If the certificate is a different path outside of NEO4J_HOME, then set the absolute path for the certificates directory.
847
+
If the certificate is located outside of `NEO4J_HOME`, then set the absolute path for the certificates directory.
839
848
====
840
849
841
-
.. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
850
+
. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
842
851
+
843
852
[source, properties]
844
853
----
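Review bot: Line 849 should read "enable mutual authentication" rather than "enable the mutual authentication". Since this step changes from a sub-step (`..`) to a top-level step (`.`), check that the surrounding list still renders with consistent numbering. It would also help to say, next to the `[source, properties]` block that follows, that `REQUIRE` only produces mutual authentication when each end can validate the other, that is, when the peer certificate or its CA is present in the trusted directory referred to at line 847; as written, a reader may assume the setting alone is sufficient.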
@@ -852,14 +861,16 @@ The actual xref:security/ssl-framework.adoc#term-ssl-cryptographic-objects[crypt
852
861
The trusted CA certificate will be shared however.
853
862
====
854
863
855
-
.. Verify that the intra-cluster communication is encrypted.
864
+
==== Verify that the intra-cluster communication is encrypted
865
+
866
+
Once the intra-cluster encryption is enabled, you can verify that the communication is encrypted.
856
867
You may use an external tooling, such as Nmap (https://nmap.org/download.html):
The hostname and port have to be adjusted according to your configuration.
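Review bot: Line 867 has an article error: "an external tooling" should be "external tooling" or "an external tool, such as Nmap". The new `====` heading at 864 replaces a list sub-step, so the section now reads as a standalone procedure, but lines 866 to 868 never say what a successful result looks like; a sentence describing the expected outcome (a TLS handshake reported on the cluster port, rather than a plaintext response) would make "verify that the communication is encrypted" actionable. Also, the context line shown in the next hunk header (line 887) still spells "comunication".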
@@ -876,24 +887,47 @@ For more details on securing the comunication between the cluster servers, see x
876
887
[[ssl-backup-config]]
877
888
=== Configure SSL for backup communication
878
889
879
-
In a single instance, by default the backup communication happens on port `6362`.
880
-
In a cluster topology, it is possible to take a backup from any server, and each server has two configurable ports capable of serving a backup.
881
-
These ports are configured by `dbms.backup.listen.address` (port `6362`) and `server.cluster.listen_address` (port `6000`) respectively.
882
-
If the intra-cluster encryption is enabled and the backup communication is using port `6000`, then your communication channels are already encrypted.
883
-
The following steps assumes that your backup is set up on a different port.
890
+
In a single instance, the backup communication happens on port `6362` by default. +
891
+
In a cluster topology, it is possible to take a backup from any server, and each server has two configurable ports capable of serving a backup:
892
+
893
+
* `dbms.backup.listen.address` (port `6362`)
894
+
* `server.cluster.listen_address` (port `6000`)
895
+
896
+
If the <<ssl-cluster-config, intra-cluster encryption>> is enabled and the backup communication uses port `6000`, then the communication channels are already encrypted.
897
+
898
+
However, if your backup communication uses a different port, you need to enable SSL for it by creating a separate SSL policy.
899
+
900
+
When setting up SSL for backup communication, you can choose between two options for certificates:
901
+
902
+
* self-signed certificates -- This is typically the case where you control both ends of the connection, and the distribution of certificates can be automated and secured.
903
+
However, self-signed certificates do not verify the identity of the server, so they cannot be trusted by clients and are vulnerable to man-in-the-middle attacks.
904
+
* certificates signed by a certificate authority (CA) -- more secure option, because a known trusted authority verifies the identity of the server, ensuring authenticity and preventing impersonation.
905
+
906
+
907
+
You can configure SSL for backup communication in one of the following ways:
908
+
909
+
* Use the same certificates in the _trusted_dir_ on both the backup server and client. +
910
+
This approach is simpler to configure but less secure, as both ends share the same identity and trust the same certificate.
911
+
912
+
* Mirror the certificates on the backup server and client to achieve mutual authentication. +
913
+
Add the server certificate to the client's _trusted_dir_ and the client certificate to the server's _trusted_dir_.
914
+
This way, the server validates the client's certificate in addition to the typical normal TLS where only the client validates the server's certificate.
915
+
916
+
* Use a certificate authority (CA) to sign both the client's and server's certificates.
917
+
In this case, the _trusted_dir_ must contain only the CA or intermediate certificates.
884
918
885
-
To set up SSL for backup communication, create the folder structure and place the key file and the certificates under those.
886
-
Then, you need to configure the SSL backup policies in the _neo4j.conf_ file.
919
+
==== Set up SSL certificates for backup
887
920
888
-
. Set up the _backup_ folder under _certificates_.
889
-
.. Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder:
921
+
Create the folder structure and place the key and certificate files under it.
922
+
923
+
. Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder:
890
924
+
891
925
[source, shell]
892
926
----
893
927
mkdir certificates/backup
894
928
----
895
929
896
-
.. Create a directory _trusted_ and _revoked_ under _<NEO4J_HOME>/certificates/backup_ folder:
930
+
. Create a directory _trusted_ and _revoked_ under _<NEO4J_HOME>/certificates/backup_ folder:
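Review bot: Line 903 overstates the weakness of self-signed certificates and contradicts the mirroring option at 912 to 913: a self-signed certificate placed in the peer's _trusted_dir_ is verified by that peer, so the server identity is checked; what is missing is a third party vouching for it, so the risk lies in distributing and rotating the certificates securely rather than in verification itself. Suggest: "However, self-signed certificates are not vouched for by any authority, so each end must obtain and trust the other's certificate through a secure channel; if the certificate can be substituted during distribution, the connection is open to man-in-the-middle attacks." Smaller points: "typical normal TLS" at 914 is redundant ("standard TLS"); "Create a directory _trusted_ and _revoked_" at 930 should be "Create the directories _trusted_ and _revoked_" and "under _<NEO4J_HOME>/certificates_ folder" at 923 and 930 needs "the"; `mkdir certificates/backup` at 927 assumes the shell is already in `NEO4J_HOME`, which is worth stating; and the option at 909 to 910 (the same certificate and key on both ends) should give the concrete reason it is less secure, namely that anyone holding that single private key can impersonate either side.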
If the certificate is a different path outside of NEO4J_HOME, then set the absolute path for the certificates directory.
1040
+
If the certificate is located outside of `NEO4J_HOME`, then set the absolute path for the certificates directory.
1003
1041
====
1004
1042
1005
-
.. Set the backup client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
1043
+
. Set the backup client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
1006
1044
+
1007
1045
[source, properties]
1008
1046
----
1009
1047
dbms.ssl.policy.backup.client_auth=REQUIRE
1010
1048
----
1011
1049
1050
+
[NOTE]
1051
+
====
1052
+
Neo4j does not validate the `setting-suffix` and if it is misspelled or incorrect, it will be ignored.
1053
+
See <<ssl-configuration, Configuration>> for more details.
1054
+
====
1055
+
1056
+
[ssl-backup-client-config]
1057
+
=== Configure the backup client for SSL
1058
+
1059
+
When using `neo4j-admin backup` command, the backup client needs to be configured to use SSL as well.
1060
+
Regardless of which backup port you are targeting (see <<ssl-backup-config>>), the backup client uses the SSL policy specified in `dbms.ssl.policy.backup.*`, given the same SSL policy name matches between server and client.
1061
+
1062
+
If the backup client is on a different machine from the backup server, you must install SSL certificates and keys on the backup client machine as well, so that the backup client can authenticate the server and vice versa.
1063
+
1064
+
The following steps assume that you have already set up the SSL certificates and keys on the backup server machine and you are using the self-signed certificates.
1065
+
1066
+
For example, if you have set up the backup SSL policy described in section <<ssl-backup-config>>, then you need to set the following in the _neo4j-admin.conf_ file on the backup client machine:
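Review bot: Line 1056 declares the anchor as `[ssl-backup-client-config]` with single brackets, which AsciiDoc treats as a block attribute rather than an anchor; it must be `[[ssl-backup-client-config]]`, matching `[[ssl-backup-config]]` earlier in this file, otherwise cross-references to the new section will not resolve. The note at 1052 ("Neo4j does not validate the `setting-suffix` and if it is misspelled or incorrect, it will be ignored") deserves a stated consequence: a mistyped `client_auth` key is silently dropped and the setting keeps its previous value, so readers should confirm the effective value after restarting rather than assume `REQUIRE` is in force; a comma before "and" is also needed there. Wording: "When using the `neo4j-admin backup` command" at 1059; "provided the same SSL policy name is used on both server and client" at 1060; "using self-signed certificates" at 1064; and 1065 introduces the settings to put in _neo4j-admin.conf_, so make sure the properties block that follows it is included in the change.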