14.4 Setting Up Transport Layer Security

The graph server (PGX), by default, allows only encrypted connections using Transport Layer Security (TLS). TLS requires the server to present a server certificate to the client, and the client must be configured to trust the issuer of that certificate.

In this release of Graph Server and Client, the RPM installation generates a self-signed server keystore file by default. This server_keystore.jks file, which contains the server certificate and the server private key, is generated into /etc/oracle/graph so that the server can enable TLS. Note that the default password for the generated keystore is changeit; it is configured through the PGX_SERVER_KEYSTORE_PASSWORD environment variable in the /etc/systemd/system/pgx.service file, as shown:

[Service]
Environment="PGX_SERVER_KEYSTORE_PASSWORD=changeit"
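As an added example (not Oracle's documentation or code), the following POSIX shell script checks whether pgx.service still carries the default keystore password and stages a systemd drop-in that overrides it; the drop-in file name, the sample unit content and the demo password are constructed for this example, and the keytool step assumes a JDK is installed.

```shell
#!/bin/sh
# Added example, not part of the Oracle documentation: audit pgx.service for
# the default keystore password and stage a replacement. The paths below are
# the ones the documentation names; the drop-in file name and the sample unit
# content are constructed for this example.

# Return 0 when the unit file still sets the default password "changeit".
pgx_keystore_password_is_default() {
    grep -Eq '^Environment="?PGX_SERVER_KEYSTORE_PASSWORD=changeit"?[[:space:]]*$' "$1"
}

# Write a systemd drop-in that overrides the keystore password for pgx.service.
# $1 = drop-in directory (normally /etc/systemd/system/pgx.service.d),
# $2 = new password. The file is created mode 0600 because the value is a
# secret; the path written is printed.
write_keystore_password_override() {
    dropin_dir="$1"
    new_password="$2"
    override="$dropin_dir/keystore-password.conf"
    mkdir -p "$dropin_dir"
    (
        umask 077
        printf '[Service]\nEnvironment="PGX_SERVER_KEYSTORE_PASSWORD=%s"\n' \
            "$new_password" > "$override"
    )
    echo "$override"
}

# The keystore itself must be changed to the same password, or the server will
# fail to open it at startup. Requires the JDK keytool; not run by the demo.
rotate_keystore_password() {
    keytool -storepasswd -keystore "$1" -storepass "$2" -new "$3"
}

# Stand-alone demo on a constructed copy of the unit file (never touches /etc).
demo_dir=$(mktemp -d)
printf '[Service]\nEnvironment="PGX_SERVER_KEYSTORE_PASSWORD=changeit"\n' \
    > "$demo_dir/pgx.service"
if pgx_keystore_password_is_default "$demo_dir/pgx.service"; then
    echo "default keystore password still set in $demo_dir/pgx.service"
    write_keystore_password_override "$demo_dir/pgx.service.d" 'example-only-password'
fi
# On a real host, after rotate_keystore_password and installing the drop-in:
#   systemctl daemon-reload && systemctl restart pgx.service
```

Because the password is passed as a unit environment variable, anyone who can read the unit or its drop-ins (or run systemctl show on the service) can read it, so restrict those files accordingly.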

If this default keystore configuration is sufficient to get started and your connections are only to localhost, you can skip to Configuring a Client to Trust the Self-Signed Keystore.

If you prefer to use a self-signed server certificate, then refer to Using a Self-Signed Server Certificate for more information. However, it is important to note that the server configuration fields server_cert and server_private_key are deprecated and will be desupported in a future release; after that, you will be required to use the server keystore to store the server certificate and the server private key.