If the certificate is a different path outside of NEO4J_HOME, then set the absolute path for the certificates directory.
786
790
====
787
791
788
-
.. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
792
+
. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
789
793
+
790
794
[source, properties]
791
795
----
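Review bot: in the added `. Set the cluster client authentication to `REQUIRE` to enable the mutual authentication, ...` line, drop the article and write "to enable mutual authentication". Since this item moved from the nested `..` level to a top-level `.` item, also check that its number continues the sequence of the preceding `.` steps in this section rather than restarting a new list. The unchanged context line "If the certificate is a different path outside of NEO4J_HOME" would read better as "is at a different path outside of NEO4J_HOME".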
@@ -799,14 +803,16 @@ The actual xref:security/ssl-framework.adoc#term-ssl-cryptographic-objects[crypt
799
803
The trusted CA certificate will be shared however.
800
804
====
801
805
802
-
.. Verify that the intra-cluster communication is encrypted.
806
+
==== Verify that the intra-cluster communication is encrypted
807
+
808
+
Once the intra-cluster encryption is enabled, you can verify that the communication is encrypted.
803
809
You may use an external tooling, such as Nmap (https://nmap.org/download.html):
The hostname and port have to be adjusted according to your configuration.
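Review bot: the new verification subsection ("Once the intra-cluster encryption is enabled, you can verify that the communication is encrypted.") does not say what a successful check looks like; after the Nmap example, add one sentence describing the expected result so a reader can tell an encrypted port from an unencrypted one instead of only running the command. Minor wording in the unchanged context: "You may use an external tooling" should be "You may use external tooling" or "an external tool".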
@@ -823,24 +829,28 @@ For more details on securing the comunication between the cluster servers, see x
823
829
[[ssl-backup-config]]
824
830
=== Configure SSL for backup communication
825
831
826
-
In a single instance, by default the backup communication happens on port `6362`.
827
-
In a cluster topology, it is possible to take a backup from any server, and each server has two configurable ports capable of serving a backup.
828
-
These ports are configured by `dbms.backup.listen.address` (port `6362`) and `server.cluster.listen_address` (port `6000`) respectively.
829
-
If the intra-cluster encryption is enabled and the backup communication is using port `6000`, then your communication channels are already encrypted.
830
-
The following steps assumes that your backup is set up on a different port.
832
+
In a single instance, the backup communication happens on port `6362` by default. +
833
+
In a cluster topology, it is possible to take a backup from any server, and each server has two configurable ports capable of serving a backup:
831
834
832
-
To set up SSL for backup communication, create the folder structure and place the key file and the certificates under those.
833
-
Then, you need to configure the SSL backup policies in the _neo4j.conf_ file.
835
+
* `dbms.backup.listen.address` (port `6362`)
836
+
* `server.cluster.listen_address` (port `6000`)
834
837
835
-
. Set up the _backup_ folder under _certificates_.
836
-
.. Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder:
838
+
If the <<ssl-cluster-config, intra-cluster encryption>> is enabled and the backup communication uses port `6000`, then the communication channels are already encrypted.
839
+
The following steps assume that your backup is set up on a different port.
840
+
841
+
==== Set up SSL certificates for backup
842
+
843
+
Create the folder structure and place the key and certificate files under it.
844
+
Then, configure the SSL backup policies in the _neo4j.conf_ file.
845
+
846
+
. Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder:
837
847
+
838
848
[source, shell]
839
849
----
840
850
mkdir certificates/backup
841
851
----
842
852
843
-
.. Create a directory _trusted_ and _revoked_ under _<NEO4J_HOME>/certificates/backup_ folder:
853
+
. Create a directory _trusted_ and _revoked_ under _<NEO4J_HOME>/certificates/backup_ folder:
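Review bot: the `mkdir certificates/backup` command uses a relative path while the surrounding text refers to _<NEO4J_HOME>/certificates_; either prefix it with `<NEO4J_HOME>/` or state that the commands are run from NEO4J_HOME, otherwise the directory is created wherever the reader's shell happens to be. Grammar in the two added list items: "Create a directory _backup_ under _<NEO4J_HOME>/certificates_ folder" should be "under the _<NEO4J_HOME>/certificates_ folder", and "Create a directory _trusted_ and _revoked_ under ... folder" should be "Create the directories _trusted_ and _revoked_ under the ... folder". The hunk header context line still carries the typo "comunication".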
If the certificate is a different path outside of NEO4J_HOME, then set the absolute path for the certificates directory.
950
963
====
951
964
952
-
.. Set the backup client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
965
+
. Set the backup client authentication to `REQUIRE` to enable the mutual authentication, which means that both ends of a channel have to authenticate:
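Review bot: same article fix as in the cluster step: "to enable mutual authentication". Because `REQUIRE` means both ends of the channel must authenticate, the server will refuse a backup client that cannot present a trusted certificate, so this step should point forward to the client-side configuration for `neo4j-admin backup` (the policy in _neo4j-admin.conf_) to avoid readers locking out their own backup tooling when they enable it.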
When using `neo4j-admin backup` command, you need to specify the SSL policy to be used by the backup client.
962
-
You can do this by setting a matching SSL configuration in the _neo4j.conf_ and _neo4j-admin.conf_ files.
963
-
This is crucial for the backup to work properly.
974
+
When using `neo4j-admin backup` command, the backup client needs to be configured to use SSL as well.
975
+
Regardless of which backup port you are targeting (see <<ssl-backup-config>>), the backup client uses the SSL policy specified in `dbms.ssl.policy.backup.*`, given the same SSL policy name matches between server and client.
976
+
977
+
[NOTE]
978
+
====
979
+
If the backup client is on a different machine from the Neo4j server, you must install sympathetic SSL certificates and keys on the backup client machine as well, so that the backup client can authenticate the server and vice versa.
980
+
If you want mutual TLS with self-signed certificates, the server must have the client's certificate in its _trusted_dir_, and the client must have the server's certificate in its _trusted_dir_.
981
+
If you use a certificate authority (CA) to signs both the client's and server's certificates, the _trusted_dir_ must contain only the CA or intermediate certificates.
982
+
983
+
Furthermore, Neo4j does not validate the certificates.
984
+
It is your responsibility to ensure that the certificates are valid.
985
+
See <<ssl-certificates>> for details.
986
+
====
987
+
988
+
Configure the SSL backup policies in the _neo4j-admin.conf_ file on the backup client machine.
989
+
964
990
For example, if you have set up the backup SSL policy described in section <<ssl-backup-config>>, then you need to set the following in the _neo4j-admin.conf_ file:
Keep in mind that if the backup client is on a different machine from the Neo4j server, you must install the same SSL certs and keys on the backup client machine as well, so that the backup client can authenticate the server and vice versa.
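Review bot: the added sentence "Furthermore, Neo4j does not validate the certificates." is ambiguous as written; on its own it reads as if no certificate checking happens at all, which contradicts the mutual-authentication steps above. Spell out which checks are meant (for example expiry, revocation or hostname matching) and keep "It is your responsibility to ensure that the certificates are valid." as the consequence. In the NOTE block, "sympathetic SSL certificates and keys" is unclear; the following two sentences already describe the actual requirement (each side's own key pair plus the other side's certificate or the CA in _trusted_dir_), so "matching" or "corresponding" is enough, and that wording is an improvement over the old "install the same SSL certs and keys" in the trailing context, which suggested copying a private key between machines. Typo: "to signs both the client's and server's certificates" should be "to sign both". "given the same SSL policy name matches between server and client" should be "provided the SSL policy name matches between server and client".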