14.4.1 Using a Self-Signed Server Keystore

This section describes the steps to generate a self-signed keystore into /etc/oracle/graph and configure the graph server (PGX) and the client to use that keystore.

Generating a Self-Signed Server Keystore

You can create a server keystore using the keytool command.

The following steps show how to create a server keystore with a self-signed certificate:
  1. Go to the following directory:
    cd /etc/oracle/graph
  2. Run the following command:
    keytool -genkey -alias pgx -keyalg RSA -keystore server_keystore.jks
  3. Provide the requested details. For example:
    Enter keystore password:
    Re-enter new password:
    What is your first and last name?
      [Unknown]:  localhost
    What is the name of your organizational unit?
      [Unknown]:  OU
    What is the name of your organization?
      [Unknown]:  MyOrganization
    What is the name of your City or Locality?
      [Unknown]:  MyTown
    What is the name of your State or Province?
      [Unknown]:  MyState
    What is the two-letter country code for this unit?
      [Unknown]:  US
    Is CN=localhost, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US correct?
      [no]:  yes
    The server_keystore.jks file is created in /etc/oracle/graph.

Configuring the Graph Server (PGX) When Using a Server Keystore

You must specify the path to the server keystore in the graph server (PGX) configuration file.

If you deploy the graph server into your web server using the web applications download package, then this section does not apply. Refer to the manual of your web server for instructions on how to configure TLS.
  1. Edit the file at /etc/oracle/graph/server.conf to specify the path to the server keystore, the keystore alias, the keystore type and the keystore provider, as shown:
      "port": 7007,
      "enable_tls": true,
      "enable_client_authentication": false,
      "server_keystore": "/etc/oracle/graph/server_keystore.jks",
      "server_keystore_alias": "pgx",
      "server_keystore_type": "PKCS12",
      "server_keystore_provider": "SUN",
      "ca_certs": [],
      "working_dir": "/opt/oracle/graph/pgx/tmp_data"
  2. Set the keystore password using an OS environment variable called PGX_SERVER_KEYSTORE_PASSWORD or a Java system property called pgx.SERVER_KEYSTORE_PASSWORD.

    For example, to set the keystore password in PGX_SERVER_KEYSTORE_PASSWORD, edit the file at /etc/systemd/system/pgx.service as shown:

  3. Reload the systemd configuration by running the following command:
    sudo systemctl daemon-reload
  4. Restart the graph server.


    • Always use a valid certificate issued by a certificate authority (CA) that is trusted by your organization. If you do not have a CA-issued certificate, you can temporarily create a self-signed certificate to get started. However, self-signed certificates are not recommended for production environments.
    • The steps to generate a self-signed server certificate can modify the Java installation on your client system. Only perform these steps if you are fully aware of the implications of accepting the self-signed certificate system-wide.
    • Consider carefully before running commands with sudo.

Configuring a Client to Trust the Self-Signed Keystore

You must configure your client application to accept the self-signed keystore.

To configure a client to trust the self-signed keystore, the root certificate must be imported into the local trust store of your Java installation.
  • For a Java or a Python client, you must import the root certificate to all the Java installations used by all the clients.

    The JShell client requires Java 11 or later.
  • For the Graph Visualization application, you must import the root certificate into the system Java installation of the environment running the graph server (PGX) or the web server serving the Graph Visualization application. That is, the JDK installation used by the OS user running the server that serves the Graph Visualization application.

You can import the root certificate as shown in the following step:

  1. Ensure JAVA_HOME is set and run the following command as a root user or with sudo.
    sudo keytool -importkeystore -srckeystore /etc/oracle/graph/server_keystore.jks -destkeystore $JAVA_HOME/lib/security/cacerts -deststorepass changeit -srcstorepass changeit -noprompt
    where changeit is the sample password used here for both the source keystore (-srcstorepass) and the destination trust store (-deststorepass). You can change it to a password of your choice. Be sure to remember this password, as you will need it to modify the certificate later.

    If you are upgrading the graph server from a previous release, you must delete the existing certificate before importing the new one. Run the following command using sudo or as the root user to delete the certificate:

    sudo keytool -delete -alias pgx -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
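The keystore generation and the client trust import described above, as an added example that is not part of the Oracle documentation: a POSIX shell script that creates the server keystore non-interactively with the same distinguished name, exports only the public certificate, imports that certificate into a client trust store, and checks that the trusted entry matches the server certificate. It assumes keytool is on PATH; the directory, password and trust store path are parameters instead of the fixed /etc/oracle/graph and cacerts locations, so the flow can be rehearsed on a copy of cacerts before the real one is changed.

```shell
# Added example, not from the Oracle documentation. Assumes keytool on PATH;
# directory, password and truststore are parameters so it runs outside
# /etc/oracle/graph. The store keeps the page's server_keystore.jks name.
set -eu

# make_server_keystore DIR PASSWORD: non-interactive form of the genkey step.
# -storetype PKCS12 matches "server_keystore_type": "PKCS12" in server.conf;
# -dname carries the same values the interactive prompts ask for.
make_server_keystore() {
  keytool -genkeypair -alias pgx -keyalg RSA -keysize 2048 -validity 365 \
    -storetype PKCS12 -keystore "$1/server_keystore.jks" \
    -storepass "$2" -keypass "$2" \
    -dname "CN=localhost, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US"
}

# export_server_cert DIR PASSWORD: writes DIR/pgx.crt, the public certificate
# only, so the private key never leaves the server keystore.
export_server_cert() {
  keytool -exportcert -rfc -alias pgx -keystore "$1/server_keystore.jks" \
    -storepass "$2" -file "$1/pgx.crt"
}
# trust_server_cert CERT TRUSTSTORE PASSWORD: adds CERT as a trusted entry.
# Rehearse on a copy of $JAVA_HOME/lib/security/cacerts before the real one.
trust_server_cert() {
  keytool -importcert -noprompt -alias pgx -file "$1" -keystore "$2" -storepass "$3"
}
# cert_fingerprint KEYSTORE PASSWORD: fingerprint of alias pgx, as keytool prints it.
cert_fingerprint() {
  keytool -list -alias pgx -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^Certificate fingerprint (SHA[-0-9]*): //p'
}
# entry_type KEYSTORE PASSWORD: PrivateKeyEntry or trustedCertEntry for alias pgx.
entry_type() {
  keytool -list -alias pgx -keystore "$1" -storepass "$2" 2>/dev/null \
    | sed -n 's/^pgx, .*, \([A-Za-z]*Entry\),.*/\1/p'
}

# demo: run the flow in a scratch directory and check that the client trusts
# exactly the server certificate, as a certificate entry rather than a key.
demo() {
  work=$(mktemp -d)
  make_server_keystore "$work" changeit >/dev/null 2>&1
  export_server_cert "$work" changeit >/dev/null 2>&1
  trust_server_cert "$work/pgx.crt" "$work/truststore.p12" changeit >/dev/null 2>&1
  server=$(cert_fingerprint "$work/server_keystore.jks" changeit)
  client=$(cert_fingerprint "$work/truststore.p12" changeit)
  kind=$(entry_type "$work/truststore.p12" changeit)
  rm -rf "$work"
  [ -n "$server" ] && [ "$server" = "$client" ] && [ "$kind" = trustedCertEntry ]
}
```

Run demo to exercise the whole flow in a temporary directory; to apply it to a real client, call trust_server_cert with $JAVA_HOME/lib/security/cacerts as the trust store.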