Configuring the Graph Server (PGX)

4.13.2 Configuring the Graph Server (PGX)

You can configure the graph server (PGX) by modifying the /etc/oracle/graph/server.conf file. The following table shows the valid configuration options, which can be specified in JSON format.

Table 4-10 Configuration Parameters for the Graph Server (PGX)

Parameter	Type	Description	Default
`ca_certs`	`array of string`	List of files storing trusted certificates (PEM format). If `enable_tls` is set to `false`, this field has no effect.	`[]`
`ciphers`	`array of string`	List of cipher suites to be used by the server. For example, [cipher1, cipher2.]	["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_DH_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DH_DSS_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_DH_DSS_WITH_AES_128_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_DH_DSS_WITH_AES_256_CBC_SHA256", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DH_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_DH_DSS_WITH_AES_256_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA"]
`context_path`	`string`	This can be used to change the context path. For example, if you specify `port` as `7007` and `context path` as `/pgx`, the server will listen on `https://localhost:7007/pgx`	`/`
`enable_tls`	`boolean`	If `true`, the server enables transport layer security (TLS).	`true`
`port`	`integer`	Port the graph server (PGX) server should listen on.	`7007`
`server_cert`	`string`	The path to the server certificate to be presented to TLS clients (PEM format). This file must only contain one certificate. If your certificate is a chain and contains a root certificate, add it to `ca_certs` instead. If `enable_tls` is set to `false`, this field has no effect Note: Starting from Graph Server and Client Release 22.3 onwards, this field is deprecated. Use `server_keystore` instead.	`NULL`
`server_keystore`	`string`	The path to the keystore to be used for server connections. If this field is present along with `server_cert` or `server_private_key`, then an error will be raised. If `enable_tls` is set to `false`, then this field has no effect.	`NULL`
`server_keystore_alias`	`string`	This is the server keystore alias of `server_keystore`.	`NULL`
`server_keystore_provider`	`string`	This is the server keystore provider of `server_keystore`.	`SunJSSE`
`server_keystore_type`	`string`	This is the server keystore type of `server_keystore`.	`JKS`
`server_private_key`	`string`	This is the path to the file storing the private key of the server (PEM format). For security reasons, the file must have only Read and Write permissions only for the owner (`600` permissions in a POSIX filesystem), otherwise an error will be thrown. If `enable_tls` is set to `false`, this field has no effect. Note: Starting from Graph Server and Client Release 22.3 onwards, this field is deprecated. Use `server_keystore` instead.	`NULL`
`tls_version`	`string`	TLS version to be used by the server. For example, `TLSv1.2`	`TLSv1.2`
`working_dir`	`string`	The working directory used by the server to store temporary files. Needs to be writable by the process which started the server and should not be touched by any other process while the server is running.

The graph server (PGX) enables two-way SSL/TLS (Transport Layer Security) by default. The server enforces TLS 1.2 and disables certain cipher suites known to be vulnerable to attacks. Upon a TLS handshake, both the server and the client present certificates to each other, which are used to validate the authenticity of the other party. Client certificates are also used to authorize client applications.

Example Configuration of server.conf File

{
  "port": 7007,
  "enable_tls": true,
  "server_cert": "server_cert.pem",
  "server_private_key": "server_key.pem",
  "ca_certs": [
    "server_cert.pem"
  ]
  }

Example Configuration of server.conf File Using a Keystore

{
  "port": 7007,
  "enable_tls": true,
  "enable_client_authentication": true,
  "server_keystore": "/pgx/cert/server_keystore.rsa",
  "server_keystore_alias": "pgx",
  "server_keystore_provider": "JsafeJCE",
  "server_keystore_type": "PKCS12"
}

Parent topic: Starting the Graph Server (PGX)