If the certificate is a different path outside of NEO4J_HOME, then set the absolute path for the certificates directory.
794
+
If the certificate is located outside of `NEO4J_HOME`, then set the absolute path for the certificates directory.
786
795
====
787
796
788
-
.. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
797
+
. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
789
798
+
790
799
[source, properties]
791
800
----
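Review bot: the sentence "then set the absolute path for the certificates directory" (in both the removed and the added wording) never says which configuration setting takes that path, so a reader at this step has nothing to act on; name the policy's base-directory setting, or cross-reference the earlier step where it is set. Minor: "to enable the mutual authentication" reads better as "to enable mutual authentication".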
@@ -799,14 +808,16 @@ The actual xref:security/ssl-framework.adoc#term-ssl-cryptographic-objects[crypt
799
808
The trusted CA certificate will be shared however.
800
809
====
801
810
802
-
.. Verify that the intra-cluster communication is encrypted.
811
+
==== Verify that the intra-cluster communication is encrypted
812
+
813
+
Once the intra-cluster encryption is enabled, you can verify that the communication is encrypted.
803
814
You may use an external tooling, such as Nmap (https://nmap.org/download.html):
The hostname and port have to be adjusted according to your configuration.
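Review bot: "You may use an external tooling" should be "You may use external tooling" (uncountable noun); the sentence "The hostname and port have to be adjusted according to your configuration." would read better immediately before the Nmap example it qualifies rather than after the tool link. The new `==== Verify that the intra-cluster communication is encrypted` heading is followed by two added blank lines where the rest of the file uses one.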
@@ -823,24 +834,47 @@ For more details on securing the comunication between the cluster servers, see x
823
834
[[ssl-backup-config]]
824
835
=== Configure SSL for backup communication
825
836
826
-
In a single instance, by default the backup communication happens on port `6362`.
827
-
In a cluster topology, it is possible to take a backup from any server, and each server has two configurable ports capable of serving a backup.
828
-
These ports are configured by `dbms.backup.listen.address` (port `6362`) and `server.cluster.listen_address` (port `6000`) respectively.
829
-
If the intra-cluster encryption is enabled and the backup communication is using port `6000`, then your communication channels are already encrypted.
830
-
The following steps assumes that your backup is set up on a different port.
837
+
In a single instance, the backup communication happens on port `6362` by default. +
838
+
In a cluster topology, it is possible to take a backup from any server, and each server has two configurable ports capable of serving a backup:
839
+
840
+
* `dbms.backup.listen.address` (port `6362`)
841
+
* `server.cluster.listen_address` (port `6000`)
842
+
843
+
If the <<ssl-cluster-config, intra-cluster encryption>> is enabled and the backup communication uses port `6000`, then the communication channels are already encrypted.
844
+
845
+
However, if your backup communication uses a different port, you need to enable SSL for it by creating a separate SSL policy.
846
+
847
+
When setting up SSL for backup communication, you can choose between two options for certificates:
848
+
849
+
* self-signed certificates -- This is typically the case where you control both ends of the connection, and the distribution of certificates can be automated and secured.
850
+
However, self-signed certificates do not verify the identity of the server, so they cannot be trusted by clients and are vulnerable to man-in-the-middle attacks.
851
+
* certificates signed by a certificate authority (CA) -- more secure option, because a known trusted authority verifies the identity of the server, ensuring authenticity and preventing impersonation.
852
+
853
+
854
+
You can configure SSL for backup communication in one of the following ways:
855
+
856
+
* Use the same certificates in the _trusted_dir_ on both the backup server and client. +
857
+
This approach is simpler to configure but less secure, as both ends share the same identity and trust the same certificate.
858
+
859
+
* Mirror the certificates on the backup server and client to achieve mutual authentication. +
860
+
Add the server certificate to the client's _trusted_dir_ and the client certificate to the server's _trusted_dir_.
861
+
This way, the server validates the client's certificate in addition to the typical normal TLS where only the client validates the server's certificate.
862
+
863
+
* Use a certificate authority (CA) to sign both the client's and server's certificates.
864
+
In this case, the _trusted_dir_ must contain only the CA or intermediate certificates.
831
865
832
-
To set up SSL for backup communication, create the folder structure and place the key file and the certificates under those.
833
-
Then, you need to configure the SSL backup policies in the _neo4j.conf_ file.
866
+
==== Set up SSL certificates for backup
834
867
835
-
. Set up the _backup_ folder under _certificates_.
836
-
.. Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder:
868
+
Create the folder structure and place the key and certificate files under it.
869
+
870
+
. Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder:
837
871
+
838
872
[source, shell]
839
873
----
840
874
mkdir certificates/backup
841
875
----
842
876
843
-
.. Create a directory _trusted_ and _revoked_ under _<NEO4J_HOME>/certificates/backup_ folder:
877
+
. Create a directory _trusted_ and _revoked_ under _<NEO4J_HOME>/certificates/backup_ folder:
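Review bot: the two sentences on self-signed certificates contradict each other. The first says they are "typically the case where you control both ends of the connection, and the distribution of certificates can be automated and secured"; the next says they "do not verify the identity of the server, so they cannot be trusted by clients and are vulnerable to man-in-the-middle attacks". With the peer's certificate placed in _trusted_dir_, as the list that follows describes, the client does verify the server's identity, and that is exactly the secured distribution the first sentence refers to; the man-in-the-middle exposure arises only when a client accepts a certificate it has not been provisioned with. Suggest rewording to something like: "self-signed certificates carry no third-party attestation of identity, so every peer must be explicitly provisioned with the certificate it should trust; a client that accepts an unknown self-signed certificate is open to man-in-the-middle attacks." Smaller points in the same hunk: "certificate authority (CA) -- more secure option" wants "the more secure option"; "Create a directory _trusted_ and _revoked_" should be "Create the directories _trusted_ and _revoked_"; the hunk header's context line still spells "comunication".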
If the certificate is a different path outside of NEO4J_HOME, then set the absolute path for the certificates directory.
987
+
If the certificate is located outside of `NEO4J_HOME`, then set the absolute path for the certificates directory.
950
988
====
951
989
952
-
.. Set the backup client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
990
+
. Set the backup client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
953
991
+
954
992
[source, properties]
955
993
----
956
994
dbms.ssl.policy.backup.client_auth=REQUIRE
957
995
----
958
996
997
+
[NOTE]
998
+
====
999
+
Neo4j does not validate the `setting-suffix` and if it is misspelled or incorrect, it will be ignored.
1000
+
See <<ssl-configuration, Configuration>> for more details.
1001
+
====
1002
+
1003
+
[ssl-backup-client-config]
1004
+
=== Configure the backup client for SSL
1005
+
1006
+
When using `neo4j-admin backup` command, the backup client needs to be configured to use SSL as well.
1007
+
Regardless of which backup port you are targeting (see <<ssl-backup-config>>), the backup client uses the SSL policy specified in `dbms.ssl.policy.backup.*`, given the same SSL policy name matches between server and client.
1008
+
1009
+
If the backup client is on a different machine from the backup server, you must install SSL certificates and keys on the backup client machine as well, so that the backup client can authenticate the server and vice versa.
1010
+
1011
+
The following steps assume that you have already set up the SSL certificates and keys on the backup server machine and you are using the self-signed certificates.
1012
+
1013
+
For example, if you have set up the backup SSL policy described in section <<ssl-backup-config>>, then you need to set the following in the _neo4j-admin.conf_ file on the backup client machine:
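Review bot: `[ssl-backup-client-config]` uses single brackets, which AsciiDoc treats as a block attribute list rather than an anchor; the existing anchor earlier in this change is written `[[ssl-backup-config]]`, so this needs to be `[[ssl-backup-client-config]]` or cross-references to it will not resolve. Also in this hunk: "given the same SSL policy name matches between server and client" is ambiguous about what must match (the policy name, or the policy settings); "When using `neo4j-admin backup` command" needs "the"; "you are using the self-signed certificates" should drop "the". The new NOTE that a misspelled `setting-suffix` is silently ignored is a useful silent-failure warning, but it would serve readers better placed beside the first `dbms.ssl.policy.backup.*` setting in this procedure rather than only after the `client_auth` line.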
@@ -1162,7 +1229,7 @@ This means that while new connections will use new certificates, the existing co
1162
1229
Even if a certificate expires, active connections remain unaffected because the certificates are only used during the initial connection handshake.
1163
1230
1164
1231
. Verify that the intra-cluster communication is still encrypted using external tooling, such as Nmap, described in <<ssl-cluster-config, Configuring SSL for intra-cluster communications>>.
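Review bot: this step still points at `<<ssl-cluster-config, Configuring SSL for intra-cluster communications>>`, but the earlier hunk in this change promotes the Nmap verification to its own `==== Verify that the intra-cluster communication is encrypted` subsection; give that subsection an anchor and reference it directly here so the reader lands on the verification steps rather than at the top of the section.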