14.4.1 Using a Self-Signed Server Keystore

This section describes the steps to generate a self-signed keystore into /etc/oracle/graph and configure the graph server (PGX) and client to use the keystore.

14.4.1.1 Generating a Self-Signed Server Keystore

You can create a server keystore using the keytool command that ships with the JDK.

The following steps show how to create a server keystore with a self-signed certificate:
  1. Go to the following directory:
    cd /etc/oracle/graph
  2. Run the following command (-genkeypair is the current name of the older -genkey option; -storetype PKCS12 makes the file match the server_keystore_type used in the server configuration, because keytool otherwise defaults to JKS on Java 8 and to PKCS12 on Java 9 or later):
    keytool -genkeypair -alias pgx -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore server_keystore.jks
  3. Provide the requested details. The "first and last name" becomes the CN of the certificate and should be the host name that clients use to connect to the graph server; for a host other than localhost, also add -ext SAN=dns:<hostname> to the command above so that clients which verify the host name against the certificate accept it. For example:
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  MyOrganization
    What is the name of your City or Locality?
      [Unknown]:  MyTown
    What is the name of your State or Province?
      [Unknown]:  MyState
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=localhost, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US correct?
      [no]:  yes
    The file server_keystore.jks is now created in /etc/oracle/graph. It contains the server's private key, so make it readable only by the OS user that runs the graph server (for example with chown and chmod 600).

14.4.1.2 Configuring the Graph Server (PGX) When Using a Server Keystore

You must specify the path to the server keystore in the graph server (PGX) configuration file.

Note:

If you deploy the graph server into your web server using the web applications download package, then this section does not apply. Please refer to the manual of your web server for instructions on how to configure TLS.
  1. Edit the file at /etc/oracle/graph/server.conf to specify the path to the server keystore together with its alias, type and provider, as shown:
    {
      "port": 7007,
      "enable_tls": true,
      "enable_client_authentication": false,
      "server_keystore": "/etc/oracle/graph/server_keystore.jks",
      "server_keystore_alias": "pgx",
      "server_keystore_type": "PKCS12",
      "server_keystore_provider": "SUN",
      "ca_certs": [],
      "working_dir": "/opt/oracle/graph/pgx/tmp_data"
    }
  2. Set the keystore password using an OS environment variable called PGX_SERVER_KEYSTORE_PASSWORD or a Java system property called pgx.SERVER_KEYSTORE_PASSWORD.

    For example, to set the keystore password in PGX_SERVER_KEYSTORE_PASSWORD, edit the file at /etc/systemd/system/pgx.service as shown:

    [Service]
    Environment="PGX_SERVER_KEYSTORE_PASSWORD=<keystore_password>"

    Unit files under /etc/systemd/system are normally world-readable, so a password placed there is visible to every local user. Prefer putting the same KEY=value line in a separate file owned by root with mode 0600 (for example /etc/oracle/graph/pgx.env) and referencing it with EnvironmentFile= in the [Service] section; systemd reads that file as root before it switches to the service user.
  3. Reload the systemd configuration by running the following command:
    sudo systemctl daemon-reload
  4. Restart the graph server. You can confirm that it presents the new certificate with, for example, openssl s_client -connect localhost:7007 -showcerts.

    Note:

    Use a certificate issued by a certificate authority (CA) that your organization trusts. If you do not have one yet, a self-signed certificate lets you get started, but self-signed certificates are not recommended for production environments.

14.4.1.3 Configuring a Client to Trust the Self-Signed Keystore

You must configure each client to trust the self-signed certificate.

Because the certificate is self-signed, it is its own root: to configure a client to trust it, the server certificate must be imported into the trust store of the Java installation the client uses.
  • For a Java or a Python client, you must import the root certificate to all the Java installations used by all the clients.

    Note:

    The JShell client requires Java 11 or later.
  • For the Graph Visualization application, you must import the root certificate into the Java installation of the environment that runs the graph server (PGX) or the web server serving the Graph Visualization application, that is, the JDK used by the OS user running that server.
  • For the Graph Zeppelin interpreter client, you must import the root certificate to the Java installation used by the Zeppelin server.

You can import the certificate as shown in the following steps. Only the certificate is imported; do not import the server keystore itself (for example with keytool -importkeystore), because that would copy the server's private key into the trust store of every client.

  1. Export the certificate from the server keystore. Enter the server keystore password when prompted:
    keytool -exportcert -alias pgx -keystore /etc/oracle/graph/server_keystore.jks -rfc -file /etc/oracle/graph/pgx.crt
  2. If you are upgrading the graph server from a previous release, first delete the old certificate from the trust store. Run the command appropriate to your Java version as a root user or with sudo (make sure JAVA_HOME is set):

    For Java 8:

    sudo keytool -delete -alias pgx -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

    For Java 11 or later:

    sudo keytool -delete -alias pgx -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
  3. Import the certificate into the trust store. Run the command appropriate to your Java version as a root user or with sudo (make sure JAVA_HOME is set):

    For Java 8:

    sudo keytool -importcert -alias pgx -file /etc/oracle/graph/pgx.crt -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt

    For Java 11 or later:

    sudo keytool -importcert -alias pgx -file /etc/oracle/graph/pgx.crt -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit -noprompt

    where changeit is the default password of the JDK's cacerts trust store, not the password of the server keystore. You can change it to a password of your choice; remember it, because you will need it to modify or delete the certificate later.
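The keystore generation of 14.4.1.1 and the client trust steps of 14.4.1.3, combined into one non-interactive script. This is an added example, not code from the Oracle documentation or the graph server product. It assumes keytool from a JDK is on PATH, reuses the "pgx" alias and the distinguished name from the document, and uses a temporary directory as a stand-in for /etc/oracle/graph and for the JDK cacerts file; the passwords in the demo are placeholders.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): generate the self-signed
# server keystore, export its certificate and trust it in a Java trust store.
# Assumptions: keytool (JDK) on PATH; a temporary directory stands in for
# /etc/oracle/graph and for $JAVA_HOME/.../cacerts; passwords are placeholders.
set -eu

# cacerts location for a JAVA_HOME: Java 8 keeps it under jre/lib/security,
# Java 11 and later under lib/security.
jdk_cacerts_path() {           # java_home
    if [ -f "$1/jre/lib/security/cacerts" ]; then
        printf '%s\n' "$1/jre/lib/security/cacerts"
    else
        printf '%s\n' "$1/lib/security/cacerts"
    fi
}

# Generate the server keystore as PKCS12 (matching "server_keystore_type" in
# server.conf), with CN and a SAN set to the host name clients connect to.
gen_server_keystore() {        # keystore alias password hostname
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -storetype PKCS12 -keystore "$1" -storepass "$3" -keypass "$3" \
        -dname "CN=$4, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US" \
        -ext "SAN=dns:$4,ip:127.0.0.1"
}

# Export only the certificate (PEM); the private key stays in the keystore.
export_server_cert() {         # keystore alias password certfile
    keytool -exportcert -alias "$2" -keystore "$1" -storepass "$3" -rfc -file "$4"
}

# Import the certificate into a trust store, first removing an alias left
# over from a previous release (the upgrade case in 14.4.1.3).
trust_server_cert() {          # truststore alias storepass certfile
    if keytool -list -alias "$2" -keystore "$1" -storepass "$3" >/dev/null 2>&1; then
        keytool -delete -alias "$2" -keystore "$1" -storepass "$3"
    fi
    keytool -importcert -alias "$2" -keystore "$1" -storepass "$3" -file "$4" -noprompt
}

# True when the trust store holds a trusted certificate entry under the alias.
is_trusted() {                 # truststore alias storepass
    keytool -list -alias "$2" -keystore "$1" -storepass "$3" 2>/dev/null \
        | grep -q trustedCertEntry
}

# Demo against a throwaway directory; the second trust_server_cert call
# exercises the delete-then-reimport path used when upgrading.
demo() {
    work=$(mktemp -d)
    ks="$work/server_keystore.jks"; ts="$work/cacerts"; crt="$work/pgx.crt"
    gen_server_keystore "$ks" pgx 'change-me-server' localhost
    export_server_cert "$ks" pgx 'change-me-server' "$crt"
    trust_server_cert "$ts" pgx changeit "$crt"
    trust_server_cert "$ts" pgx changeit "$crt"
    if is_trusted "$ts" pgx changeit; then
        echo "pgx certificate is trusted in $ts"
    else
        echo "pgx certificate missing from $ts" >&2
        rm -rf "$work"
        return 1
    fi
    rm -rf "$work"
}

if command -v keytool >/dev/null 2>&1; then
    demo
else
    echo "keytool not found; install a JDK and put it on PATH" >&2
fi
```

To use it against a real installation, point the trust store argument at `$(jdk_cacerts_path "$JAVA_HOME")` and run that step with sudo. Passing -storepass on the command line exposes the password in the process list; outside a demo, omit it so keytool prompts, or use the -storepass:env and -storepass:file forms that keytool supports.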