Update the ssl config for backup

modules/ROOT/pages/backup-restore/online-backup.adoc

@@ -317,12 +317,22 @@ The SSL configuration policy has the key of `dbms.ssl.policy.backup`.
 
 As an example, add the following content to your _neo4j.conf_ and _neo4j-admin.conf_ files:
 
+.Server configuration in _neo4j.conf_
 [source, properties]
 ----
 dbms.ssl.policy.backup.enabled=true
-dbms.ssl.policy.backup.tls_versions=TLSv1.2
-dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
 dbms.ssl.policy.backup.client_auth=REQUIRE
+dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
+dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+----
+
+.Client configuration in _neo4j-admin.conf_
+[source, properties]
+----
+dbms.ssl.policy.backup.enabled=true
+dbms.ssl.policy.backup.client_auth=REQUIRE
+dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
+dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
 ----
 
 [TIP]

modules/ROOT/pages/security/ssl-framework.adoc

@@ -928,7 +928,7 @@ The owner/group should be configured to the user/group that will be running the
 Default user/group is neo4j/neo4j.
 ====
 
-. Set the backup SSL configuration in _neo4j.conf_.
+. Set the backup SSL configuration in the _neo4j.conf_ file.
 .. Set the backup SSL policy to `true`:
 +
 [source, properties]
@@ -956,6 +956,29 @@ If the certificate is a different path outside of NEO4J_HOME, then set the absol
 dbms.ssl.policy.backup.client_auth=REQUIRE
 ----
 
+=== Configure the backup client for SSL
+
+When using `neo4j-admin backup` command, you need to specify the SSL policy to be used by the backup client.
+You can do this by setting a matching SSL configuration in the _neo4j.conf_ and _neo4j-admin.conf_ files.
+This is crucial for the backup to work properly.
+For example, if you have set up the backup SSL policy described in section <<ssl-backup-config>>, then you need to set the following in the _neo4j-admin.conf_ file:
+
+[source, properties]
+----
+dbms.ssl.policy.backup.enabled=true
+dbms.ssl.policy.backup.base_directory=/path/to/certificates/backup
+dbms.ssl.policy.backup.private_key=private.key
+dbms.ssl.policy.backup.public_certificate=public.crt
+dbms.ssl.policy.backup.client_auth=REQUIRE
+dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
+dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+----
+
+[NOTE]
+====
+Keep in mind that if the backup client is on a different machine from the Neo4j server, you must install the same SSL certs and keys on the backup client machine as well, so that the backup client can authenticate the server and vice versa.
+====
+
 [[ssl-other-configs]]
 === Other configurations for SSL
 
@@ -1150,7 +1173,7 @@ This means that while new connections will use new certificates, the existing co
 Even if a certificate expires, active connections remain unaffected because the certificates are only used during the initial connection handshake.
 
 . Verify that the intra-cluster communication is still encrypted using external tooling, such as Nmap, described in <<ssl-cluster-config, Configuring SSL for intra-cluster communications>>.
- 
+
 
 [[ssl-terminology]]
 == Terminology