Skip to content

SSL encryption

NebulaGraph supports data transmission with SSL encryption between clients, the Graph service, the Meta service, and the Storage service. This topic describes how to enable SSL encryption.

Precaution

Enabling SSL encryption will slightly affect the performance, such as causing operation latency.

Parameters

Parameter Default value Description
cert_path - The path to the PEM certification.
key_path - The path to the key certification.
password_path - The path to the password file certification.
ca_path - The path to the trusted CA file.
enable_ssl false Whether to enable SSL encryption.
enable_graph_ssl false Whether to enable SSL encryption in the Graph service only.
enable_meta_ssl false Whether to enable SSL encryption in the Meta service only.

Certificate modes

To use SSL encryption, SSL certificates are required. NebulaGraph supports two certificate modes.

  • Self-signed certificate mode

    In this mode, users need to make the signed certificate by themselves and set cert_path, key_path, and password_path in the corresponding file according to encryption policies.

  • CA-signed certificate mode

    In this mode, users need to apply for the signed certificate from a certificate authority and set cert_path, key_path, and password_path in the corresponding file according to encryption policies.

Encryption policies

NebulaGraph supports three encryption policies. For details, see Usage explanation.

  • Encrypt the data transmission between clients, the Graph service, the Meta service, and the Storage service.

    Add enable_ssl = true to the configuration files of nebula-graphd.conf, nebula-metad.conf, and nebula-storaged.conf.

  • Encrypt the data transmission between clients and the Graph service.

    This policy applies to the case that the clusters are set in the same server room. Only the port of the Graph service is open to the outside because other services can communicate over the internal network without encryption. Add enable_graph_ssl = true to the configuration file of nebula-graphd.conf.

  • Encrypt the data transmission related to the Meta service in the cluster.

    This policy applies to transporting classified information to the Meta service. Add enable_meta_ssl = true to the configuration files of nebula-graphd.conf, nebula-metad.conf, and nebula-storaged.conf.

Steps

  1. Ensure the certificate mode and the encryption policy.

  2. Add the certificate configuration and the policy configuration in corresponding files.

    For example, the three configuration files need to be set as follows when using a self-signed certificate and encrypt data transmission between clients, the Graph service, the Meta service, and the Storage service.

    --cert_path=xxxxxx
--key_path=xxxxx
--password_path=xxxxxx
--enable_ssl=true

  3. Set the SSL and the trusted CA in clients. For code examples, see nebula-test-run.py.

Last update: February 19, 2024