14.4.2 Using a Self-Signed Server Certificate

This section describes the steps to generate a self-signed certificate in /etc/oracle/graph and configure the graph server (PGX) to use this certificate.

14.4.2.1 Generating a Self-Signed Server Certificate

You can create a self-signed server certificate using the openssl command.

The following steps show how to generate a self-signed server certificate.
  1. Go to the following directory:
    cd /etc/oracle/graph
  2. Execute the following commands:
    openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -subj "/C=US/ST=MyState/L=MyTown/O=MyOrganization/CN=ROOT" -keyout ca_key.pem -out ca_certificate.pem
    openssl genrsa -out server_key_traditional.pem 2048
    openssl pkcs8 -topk8 -in server_key_traditional.pem -inform pem -out server_key.pem -outform pem -nocrypt
    openssl req -new -subj "/C=US/ST=MyState/L=MyTown/O=MyOrganization/CN=localhost" -key server_key.pem -out server.csr
    chmod 600 server_key.pem
    openssl x509 -req -CA ca_certificate.pem -CAkey ca_key.pem -in server.csr -out server_certificate.pem -days 365 -CAcreateserial
    chown oraclegraph:oraclegraph server_key.pem

    Note:

    • The certificate mentioned in the above example will only work for the host localhost. If you have a different domain, you must replace localhost with your domain name.
    • The above self-signed certificate is valid only for 365 days.
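The following script, added here as an example and not part of the Oracle documentation, checks the files produced by the steps above before the server is restarted. It assumes the file names used in those steps and takes the directory (/etc/oracle/graph in this section) as its first argument and the host name clients will connect to as its optional second argument; it relies only on the openssl command the steps already use.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): checks the files produced
# by the openssl steps above before the server is restarted. Assumes the file
# names from those steps inside the directory passed as the first argument.
set -eu
# The server certificate must chain to the CA that clients will be told to trust.
check_chain() {
    openssl verify -CAfile "$1/ca_certificate.pem" "$1/server_certificate.pem" >/dev/null 2>&1
}

# The configured key must be unencrypted PKCS#8 ("BEGIN PRIVATE KEY"), which is
# what the pkcs8 -topk8 -nocrypt step writes to server_key.pem.
check_key_format() {
    grep -q '^-----BEGIN PRIVATE KEY-----' "$1/server_key.pem"
}

# The key must be the one the certificate was issued for (same public key).
check_key_matches_cert() {
    [ "$(openssl x509 -in "$1/server_certificate.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/server_key.pem" -pubout)" ]
}

# The name clients connect with must match the certificate (CN=localhost in the
# steps above). -checkhost exits 0 either way, so its printed verdict is tested.
check_hostname() {
    openssl x509 -in "$1/server_certificate.pem" -noout -checkhost "$2" | grep -q 'does match'
}

# Fail if the 365-day certificate expires within the window (seconds, default 30 days).
check_not_expiring() {
    openssl x509 -in "$1/server_certificate.pem" -noout -checkend "${2:-2592000}" >/dev/null
}

# The private key must stay readable by its owner only (the chmod 600 step).
check_key_permissions() {
    [ -n "$(find "$1/server_key.pem" -perm 600 -print)" ]
}

# Runs every check; the first failure stops the run and returns non-zero.
run_checks() {
    dir=$1; host=${2:-localhost}
    for c in check_chain check_key_format check_key_matches_cert \
             check_not_expiring check_key_permissions; do
        "$c" "$dir" && echo "PASS $c" || { echo "FAIL $c"; return 1; }
    done
    check_hostname "$dir" "$host" && echo "PASS check_hostname $host" \
        || { echo "FAIL check_hostname $host"; return 1; }
}
# Usage: sh pgx_tls_check.sh /etc/oracle/graph [hostname]
if [ "$#" -gt 0 ]; then run_checks "$1" "${2:-localhost}"; fi
```

A host name other than the one in the certificate's CN (for example the machine's DNS name when the certificate says localhost) makes check_hostname fail, which is the same mismatch clients would report.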

14.4.2.2 Configuring the Graph Server (PGX)

You must specify the path to the server certificate and the server's private key in PEM format in the graph server (PGX) configuration file.

Note:

If you deploy the graph server into your web server using the web applications download package, then this section does not apply. Please refer to the manual of your web server for instructions on how to configure TLS.
  1. Edit the file at /etc/oracle/graph/server.conf, and specify the paths to the server certificate and the server's private key in PEM format, as shown:
    {
      "port": 7007,
      "enable_tls": true,
      "server_private_key": "/etc/oracle/graph/server_key.pem",
      "server_cert": "/etc/oracle/graph/server_certificate.pem",
      "enable_client_authentication": false,
      "working_dir": "/opt/oracle/graph/pgx/tmp_data"
    }
  2. Restart the graph server.

    Note:

    • You should use a certificate issued by a certificate authority (CA) which is trusted by your organization. If you do not have a CA certificate, you can temporarily create a self-signed certificate and get started.
    • Always use a valid certificate trusted by your organization. We do not recommend the usage of self-signed certificates for production environments.

14.4.2.3 Configuring a Client to Trust the Self-Signed Certificate

You must configure your client application to accept the self-signed graph server (PGX) certificate.

To configure a client to trust the self-signed certificate, the root certificate must be imported into the local trust store of your Java installation.
  • For a Java or a Python client, you must import the root certificate to all the Java installations used by all the clients.

    Note:

    The JShell client requires Java 11 or later.
  • For the Graph Visualization application, you must import the root certificate to the system Java installation of the environment running the graph server (PGX) or the web server serving the graph visualization application. That is, the JDK installation which is used by the OS user running the server that serves the Graph Visualization application.
  • For the Graph Zeppelin interpreter client, you must import the root certificate to the Java installation used by the Zeppelin server.

You can import the root certificate as shown in the following steps:

  1. Run the following command as a root user or with sudo:
    • For Java 8 (make sure JAVA_HOME is set):
      sudo keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -alias pgx -file /etc/oracle/graph/ca_certificate.pem -noprompt
    • For Java 11 or later (make sure JAVA_HOME is set):
      sudo keytool -import -trustcacerts -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -alias pgx -file /etc/oracle/graph/ca_certificate.pem -noprompt
    where changeit is the default password of the JDK cacerts keystore. You can change this password to a password of your choice. Be sure to remember this password, as you will need it to modify the certificate.
  2. If you are upgrading the graph server from a previous release, the certificate imported for the previous release must be deleted before the new one is imported. Run the following command for your Java version, using sudo or as a root user:

    For Java 8:

    sudo keytool -delete -alias pgx -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

    For Java 11 or later:

    sudo keytool -delete -alias pgx -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

    Then import the new certificate as shown in step 1.