4.13.2 Configuring the Graph Server (PGX)
You can configure the graph server (PGX) by modifying the
/etc/oracle/graph/server.conf
file. The following table shows the valid
configuration options, which can be specified in JSON format.
Table 4-10 Configuration Parameters for the Graph Server (PGX)
Parameter | Type | Description | Default |
---|---|---|---|
ca_certs |
array of string |
List of files storing trusted certificates (PEM format). If enable_tls is set to false , this field has no effect.
|
[] |
ciphers |
array of string |
List of cipher suites to be used by the server. For example, [cipher1, cipher2.] | ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA",
"TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256",
"TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DH_DSS_WITH_AES_256_GCM_SHA384",
"TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256",
"TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
"TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_256_CBC_SHA256",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
"TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_DSS_WITH_AES_256_CBC_SHA",
"TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"] |
context_path |
string |
This can be used to change the context path. For example, if you specify port as 7007 and context path as /pgx , the server will listen on https://localhost:7007/pgx |
/ |
enable_tls |
boolean |
If true , the server enables transport layer security (TLS).
|
true |
port |
integer |
Port the graph server (PGX) server should listen on. | 7007 |
server_cert |
string |
The path to the server certificate to be presented to TLS clients (PEM format).
This file must only contain one certificate. If your certificate is a chain and
contains a root certificate, add it to ca_certs instead. If
enable_tls is set to false , this field has no
effect
Note: Starting from Graph Server and Client Release 22.3
onwards, this field is deprecated. Use |
NULL |
server_keystore |
string |
The path to the keystore to be used for server connections. If this
field is present along with server_cert or
server_private_key , then an error will be raised.
If
|
NULL |
server_keystore_alias |
string |
This is the server keystore alias of
server_keystore .
|
NULL |
server_keystore_provider |
string |
This is the server keystore provider of
server_keystore .
|
SunJSSE |
server_keystore_type |
string |
This is the server keystore type of
server_keystore .
|
JKS |
server_private_key |
string |
This is the path to the file storing the private key of the server (PEM format).
For security reasons, the file must have only Read and Write permissions only for the
owner (600 permissions in a POSIX filesystem), otherwise an error
will be thrown. If enable_tls is set to false , this
field has no effect.
Note: Starting from Graph Server and Client Release 22.3
onwards, this field is deprecated. Use |
NULL |
tls_version |
string |
TLS version to be used by the server. For example, TLSv1.2 |
TLSv1.2 |
working_dir |
string |
The working directory used by the server to store temporary files. Needs to be writable by the process which started the server and should not be touched by any other process while the server is running. |
The graph server (PGX) enables two-way SSL/TLS (Transport Layer Security) by default. The server enforces TLS 1.2 and disables certain cipher suites known to be vulnerable to attacks. Upon a TLS handshake, both the server and the client present certificates to each other, which are used to validate the authenticity of the other party. Client certificates are also used to authorize client applications.
Example Configuration of server.conf
File
{
"port": 7007,
"enable_tls": true,
"server_cert": "server_cert.pem",
"server_private_key": "server_key.pem",
"ca_certs": [
"server_cert.pem"
]
}
Example Configuration of server.conf
File Using a Keystore
{
"port": 7007,
"enable_tls": true,
"enable_client_authentication": true,
"server_keystore": "/pgx/cert/server_keystore.rsa",
"server_keystore_alias": "pgx",
"server_keystore_provider": "JsafeJCE",
"server_keystore_type": "PKCS12"
}
Parent topic: Starting the Graph Server (PGX)