4.13.2 Configuring the Graph Server (PGX)
You can configure the graph server (PGX) by modifying the
/etc/oracle/graph/server.conf
file. The following table shows the valid
configuration options, which can be specified in JSON format.
Table 4-8 Configuration Parameters for the Graph Server (PGX)
Parameter | Type | Description | Default |
---|---|---|---|
ca_certs |
array of string |
List of files storing trusted certificates (PEM format). If enable_tls is set to false , this field has no effect.
|
[] |
ciphers |
array of string |
List of cipher suites to be used by the server. For example, [cipher1, cipher2.] | ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"] |
context_path |
string |
This can be used to change the context path. For example, if you specify port as 7007 and context path as /pgx , the server will listen on https://localhost:7007/pgx |
/ |
enable_tls |
boolean |
If true , the server enables transport layer security (TLS).
|
true |
port |
integer |
Port the graph server (PGX) server should listen on. | 7007 |
server_cert |
string |
The path to the server certificate to be presented to TLS clients (PEM format).
Note: This file must only contain one certificate. If your certificate is a chain and contains a root certificate, add it toca_certs instead.
enable_tls is set to
false , this field has no effect
|
NULL |
server_private_key |
string |
This is the path to the file storing the private key of the server (PEM format). For security reasons, the file must have only Read and Write permissions only for the owner (600 permissions in a POSIX filesystem), otherwise an error will be thrown. If enable_tls is set to false , this field has no effect
|
NULL |
tls_version |
string |
TLS version to be used by the server. For example, TLSv1.2 |
TLSv1.2 |
working_dir |
string |
The working directory used by the server to store temporary files. Needs to be writeable by the process which started the server and should not be touched by any other process while the server is running. |
The graph server (PGX) enables two-way SSL/TLS (Transport Layer Security) by default. The server enforces TLS 1.2 and disables certain cipher suites known to be vulnerable to attacks. Upon a TLS handshake, both the server and the client present certificates to each other, which are used to validate the authenticity of the other party. Client certificates are also used to authorize client applications.
The following is an example server.conf
configuration file:
{
"port": 7007,
"enable_tls": true,
"server_cert": "server_cert.pem",
"server_private_key": "server_key.pem",
"ca_certs": [
"server_cert.pem"
]
}
Parent topic: Starting the Graph Server (PGX)