Update the ssl config for backup #2610
Conversation
renetapopova
force-pushed
the
dev-backup-ssl
branch
from
d16d56b to
695ea41
Compare
renetapopova
added
auto-cherry-pick-to-main
auto-cherry-pick-to-5.x
clustering
and removed
WIP
labels
renetapopova
force-pushed
the
dev-backup-ssl
branch
from
695ea41 to
522b951
Compare
renetapopova
added
cherry-pick-this-to-5.x
cherry-pick-this-to-main
and removed
auto-cherry-pick-to-main
auto-cherry-pick-to-5.x
labels
renetapopova
force-pushed
the
dev-backup-ssl
branch
from
522b951 to
7b76645
Compare
renetapopova
requested review from
rhysemmas and
thelonelyvulpes
and removed request for
rhysemmas
renetapopova
force-pushed
the
dev-backup-ssl
branch
from
477121b to
61e7f49
Compare
|
This PR includes documentation updates Updated pages: |
| === Configure the backup client for SSL | ||
| When using `neo4j-admin backup` command, you need to specify the SSL policy to be used by the backup client. |
There was a problem hiding this comment.
I think this doesn't make it entirely clear that you can back up against the cluster endpoint(6000 default) and its SSL policy dbms.ssl.policy.cluster.*, or the backup endpoint(6362 default) and its SSL policy dbms.ssl.policy.backup.*, but regardless of which you do back up against, the admin client will use the SSL policy specified for backups dbms.ssl.policy.backup.*
| === Configure the backup client for SSL | ||
| When using `neo4j-admin backup` command, you need to specify the SSL policy to be used by the backup client. | ||
| You can do this by setting a matching SSL configuration in the _neo4j.conf_ and _neo4j-admin.conf_ files. |
There was a problem hiding this comment.
It is not entirely true that they must match, but be sympathetic of/mirror one another.
i.e., if they want mutualTLS with self-signed certificates, the server must have the client's certificate in its trusted_dir, and the client must have the server's certificate in its trusted_dir
There was a problem hiding this comment.
However, when they use a certificate authority to signs both the client's and server's certificates, the trusted_dir only needs to contain an intermediate CA cert.
| dbms.ssl.policy.backup.client_auth=REQUIRE | ||
| ---- | ||
| === Configure the backup client for SSL |
There was a problem hiding this comment.
bit of a meta comment, but it might be worth including in the documentation, we do not the validate the keys of ssl policy values so
dbms.ssl.policy.backup.foo will parse happily but will not help, so it is important that users validate the config keys when configuring SSL, dbms.ssl.policy.backup.trusted_directory got me as it must be dbms.ssl.policy.backup.trusted_dir which is inconsistent with *.base_directory
No description provided.