From 555aa3af3f998e7798b8d74becf210d66f40ffed Mon Sep 17 00:00:00 2001 From: Nick Giles Date: Wed, 19 Jun 2024 11:29:31 +0100 Subject: [PATCH 1/2] Add a tip about needing server and client usage in intra-cluster TLS certificates Servers act as both servers and clients, and will complain if they only have one of the modes --- .../pages/clustering/setup/encryption.adoc | 19 +++++++++++++++++++ .../ROOT/pages/security/ssl-framework.adoc | 18 ++++++++++++++++++ 2 files changed, 37 insertions(+) diff --git a/modules/ROOT/pages/clustering/setup/encryption.adoc b/modules/ROOT/pages/clustering/setup/encryption.adoc index ba1c00105..4b61413bc 100644 --- a/modules/ROOT/pages/clustering/setup/encryption.adoc +++ b/modules/ROOT/pages/clustering/setup/encryption.adoc 
@@ -39,6 +39,25 @@ The generation of xref:security/ssl-framework.adoc#term-ssl-cryptographic-object It generally requires having a PKI with a xref:security/ssl-framework.adoc#term-ssl-certificate-authority[Certificate Authority (CA)] within the organization and they should be able to advise here. Note that the information in this manual relating to the PKI is mainly for illustrative purposes. +[TIP] +==== +If setting up intra-cluster encryption as part of a cluster configuration, do ensure that the certificates used on the cluster endpoint supports both Server and Client usage. +This is because when connecting between the Neo4j servers for clustering, each server will use its own certificate to authenticate as a client on the connection to another server. + +This could be verified from within the certificate details: + +``` +openssl x509 -in public.crt -noout -text +``` +We should see that the X509v3 Extended Key Usage section shows both the usages listed: + +``` +X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication +``` +==== + + When the certificates and private keys are obtained they can be installed on each of the servers. Each server has a certificate of its own, signed by a CA, and the corresponding private key. The certificate of the CA is installed into the `trusted` directory, and any certificate signed by the CA is thus trusted. diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 2a26d4f01..4eb2deafe 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc 
@@ -100,6 +100,24 @@ If the same certificates are used across all instances of the cluster, make sure Multi-host and wildcard certificates are also supported. ==== +[TIP] +==== +If setting up intra-cluster encryption as part of a cluster configuration, do ensure that the certificates used on the cluster endpoint supports both Server and Client usage. +This is because when connecting between the Neo4j servers for clustering, each server will use its own certificate to authenticate as a client on the connection to another server. + +This could be verified from within the certificate details: + +``` +openssl x509 -in public.crt -noout -text +``` +We should see that the X509v3 Extended Key Usage section shows both the usages listed: + +``` +X509v3 Extended Key Usage: + TLS Web Server Authentication, TLS Web Client Authentication +``` +==== + ==== Transformations Neo4j requires all SSL certificates to be in the `PEM` format. From 58a2f5c5eb26cc91aeb610f161383e9572b4ce2f Mon Sep 17 00:00:00 2001 From: Nick Giles Date: Wed, 19 Jun 2024 12:03:06 +0100 Subject: [PATCH 2/2] Apply review suggestions --- modules/ROOT/pages/clustering/setup/encryption.adoc | 12 ++++++------ modules/ROOT/pages/security/ssl-framework.adoc | 12 ++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/modules/ROOT/pages/clustering/setup/encryption.adoc b/modules/ROOT/pages/clustering/setup/encryption.adoc index 4b61413bc..080681f3a 100644 --- a/modules/ROOT/pages/clustering/setup/encryption.adoc +++ b/modules/ROOT/pages/clustering/setup/encryption.adoc 
@@ -41,20 +41,20 @@ Note that the information in this manual relating to the PKI is mainly for illus [TIP] ==== -If setting up intra-cluster encryption as part of a cluster configuration, do ensure that the certificates used on the cluster endpoint supports both Server and Client usage. -This is because when connecting between the Neo4j servers for clustering, each server will use its own certificate to authenticate as a client on the connection to another server. +If setting up intra-cluster encryption as part of a cluster configuration, ensure that the certificates used on the cluster endpoint support server and client usage. +This is because when connecting between the Neo4j servers for clustering, each server uses its own certificate to authenticate as a client on the connection to another server. This could be verified from within the certificate details: -``` +---- openssl x509 -in public.crt -noout -text -``` +---- We should see that the X509v3 Extended Key Usage section shows both the usages listed: -``` +---- X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication -``` +---- ==== diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc index 4eb2deafe..648348e07 100644 --- a/modules/ROOT/pages/security/ssl-framework.adoc +++ b/modules/ROOT/pages/security/ssl-framework.adoc 
@@ -102,20 +102,20 @@ Multi-host and wildcard certificates are also supported. [TIP] ==== -If setting up intra-cluster encryption as part of a cluster configuration, do ensure that the certificates used on the cluster endpoint supports both Server and Client usage. -This is because when connecting between the Neo4j servers for clustering, each server will use its own certificate to authenticate as a client on the connection to another server. +If setting up intra-cluster encryption as part of a cluster configuration, ensure that the certificates used on the cluster endpoint support server and client usage. +This is because when connecting between the Neo4j servers for clustering, each server uses its own certificate to authenticate as a client on the connection to another server. This could be verified from within the certificate details: -``` +---- openssl x509 -in public.crt -noout -text -``` +---- We should see that the X509v3 Extended Key Usage section shows both the usages listed: -``` +---- X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication -``` +---- ==== ==== Transformations
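Review bot: In the first patch's encryption.adoc hunk, the two code fences inside the new `[TIP]` block use Markdown triple backticks rather than the AsciiDoc listing delimiter `----` that the rest of these pages use; Asciidoctor does accept fenced blocks, but the page convention is `----`, and the second commit does switch to it. In the same hunk, "the certificates used on the cluster endpoint supports both Server and Client usage" has a subject/verb mismatch ("certificates ... support") and the capitalised "Server"/"Client" are not extension names, so lower case is clearer; the second commit also fixes this. One thing the follow-up does not touch: the hunk adds two blank lines between the closing `====` and "When the certificates and private keys are obtained", where one is enough.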
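Review bot: In the first patch's ssl-framework.adoc hunk, the entire tip is pasted verbatim from encryption.adoc, so the two copies will drift the moment one is edited (the second commit already had to apply the same six-line change in both files). Consider moving the tip into a partial and pulling it in from both pages with an `include::` directive, or keeping the full text in ssl-framework.adoc and having the clustering page cross-reference it with an `xref:` like the existing links in this file. Also, `+[TIP]` follows the previous block's closing `====` with no blank line between them; add one so the block boundary is unambiguous.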
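Review bot: In the second patch's encryption.adoc hunk, the verification step is incomplete for one common case: the text says the `X509v3 Extended Key Usage` section should show both usages, but a certificate with no Extended Key Usage extension at all is not restricted to any purpose (RFC 5280 section 4.2.1.12 only constrains use when the extension is present), so a reader whose `openssl x509 ... -text` output has no such section may wrongly conclude the certificate is unsuitable. Suggest adding a sentence along the lines of "If the certificate has no Extended Key Usage extension it is not restricted and is also acceptable; if the extension is present it must list both usages." It would also help to state the failure symptom from the commit message in the doc itself (a server with a server-only certificate is rejected when it connects as a client), since that is what a reader troubleshooting a cluster will search for.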
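Review bot: In the second patch's ssl-framework.adoc hunk, the wording the review fixed in the first two lines is still present further down: "This could be verified from within the certificate details" reads as hypothetical and "We should see that ... shows both the usages listed" uses first person, which the surrounding page avoids. Suggest "This can be verified from the certificate details:" and "The `X509v3 Extended Key Usage` section should list both usages:". On OpenSSL 1.1.1 and later the command can also be narrowed to just that extension with `openssl x509 -in public.crt -noout -ext extendedKeyUsage`, which avoids scrolling through the full `-text` dump; worth mentioning as an alternative if you are happy to assume that version.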