type FilemetadataCache struct {
-	Store              string        `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	TTL                time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	DisablePersistence bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_DATABASE;STORAGE_USERS_FILEMETADATA_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_FILEMETADATA_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_FILEMETADATA_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_FILEMETADATA_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // IDCache holds cache config
 type IDCache struct {
-	Store              string   `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes              []string `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database           string   `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	DisablePersistence bool     `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
-	AuthUsername       string   `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword       string   `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE" desc:"The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"OC_CACHE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL" desc:"Default time to live for user info in the user info cache. Only applied when access tokens have no expiration. Defaults to 300s which is derived from the underlaying package though not explicitly set as default. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	DisablePersistence   bool          `yaml:"disable_persistence" env:"OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE" desc:"Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME" desc:"The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD" desc:"The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_CACHE_ENABLE_TLS;STORAGE_USERS_ID_CACHE_ENABLE_TLS" desc:"Enable TLS for the connection to file metadata cache." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_CACHE_TLS_INSECURE;STORAGE_USERS_ID_CACHE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_CACHE_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_ID_CACHE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided STORAGE_USERS_ID_CACHE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // EOSDriver is the storage driver configuration when using 'eos' storage driver
--- a/services/storage-users/pkg/revaconfig/drivers.go
+++ b/services/storage-users/pkg/revaconfig/drivers.go
@@ -109,21 +109,28 @@ func Posix(cfg *config.Config, enableFSScan, enableFSWatch bool) map[string]any
 		"lock_cycle_duration_factor": cfg.Drivers.Posix.LockCycleDurationFactor,
 		"max_concurrency":            cfg.Drivers.Posix.MaxConcurrency,
 		"idcache": map[string]any{
-			"cache_store":               cfg.IDCache.Store,
-			"cache_nodes":               cfg.IDCache.Nodes,
-			"cache_database":            cfg.IDCache.Database,
-			"cache_disable_persistence": cfg.IDCache.DisablePersistence,
-			"cache_auth_username":       cfg.IDCache.AuthUsername,
-			"cache_auth_password":       cfg.IDCache.AuthPassword,
+			"cache_store":                   cfg.IDCache.Store,
+			"cache_nodes":                   cfg.IDCache.Nodes,
+			"cache_database":                cfg.IDCache.Database,
+			"cache_ttl":                     cfg.IDCache.TTL,
+			"cache_disable_persistence":     cfg.IDCache.DisablePersistence,
+			"cache_auth_username":           cfg.IDCache.AuthUsername,
+			"cache_auth_password":           cfg.IDCache.AuthPassword,
+			"cache_tls_enabled":             cfg.IDCache.EnableTLS,
+			"cache_tls_insecure":            cfg.IDCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate,
 		},
 		"filemetadatacache": map[string]any{
-			"cache_store":               cfg.FilemetadataCache.Store,
-			"cache_nodes":               cfg.FilemetadataCache.Nodes,
-			"cache_database":            cfg.FilemetadataCache.Database,
-			"cache_ttl":                 cfg.FilemetadataCache.TTL,
-			"cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence,
-			"cache_auth_username":       cfg.FilemetadataCache.AuthUsername,
-			"cache_auth_password":       cfg.FilemetadataCache.AuthPassword,
+			"cache_store":                   cfg.FilemetadataCache.Store,
+			"cache_nodes":                   cfg.FilemetadataCache.Nodes,
+			"cache_database":                cfg.FilemetadataCache.Database,
+			"cache_ttl":                     cfg.FilemetadataCache.TTL,
+			"cache_disable_persistence":     cfg.FilemetadataCache.DisablePersistence,
+			"cache_auth_username":           cfg.FilemetadataCache.AuthUsername,
+			"cache_auth_password":           cfg.FilemetadataCache.AuthPassword,
+			"cache_tls_enabled":             cfg.FilemetadataCache.EnableTLS,
+			"cache_tls_insecure":            cfg.FilemetadataCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate,
 		},
 		"events": map[string]any{
 			"numconsumers": cfg.Events.NumConsumers,
@@ -205,21 +212,28 @@ func Decomposed(cfg *config.Config) map[string]any {
 		"disable_versioning":          cfg.Drivers.Decomposed.DisableVersioning,
 		"multi_tenant_enabled":        cfg.Commons.MultiTenantEnabled,
 		"filemetadatacache": map[string]any{
-			"cache_store":               cfg.FilemetadataCache.Store,
-			"cache_nodes":               cfg.FilemetadataCache.Nodes,
-			"cache_database":            cfg.FilemetadataCache.Database,
-			"cache_ttl":                 cfg.FilemetadataCache.TTL,
-			"cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence,
-			"cache_auth_username":       cfg.FilemetadataCache.AuthUsername,
-			"cache_auth_password":       cfg.FilemetadataCache.AuthPassword,
+			"cache_store":                   cfg.FilemetadataCache.Store,
+			"cache_nodes":                   cfg.FilemetadataCache.Nodes,
+			"cache_database":                cfg.FilemetadataCache.Database,
+			"cache_ttl":                     cfg.FilemetadataCache.TTL,
+			"cache_disable_persistence":     cfg.FilemetadataCache.DisablePersistence,
+			"cache_auth_username":           cfg.FilemetadataCache.AuthUsername,
+			"cache_auth_password":           cfg.FilemetadataCache.AuthPassword,
+			"cache_tls_enabled":             cfg.FilemetadataCache.EnableTLS,
+			"cache_tls_insecure":            cfg.FilemetadataCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate,
 		},
 		"idcache": map[string]any{
-			"cache_store":               cfg.IDCache.Store,
-			"cache_nodes":               cfg.IDCache.Nodes,
-			"cache_database":            cfg.IDCache.Database,
-			"cache_disable_persistence": cfg.IDCache.DisablePersistence,
-			"cache_auth_username":       cfg.IDCache.AuthUsername,
-			"cache_auth_password":       cfg.IDCache.AuthPassword,
+			"cache_store":                   cfg.IDCache.Store,
+			"cache_nodes":                   cfg.IDCache.Nodes,
+			"cache_database":                cfg.IDCache.Database,
+			"cache_ttl":                     cfg.IDCache.TTL,
+			"cache_disable_persistence":     cfg.IDCache.DisablePersistence,
+			"cache_auth_username":           cfg.IDCache.AuthUsername,
+			"cache_auth_password":           cfg.IDCache.AuthPassword,
+			"cache_tls_enabled":             cfg.IDCache.EnableTLS,
+			"cache_tls_insecure":            cfg.IDCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate,
 		},
 		"events": map[string]any{
 			"numconsumers": cfg.Events.NumConsumers,
@@ -259,21 +273,28 @@ func DecomposedNoEvents(cfg *config.Config) map[string]any {
 		"disable_versioning":          cfg.Drivers.Decomposed.DisableVersioning,
 		"multi_tenant_enabled":        cfg.Commons.MultiTenantEnabled,
 		"filemetadatacache": map[string]any{
-			"cache_store":               cfg.FilemetadataCache.Store,
-			"cache_nodes":               cfg.FilemetadataCache.Nodes,
-			"cache_database":            cfg.FilemetadataCache.Database,
-			"cache_ttl":                 cfg.FilemetadataCache.TTL,
-			"cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence,
-			"cache_auth_username":       cfg.FilemetadataCache.AuthUsername,
-			"cache_auth_password":       cfg.FilemetadataCache.AuthPassword,
+			"cache_store":                   cfg.FilemetadataCache.Store,
+			"cache_nodes":                   cfg.FilemetadataCache.Nodes,
+			"cache_database":                cfg.FilemetadataCache.Database,
+			"cache_ttl":                     cfg.FilemetadataCache.TTL,
+			"cache_disable_persistence":     cfg.FilemetadataCache.DisablePersistence,
+			"cache_auth_username":           cfg.FilemetadataCache.AuthUsername,
+			"cache_auth_password":           cfg.FilemetadataCache.AuthPassword,
+			"cache_tls_enabled":             cfg.FilemetadataCache.EnableTLS,
+			"cache_tls_insecure":            cfg.FilemetadataCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate,
 		},
 		"idcache": map[string]any{
-			"cache_store":               cfg.IDCache.Store,
-			"cache_nodes":               cfg.IDCache.Nodes,
-			"cache_database":            cfg.IDCache.Database,
-			"cache_disable_persistence": cfg.IDCache.DisablePersistence,
-			"cache_auth_username":       cfg.IDCache.AuthUsername,
-			"cache_auth_password":       cfg.IDCache.AuthPassword,
+			"cache_store":                   cfg.IDCache.Store,
+			"cache_nodes":                   cfg.IDCache.Nodes,
+			"cache_database":                cfg.IDCache.Database,
+			"cache_ttl":                     cfg.IDCache.TTL,
+			"cache_disable_persistence":     cfg.IDCache.DisablePersistence,
+			"cache_auth_username":           cfg.IDCache.AuthUsername,
+			"cache_auth_password":           cfg.IDCache.AuthPassword,
+			"cache_tls_enabled":             cfg.IDCache.EnableTLS,
+			"cache_tls_insecure":            cfg.IDCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate,
 		},
 	}
 }
@@ -315,21 +336,28 @@ func DecomposedS3(cfg *config.Config) map[string]any {
 		"multi_tenant_enabled":        cfg.Commons.MultiTenantEnabled,
 		"asyncfileuploads":            cfg.Drivers.DecomposedS3.AsyncUploads,
 		"filemetadatacache": map[string]any{
-			"cache_store":               cfg.FilemetadataCache.Store,
-			"cache_nodes":               cfg.FilemetadataCache.Nodes,
-			"cache_database":            cfg.FilemetadataCache.Database,
-			"cache_ttl":                 cfg.FilemetadataCache.TTL,
-			"cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence,
-			"cache_auth_username":       cfg.FilemetadataCache.AuthUsername,
-			"cache_auth_password":       cfg.FilemetadataCache.AuthPassword,
+			"cache_store":                   cfg.FilemetadataCache.Store,
+			"cache_nodes":                   cfg.FilemetadataCache.Nodes,
+			"cache_database":                cfg.FilemetadataCache.Database,
+			"cache_ttl":                     cfg.FilemetadataCache.TTL,
+			"cache_disable_persistence":     cfg.FilemetadataCache.DisablePersistence,
+			"cache_auth_username":           cfg.FilemetadataCache.AuthUsername,
+			"cache_auth_password":           cfg.FilemetadataCache.AuthPassword,
+			"cache_tls_enabled":             cfg.FilemetadataCache.EnableTLS,
+			"cache_tls_insecure":            cfg.FilemetadataCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate,
 		},
 		"idcache": map[string]any{
-			"cache_store":               cfg.IDCache.Store,
-			"cache_nodes":               cfg.IDCache.Nodes,
-			"cache_database":            cfg.IDCache.Database,
-			"cache_disable_persistence": cfg.IDCache.DisablePersistence,
-			"cache_auth_username":       cfg.IDCache.AuthUsername,
-			"cache_auth_password":       cfg.IDCache.AuthPassword,
+			"cache_store":                   cfg.IDCache.Store,
+			"cache_nodes":                   cfg.IDCache.Nodes,
+			"cache_database":                cfg.IDCache.Database,
+			"cache_ttl":                     cfg.IDCache.TTL,
+			"cache_disable_persistence":     cfg.IDCache.DisablePersistence,
+			"cache_auth_username":           cfg.IDCache.AuthUsername,
+			"cache_auth_password":           cfg.IDCache.AuthPassword,
+			"cache_tls_enabled":             cfg.IDCache.EnableTLS,
+			"cache_tls_insecure":            cfg.IDCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate,
 		},
 		"events": map[string]any{
 			"numconsumers": cfg.Events.NumConsumers,
@@ -373,21 +401,28 @@ func DecomposedS3NoEvents(cfg *config.Config) map[string]any {
 		"multi_tenant_enabled":        cfg.Commons.MultiTenantEnabled,
 		"lock_cycle_duration_factor":  cfg.Drivers.DecomposedS3.LockCycleDurationFactor,
 		"filemetadatacache": map[string]any{
-			"cache_store":               cfg.FilemetadataCache.Store,
-			"cache_nodes":               cfg.FilemetadataCache.Nodes,
-			"cache_database":            cfg.FilemetadataCache.Database,
-			"cache_ttl":                 cfg.FilemetadataCache.TTL,
-			"cache_disable_persistence": cfg.FilemetadataCache.DisablePersistence,
-			"cache_auth_username":       cfg.FilemetadataCache.AuthUsername,
-			"cache_auth_password":       cfg.FilemetadataCache.AuthPassword,
+			"cache_store":                   cfg.FilemetadataCache.Store,
+			"cache_nodes":                   cfg.FilemetadataCache.Nodes,
+			"cache_database":                cfg.FilemetadataCache.Database,
+			"cache_ttl":                     cfg.FilemetadataCache.TTL,
+			"cache_disable_persistence":     cfg.FilemetadataCache.DisablePersistence,
+			"cache_auth_username":           cfg.FilemetadataCache.AuthUsername,
+			"cache_auth_password":           cfg.FilemetadataCache.AuthPassword,
+			"cache_tls_enabled":             cfg.FilemetadataCache.EnableTLS,
+			"cache_tls_insecure":            cfg.FilemetadataCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.FilemetadataCache.TLSRootCACertificate,
 		},
 		"idcache": map[string]any{
-			"cache_store":               cfg.IDCache.Store,
-			"cache_nodes":               cfg.IDCache.Nodes,
-			"cache_database":            cfg.IDCache.Database,
-			"cache_disable_persistence": cfg.IDCache.DisablePersistence,
-			"cache_auth_username":       cfg.IDCache.AuthUsername,
-			"cache_auth_password":       cfg.IDCache.AuthPassword,
+			"cache_store":                   cfg.IDCache.Store,
+			"cache_nodes":                   cfg.IDCache.Nodes,
+			"cache_database":                cfg.IDCache.Database,
+			"cache_ttl":                     cfg.IDCache.TTL,
+			"cache_disable_persistence":     cfg.IDCache.DisablePersistence,
+			"cache_auth_username":           cfg.IDCache.AuthUsername,
+			"cache_auth_password":           cfg.IDCache.AuthPassword,
+			"cache_tls_enabled":             cfg.IDCache.EnableTLS,
+			"cache_tls_insecure":            cfg.IDCache.TLSInsecure,
+			"cache_tls_root_ca_certificate": cfg.IDCache.TLSRootCACertificate,
 		},
 	}
 }
--- a/services/storage-users/pkg/server/debug/server.go
+++ b/services/storage-users/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -13,9 +14,14 @@ import (
 func Server(opts ...Option) (*http.Server, error) {
 	options := newOptions(opts...)

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCaCertPath,
+	)
 	readyHandler := handlers.NewCheckHandler(handlers.NewCheckHandlerConfiguration().
 		WithLogger(options.Logger).
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr)).
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Addr, secureOption)).
 		WithCheck("grpc reachability", checks.NewGRPCCheck(options.Config.GRPC.Addr)),
 	)

--- a/services/thumbnails/pkg/thumbnail/mimetypes_vips.go
+++ b/services/thumbnails/pkg/thumbnail/mimetypes_vips.go
@@ -2,15 +2,6 @@

 package thumbnail

-import "github.com/davidbyttow/govips/v2/vips"
-
-func init() {
-	// temporary remove TIFF and JP2K from go-vips' list of supported
-	// imagetypes
-	delete(vips.ImageTypes, vips.ImageTypeTIFF)
-	delete(vips.ImageTypes, vips.ImageTypeJP2K)
-}
-
 var (
 	// SupportedMimeTypes contains an all mimetypes which are supported by the thumbnailer.
 	SupportedMimeTypes = map[string]struct{}{
@@ -20,6 +11,7 @@ var (
 		"image/gif":                         {},
 		"image/bmp":                         {},
 		"image/x-ms-bmp":                    {},
+		"image/tiff":                        {},
 		"text/plain":                        {},
 		"audio/flac":                        {},
 		"audio/mpeg":                        {},
--- a/services/userlog/pkg/command/server.go
+++ b/services/userlog/pkg/command/server.go
@@ -92,6 +92,9 @@ func Server(cfg *config.Config) *cobra.Command {
 				microstore.Database(cfg.Persistence.Database),
 				microstore.Table(cfg.Persistence.Table),
 				store.Authentication(cfg.Persistence.AuthUsername, cfg.Persistence.AuthPassword),
+				store.TLSEnabled(cfg.Persistence.EnableTLS),
+				store.TLSInsecure(cfg.Persistence.TLSInsecure),
+				store.TLSRootCA(cfg.Persistence.TLSRootCACertificate),
 			)

 			tm, err := pool.StringToTLSMode(cfg.GRPCClientTLS.Mode)
--- a/services/userlog/pkg/config/config.go
+++ b/services/userlog/pkg/config/config.go
@@ -39,13 +39,16 @@ type Config struct {

 // Persistence configures the store to use
 type Persistence struct {
-	Store        string        `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
-	Nodes        []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	Database     string        `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
-	Table        string        `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
-	TTL          time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
-	AuthUsername string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
-	AuthPassword string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	Store                string        `yaml:"store" env:"OC_PERSISTENT_STORE;USERLOG_STORE" desc:"The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details." introductionVersion:"1.0.0"`
+	Nodes                []string      `yaml:"nodes" env:"OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES" desc:"A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	Database             string        `yaml:"database" env:"USERLOG_STORE_DATABASE" desc:"The database name the configured store should use." introductionVersion:"1.0.0"`
+	Table                string        `yaml:"table" env:"USERLOG_STORE_TABLE" desc:"The database table the store should use." introductionVersion:"1.0.0"`
+	TTL                  time.Duration `yaml:"ttl" env:"OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL" desc:"Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details." introductionVersion:"1.0.0"`
+	AuthUsername         string        `yaml:"username" env:"OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME" desc:"The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	AuthPassword         string        `yaml:"password" env:"OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD" desc:"The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"1.0.0"`
+	EnableTLS            bool          `yaml:"enable_tls" env:"OC_PERSISTENT_STORE_ENABLE_TLS;USERLOG_STORE_ENABLE_TLS" desc:"Enable TLS for the connection to the store. Only applies when store type 'nats-js-kv' is configured." introductionVersion:"%%NEXT%%"`
+	TLSInsecure          bool          `yaml:"tls_insecure" env:"OC_INSECURE;OC_PERSISTENT_STORE_TLS_INSECURE;USERLOG_STORE_TLS_INSECURE" desc:"Whether to verify the server TLS certificates." introductionVersion:"%%NEXT%%"`
+	TLSRootCACertificate string        `yaml:"tls_root_ca_certificate" env:"OC_PERSISTENT_STORE_TLS_ROOT_CA_CERTIFICATE;USERLOG_STORE_TLS_ROOT_CA_CERTIFICATE" desc:"The root CA certificate used to validate the server's TLS certificate. If provided USERLOG_STORE_TLS_INSECURE will be seen as false." introductionVersion:"%%NEXT%%"`
 }

 // Events combines the configuration options for the event bus.
--- a/services/userlog/pkg/server/debug/server.go
+++ b/services/userlog/pkg/server/debug/server.go
@@ -5,6 +5,7 @@ import (

 	"github.com/opencloud-eu/opencloud/pkg/checks"
 	"github.com/opencloud-eu/opencloud/pkg/handlers"
+	"github.com/opencloud-eu/opencloud/pkg/nats"
 	"github.com/opencloud-eu/opencloud/pkg/service/debug"
 	"github.com/opencloud-eu/opencloud/pkg/version"
 )
@@ -17,8 +18,13 @@ func Server(opts ...Option) (*http.Server, error) {
 		WithLogger(options.Logger).
 		WithCheck("web reachability", checks.NewHTTPCheck(options.Config.HTTP.Addr))

+	secureOption := nats.Secure(
+		options.Config.Events.EnableTLS,
+		options.Config.Events.TLSInsecure,
+		options.Config.Events.TLSRootCACertificate,
+	)
 	readyHandlerConfiguration := healthHandlerConfiguration.
-		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint))
+		WithCheck("nats reachability", checks.NewNatsCheck(options.Config.Events.Endpoint, secureOption))

 	return debug.NewService(
 		debug.Logger(options.Logger),
--- a/services/userlog/pkg/service/service.go
+++ b/services/userlog/pkg/service/service.go
@@ -101,7 +101,7 @@ func (ul *UserlogService) MemorizeEvents(ch <-chan events.Event) {
 	for i := 0; i < ul.cfg.MaxConcurrency; i++ {
 		go func(ch <-chan events.Event) {
 			for event := range ch {
-				ul.processEvent(event)
+				go ul.processEvent(event)
 			}
 		}(ch)
 	}
--- a/tests/acceptance/bootstrap/GraphContext.php
+++ b/tests/acceptance/bootstrap/GraphContext.php
@@ -287,9 +287,7 @@ class GraphContext implements Context {
 	public function adminDeletesUserUsingTheGraphApi(string $user, ?string $byUser = null): ?ResponseInterface {
 		$credentials = $this->getAdminOrUserCredentials($byUser);
 		$userId = $this->featureContext->getAttributeOfCreatedUser($user, 'id');
-		if ($userId === null) {
-			throw new \RuntimeException("Cannot delete user '$user': no userId found");
-		}
+		$userId = $userId ?: $user;
 		return GraphHelper::deleteUserByUserId(
 			$this->featureContext->getBaseUrl(),
 			$this->featureContext->getStepLineRef(),
--- a/tests/acceptance/bootstrap/Provisioning.php
+++ b/tests/acceptance/bootstrap/Provisioning.php
@@ -469,6 +469,80 @@ trait Provisioning {
 		$this->ldapCreatedUsers[] = $setting["userid"];
 	}

+	/**
+	 * Creates a user through the Graph API and replaces a stale existing user if needed.
+	 *
+	 * @param string $userName
+	 * @param string $password
+	 * @param string|null $email
+	 * @param string|null $displayName
+	 * @param string|null $byUser
+	 *
+	 * @return string
+	 * @throws Exception|GuzzleException
+	 */
+	private function createGraphUserWithReplacement(
+		string $userName,
+		string $password,
+		?string $email,
+		?string $displayName,
+		?string $byUser = null
+	): string {
+		$userName = $this->getActualUsername($userName);
+		$userName = \trim($userName);
+		if ($displayName === null) {
+			$displayName = $this->getDisplayNameForUser($userName);
+			if ($displayName === null) {
+				$displayName = $this->getDisplayNameForUser('regularuser');
+			}
+		}
+		if ($email === null) {
+			$email = $this->getEmailAddressForUser($userName);
+			if ($email === null) {
+				$email = \str_replace(["@", " "], "", $userName) . '@opencloud.eu';
+			}
+		}
+		$reqUser = $byUser ? $this->getActualUsername($byUser) : $this->getAdminUsername();
+		$response = GraphHelper::createUser(
+			$this->getBaseUrl(),
+			$this->getStepLineRef(),
+			$reqUser,
+			$this->getPasswordForUser($reqUser),
+			$userName,
+			$password,
+			$email,
+			$displayName,
+		);
+
+		if ($response->getStatusCode() === 409) {
+			$responseBody = $this->getJsonDecodedResponse($response);
+			if (($responseBody['error']['code'] ?? null) === 'nameAlreadyExists') {
+				$deleteResponse = $this->deleteUser($userName);
+				$this->theHTTPStatusCodeShouldBe(204, "", $deleteResponse);
+
+				$response = GraphHelper::createUser(
+					$this->getBaseUrl(),
+					$this->getStepLineRef(),
+					$reqUser,
+					$this->getPasswordForUser($reqUser),
+					$userName,
+					$password,
+					$email,
+					$displayName,
+				);
+			}
+		}
+
+		Assert::assertEquals(
+			201,
+			$response->getStatusCode(),
+			__METHOD__ . " cannot create user '$userName'.\nResponse:" .
+			json_encode($this->getJsonDecodedResponse($response))
+		);
+
+		return (string)$this->getJsonDecodedResponse($response)['id'];
+	}
+
 	/**
 	 * @param string $group group name
 	 *
@@ -581,37 +655,7 @@ trait Provisioning {
 					);
 				}
 			} else {
-				// Use the same logic as userHasBeenCreated for email generation
-				if ($email === null) {
-					$email = $this->getEmailAddressForUser($userName);
-					if ($email === null) {
-						// escape @ & space if present in userId
-						$email = \str_replace(["@", " "], "", $userName) . '@opencloud.eu';
-					}
-				}
-
-				$userName = $this->getActualUsername($userName);
-				$userName = \trim($userName);
-
-				$response = GraphHelper::createUser(
-					$this->getBaseUrl(),
-					$this->getStepLineRef(),
-					$this->getAdminUsername(),
-					$this->getAdminPassword(),
-					$userName,
-					$password,
-					$email,
-					$displayName,
-				);
-
-				Assert::assertEquals(
-					201,
-					$response->getStatusCode(),
-					__METHOD__ . " cannot create user '$userName'.\nResponse:" .
-					json_encode($this->getJsonDecodedResponse($response))
-				);
-
-				$userId = $this->getJsonDecodedResponse($response)['id'];
+				$userId = $this->createGraphUserWithReplacement($userName, $password, $email, $displayName);
 			}

 			$this->addUserToCreatedUsersList($userName, $password, $displayName, $email, $userId ?? null);
@@ -1069,24 +1113,7 @@ trait Provisioning {
 				);
 			}
 		} else {
-			$reqUser = $byUser ? $this->getActualUsername($byUser) : $this->getAdminUsername();
-			$response = GraphHelper::createUser(
-				$this->getBaseUrl(),
-				$this->getStepLineRef(),
-				$reqUser,
-				$this->getPasswordForUser($reqUser),
-				$user,
-				$password,
-				$email,
-				$displayName,
-			);
-			Assert::assertEquals(
-				201,
-				$response->getStatusCode(),
-				__METHOD__ . " cannot create user '$user'.\nResponse:" .
-				json_encode($this->getJsonDecodedResponse($response))
-			);
-			$userId = $this->getJsonDecodedResponse($response)['id'];
+			$userId = $this->createGraphUserWithReplacement($user, $password, $email, $displayName, $byUser);
 		}

 		$this->addUserToCreatedUsersList($user, $password, $displayName, $email, $userId);
@@ -1709,7 +1736,6 @@ trait Provisioning {
 				$this->ocsApiVersion
 			);
 		} else {
-			// users can be deleted using the username in the GraphApi too
 			$response = $this->graphContext->adminDeletesUserUsingTheGraphApi($user);
 		}
 		return $response;