1.4 Setting Up Transport Layer Security

By default, the graph server (PGX) allows only encrypted connections using Transport Layer Security (TLS). TLS requires the server to present a server certificate to the client, and the client must be configured to trust the issuer of that certificate.

Starting with Graph Server and Client Release 22.3, you can create a server keystore to contain the server certificate and server private key. You can then configure the graph server to use this keystore.

In this release of Graph Server and Client, the RPM file installation will continue to generate a self-signed certificate into /etc/oracle/graph as the default option for the server to enable TLS. Note, however, that the server configuration fields server_cert and server_private_key are deprecated in the current Graph Server and Client Release 22.3 and will be desupported in a future release. After that, you will be required to use the server keystore to store the server certificate and the server private key.
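To find servers that still depend on the deprecated fields before they are desupported, the following added example (not Oracle's code) audits a parsed server configuration. It assumes the configuration is available as a JSON object and that the keystore field is named server_keystore; the file names in the sample are constructed.

```python
import json
import os
import stat
import tempfile

# Fields this page names as deprecated in Release 22.3.
DEPRECATED_FIELDS = ("server_cert", "server_private_key")

def audit_tls_config(config, keystore_field="server_keystore"):
    """Return findings for a parsed server configuration.

    keystore_field is an ASSUMED field name; confirm it against the
    configuration reference for your release.
    """
    findings = []
    for field in DEPRECATED_FIELDS:
        if field in config:
            findings.append(f"deprecated field in use: {field}")
    if keystore_field not in config:
        findings.append(f"no server keystore configured ({keystore_field})")
    # Files holding the private key must not be accessible to other users.
    for field in ("server_private_key", keystore_field):
        path = config.get(field)
        if path and os.path.isfile(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o007:
                findings.append(f"{field}: {path} is accessible to others ({mode:o})")
    return findings

def demo():
    """Audit a constructed legacy-style configuration in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "server_key.pem")  # constructed placeholder file
        with open(key, "w") as fh:
            fh.write("placeholder, not a real key\n")
        os.chmod(key, 0o644)
        raw = json.dumps({"server_cert": os.path.join(d, "server_cert.pem"),
                          "server_private_key": key})
        return audit_tls_config(json.loads(raw))

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

An empty result means the configuration uses only the keystore and the keystore file is not accessible to other users.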