Configuring the Dgraph for SSL mutual authentication

This topic describes the high-level steps required to configure SSL mutual authentication between the Dgraph and an external machine. The authentication uses certificates signed by a certificate authority (CA). This setup may apply if your Dgraph and external machines are hosted outside the firewall, or if two-way authentication is required between them.

An SSL-enabled client (such as the Integrator component of Oracle Endeca Information Discovery) may need to access the Dgraph securely. In such cases, a secure connection must be established between these servers by configuring the Dgraph for authentication with SSL certificates.

This procedure is an example of how you can establish a mutual (two-way) authentication. Treat this procedure as a high-level recommendation rather than the only way to establish a secure connection. Other steps may be required depending on your specific security requirements.

In this procedure, you create two signed certificates. First, you create a private key and send a Certificate Signing Request (CSR) to a CA from the external server. Next, you create a private key and send a CSR from the Dgraph. You can then start the Dgraph with the --sslcertfile flag referencing the file that contains the Dgraph private key and the signed certificate.

To configure SSL mutual authentication between the Dgraph and an external client:

  1. Create a private key and send a Certificate Signing Request (CSR) from the external server. You can create a private key and issue a CSR by using one of these methods:
    • Use the keytool utility shipped with Endeca Server. For details, see Creating a keystore.
    • Use openssl commands.
    • Consult your security and server administrator for assistance.
    Note: Some CA vendors require that the CSR be generated from 2048-bit private keys and not from 1024-bit keys. Confirm with your CA vendor before issuing the CSR.
  2. Send the CSR to a CA for signing.
    A CA provides a bundled key file (including intermediate keys) along with a signed certificate.
    Note: You will need the bundled key file for the Dgraph --sslcafile startup flag later on in this procedure.
  3. Add the signed certificate to the keystore of the external client.
    For information, refer to the client's documentation or your security administrator.
  4. Create a private key and certificate for the Dgraph using the openssl utility.
    For example, the following command creates a 2048-bit RSA key that is valid for a year:
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout MyCert.pem -out MyCert.pem

    The resulting MyCert.pem file stores both the private key and the certificate.

  5. Create a Certificate Signing Request (CSR) from the MyCert.pem file, as follows:
    openssl req -new -key MyCert.pem -out MyCertCSR.pem
  6. Send the MyCertCSR.pem file to the CA for signing.
  7. Obtain from the CA a bundled key file (including intermediate keys) along with a signed certificate.
  8. Create an empty file, such as MySSLCert.pem, to store the combination of the Dgraph private key and the signed certificate.
    You can do this by copying the entry for the private key (step 4) into the empty file, and appending the contents of the signed certificate (step 7) underneath the private key entry in the new file.
  9. Reference the file MySSLCert.pem created in the previous step in the --sslcertfile startup flag for the Dgraph.
  10. Add both the sslcafile and sslcertfile flags to your Dgraph startup options, as follows:
    --sslcafile <full_path_to_location_of_bundled_key_file_in_step2>
    --sslcertfile <full_path_to_location_of_MySSLCert.pem>
  11. (Optional) If the external client requires the bundled keys for the Dgraph that you obtained in step 7, add them accordingly to its keystore.
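Step 8 is the error-prone manual part of this procedure: MyCert.pem from step 4 holds both the private key and a self-signed certificate, and only the key block must be carried into MySSLCert.pem, followed by the CA-signed certificate. The following Python is an added example, not part of this Oracle documentation or the Dgraph, that assembles the --sslcertfile contents from PEM text and checks the block order of the result; the sample PEM blocks are constructed placeholders, not real key or certificate material.

```python
import base64
import re

# Matches one PEM block and captures its label and base64 body.
_PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\n(?P<body>[A-Za-z0-9+/=\s]+?)-----END (?P=label)-----"
)

def pem_blocks(text):
    """Return [(label, block_text)] for each PEM block; malformed base64 raises binascii.Error."""
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        base64.b64decode("".join(m.group("body").split()), validate=True)
        blocks.append((m.group("label"), m.group(0)))
    return blocks

def build_sslcertfile(mycert_pem, signed_cert_pem):
    """Assemble the --sslcertfile contents (step 8): the Dgraph private key from MyCert.pem,
    then the CA-signed certificate from step 7. The self-signed certificate that step 4 also
    wrote into MyCert.pem is deliberately dropped."""
    keys = [(l, t) for l, t in pem_blocks(mycert_pem) if l.endswith("PRIVATE KEY")]
    certs = [t for l, t in pem_blocks(signed_cert_pem) if l == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError(f"expected one private key in MyCert.pem, found {len(keys)}")
    if keys[0][0].startswith("ENCRYPTED"):
        raise ValueError("key is encrypted; step 4 creates it with -nodes, so it must be unencrypted")
    if not certs:
        raise ValueError("signed certificate file contains no CERTIFICATE block")
    return "\n".join([keys[0][1]] + certs) + "\n"

def check_sslcertfile(pem_text):
    """Labels in file order; a usable file reads [<key label>, 'CERTIFICATE', ...]."""
    return [l for l, _ in pem_blocks(pem_text)]

def _fake_block(label, payload):
    """Constructed PEM block wrapping arbitrary bytes (not real key or certificate material)."""
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----"

# Constructed stand-ins for MyCert.pem (key + self-signed cert) and the CA's signed certificate.
SAMPLE_SELF_SIGNED = _fake_block("CERTIFICATE", b"constructed self-signed certificate")
SAMPLE_MYCERT_PEM = _fake_block("PRIVATE KEY", b"constructed key bytes") + "\n" + SAMPLE_SELF_SIGNED
SAMPLE_SIGNED_CERT_PEM = _fake_block("CERTIFICATE", b"constructed CA-signed certificate")

if __name__ == "__main__":
    combined = build_sslcertfile(SAMPLE_MYCERT_PEM, SAMPLE_SIGNED_CERT_PEM)
    print(check_sslcertfile(combined))  # ['PRIVATE KEY', 'CERTIFICATE']
```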