14.4.1 Using a Self-Signed Server Keystore

This section describes the steps to generate a self-signed keystore into /etc/oracle/graph and configure the graph server (PGX) and client to use the keystore.

Parent topic: Setting Up Transport Layer Security

14.4.1.1 Generating a Self-Signed Server Keystore

You can create a server key store using the keytool command.

The following steps show how to create a server keystore with a self-signed certificate:
  1. Go to the following directory:
    cd /etc/oracle/graph
  2. Run the following command:
    keytool -genkey -alias pgx -keyalg RSA -keystore server_keystore.jks
  3. Provide the requested details. For example: 
    Enter keystore password:
Re-enter new password:
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  OU
What is the name of your organization?
  [Unknown]:  MyOrganization
What is the name of your City or Locality?
  [Unknown]:  MyTown
What is the name of your State or Province?
  [Unknown]:  MyState
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=localhost, OU=OU, O=MyOrganization, L=MyTown, ST=MyState, C=US correct?
  [no]:  yes
    The server_keystore.jks is created successfully in cd /etc/oracle/graph.

Parent topic: Using a Self-Signed Server Keystore

14.4.1.2 Configuring the Graph Server (PGX) When Using a Server Keystore

You must specify the path to the server keystore in the graph server (PGX) configuration file.

Note:

If you deploy the graph server into your web server using the web applications download package, then this section does not apply. Please refer to the manual of your web server for instructions on how to configure TLS.
  1. Edit the file at /etc/oracle/graph/server.conf to specify server keystore alias, server keystore provider, server keystore type and the path to the server keystore as shown:
    {
  "port": 7007,
  "enable_tls": true,
  "server_keystore": "/etc/oracle/graph/server_keystore.jks",
  "server_keystore_alias": "pgx",
  "server_keystore_type": "PKCS12",
  "server_keystore_provider": "SUN",
  "ca_certs": [],
  "working_dir": "/opt/oracle/graph/pgx/tmp_data"
}
  2. Set the keystore password using an OS environment variable called PGX_SERVER_KEYSTORE_PASSWORD or with a java property called pgx.SERVER_KEYSTORE_PASSWORD.

    For example, to set the keystore password in PGX_SERVER_KEYSTORE_PASSWORD, edit the file at /etc/systemd/system/pgx.service as shown: 

    [Service]
Environment="PGX_SERVER_KEYSTORE_PASSWORD=<keystore_password>"
  3. Reload the systemd configuration by running the following command:
    sudo systemctl daemon-reload
  4. Optionally, if the keystore is vaild for a different host (other than the localhost), then update the base_url parameter for the pgx_realm configuration in the pgx.conf file with the matching host details.
     ...
  "pgx_realm": {
    "implementation": "oracle.pg.identity.DatabaseRealm",
    "options": {
      ...
      "base_url": "<request-scheme>://localhost:<request-port>"
    }
  }
  ...
    In the preceding configuration:
    • request-scheme: Value can be either HTTP or HTTPS. If not specified, then the graph server will fetch the corresponding value automatically from the browser.
    • request-port: Port number to be used. If not specified, then the graph server will fetch the corresponding value automatically from the browser.

    Replace the default localhost to the required host name.

  5. Restart the graph server.

    Caution:

    • Always use a valid certificate issued by a certificate authority (CA) which is trusted by your organization. If you do not have a CA certificate, you can temporarily create a self-signed certificate and get started. However, it is not recommended to use self-signed certificates for production environments.
    • The steps to generate a self-signed server certificate can modify the Java installation on your client-system. Only perform these steps if you are fully aware of the implications of accepting the self-signed certificates system-wide.
    • Consider carefully when using commands with sudo.

Parent topic: Using a Self-Signed Server Keystore

14.4.1.3 Configuring a Client to Trust the Self-Signed Keystore

You must configure your client application to accept the self-signed keystore.

To configure a client to trust the self-signed keystore, the root certificate must be imported to your Java installation local trust store.
  • For a Java or a Python client, you must import the root certificate to all the Java installations used by all the clients.
  • For the Graph Visualization application, you must import the root certificate to the system Java installation of the environment running the graph server (PGX) or the web server serving the graph visualization application. That is, the JDK installation which is used by the OS user running the server that serves the Graph Visualization application.

You can import the root certificate as shown in the following step:

  1. Ensure JAVA_HOME is set and run the following command as a root user or with sudo.
    sudo keytool -importkeystore -srckeystore /etc/oracle/graph/server_keystore.jks -destkeystore $JAVA_HOME/lib/security/cacerts -deststorepass changeit -srcstorepass changeit -noprompt
    where changeit is the sample keystore password. You can change this password to a password of your choice. Be sure to remember this password as you will need it to modify the certificate.

    If you are upgrading the graph server from a previous release, then you must first delete the existing certificate before importing the new certificate. Run the following command using sudo or as a root user to delete the certificate: 

    sudo keytool -delete -alias pgx -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

Parent topic: Using a Self-Signed Server Keystore