14.4 Setting Up Transport Layer Security
By default, the graph server (PGX) allows only encrypted connections using Transport Layer Security (TLS). TLS requires the server to present a server certificate to the client, and the client must be configured to trust the issuer of that certificate.
In this release of Graph Server and Client, the RPM file installation generates a self-signed server keystore file by default. This server_keystore.jks file contains the server certificate and server private key and is generated into /etc/oracle/graph for the server to enable TLS.
Note that the default password for the generated keystore is changeit, and this is configured using the environment variable PGX_SERVER_KEYSTORE_PASSWORD in the /etc/systemd/system/pgx.service file as shown:
[Service]
Environment="PGX_SERVER_KEYSTORE_PASSWORD=changeit"
If this default keystore configuration is sufficient for you to get started and if your connections are only to localhost, you can skip to Configuring a Client to Trust the Self-Signed Keystore.
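The following is an added example, not part of Oracle's documentation or tooling: a POSIX shell check that reports whether a pgx.service unit still sets PGX_SERVER_KEYSTORE_PASSWORD to the default changeit. The function names and the sample unit content are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Oracle's code: report whether a pgx.service unit still
# sets the default keystore password (changeit) described above.

# Print the effective value of VAR from the Environment= lines of a systemd
# unit file. The last assignment wins; an empty "Environment=" resets the list.
unit_env_value() {  # usage: unit_env_value <unit-file> <VAR>
  awk -v var="$2" '
    /^[ \t]*Environment[ \t]*=/ {
      sub(/^[ \t]*Environment[ \t]*=[ \t]*/, "")
      if ($0 == "") { found = 0; val = ""; next }
      rest = $0
      # Each token is either "KEY=value" (quoted) or a bare KEY=value.
      while (match(rest, /"[^"]*"|[^ \t"]+/)) {
        tok = substr(rest, RSTART, RLENGTH)
        rest = substr(rest, RSTART + RLENGTH)
        gsub(/^"|"$/, "", tok)
        if (index(tok, var "=") == 1) {
          val = substr(tok, length(var) + 2); found = 1
        }
      }
    }
    END { if (found) print val; exit !found }
  ' "$1"
}

# Print one finding; return 0 only when a non-default, non-empty password is set.
audit_pgx_unit() {  # usage: audit_pgx_unit <unit-file>
  if ! pw=$(unit_env_value "$1" PGX_SERVER_KEYSTORE_PASSWORD) || [ -z "$pw" ]; then
    echo "NOT_SET"; return 2
  fi
  if [ "$pw" = "changeit" ]; then
    echo "DEFAULT_PASSWORD"; return 1
  fi
  echo "CUSTOM_PASSWORD"; return 0
}

# Constructed sample: the unit fragment shown above, written to a temp file.
sample=$(mktemp)
printf '%s\n' '[Service]' \
  'Environment="PGX_SERVER_KEYSTORE_PASSWORD=changeit"' > "$sample"
echo "sample unit: $(audit_pgx_unit "$sample")"
rm -f "$sample"
```

On a server, call audit_pgx_unit /etc/systemd/system/pgx.service. The check reads only the file it is given, so systemd drop-in files that override the unit are not considered.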
- Using a Self-Signed Server Keystore
  This section describes the steps to generate a self-signed keystore into /etc/oracle/graph and configure the graph server (PGX) and client to use the keystore.
- Using a CA-Signed SSL Certificate
  The graph server (PGX) and client installation allows you to use your own CA-signed SSL (Secure Sockets Layer) certificate.