Skip to content

SSL encryption

NebulaGraph supports SSL encrypted transfers between the Client, Graph Service, Meta Service, and Storage Service, and this topic describes how to set up SSL encryption.

Precaution

Enabling SSL encryption will slightly affect the performance, such as causing operation latency.

Certificate modes

To use SSL encryption, SSL certificates are required. NebulaGraph supports two certificate modes.

  • Self-signed certificate mode

    A certificate that is generated by the server itself and signed by itself. In the self-signed certificate mode, the server needs to generate its own SSL certificate and key, and then use its own private key to sign the certificate. It is suitable for building secure communications for systems and applications within a LAN.

  • CA-signed certificate mode

    A certificate granted by a trusted third-party Certificate Authority (CA). In the CA signed certificate mode, the server needs to apply for an SSL certificate from a trusted CA and ensure the authenticity and trustworthiness of the certificate through the auditing and signing of the certificate authority center. It is suitable for public network environment, especially for websites, e-commerce and other occasions that need to protect user information security.

Authentication policies

Policies for the NebulaGraph community edition.

Scene TLS
External device access to Graph Modify the Graph configuration file to add the following parameters:
--enable_graph_ssl = true
--ca_path=xxxxxx
--cert_path=xxxxxx
--key_path=xxxxxx
Graph access Meta In the Graph/Meta configuration file, add the following parameters:
--enable_meta_ssl = true
--ca_path=xxxxxx
--cert_path=xxxxxx
--key_path=xxxxxx
Graph access Storage
Meta access Storage
In the Graph/Meta/Storage configuration file, add the following parameters:
--enable_storage_ssl = true
--ca_path=xxxxxx
--cert_path=xxxxxx
--key_path=xxxxxx
Graph access Meta/Storage
Meta access Storage
In the Graph/Meta/Storage configuration file, add the following parameters:
--enable_meta_ssl = true
--enable_storage_ssl = true
--ca_path=xxxxxx
--cert_path=xxxxxx
--key_path=xxxxxx
External device access to Graph
Graph access Meta/Storage
Meta access Storage
In the Graph/Meta/Storage configuration file, add the following parameters:
--enable_ssl = true
--ca_path=xxxxxx
--cert_path=xxxxxx
--key_path=xxxxxx

The parameters are described below.

Parameter Default value Description
cert_path - The path to the SSL public key certificate. This certificate is usually a .pem or .crt file, which is used to prove the identity of the server side, and contains information such as the public key, certificate owner, digital signature, and so on.
key_path - The path to the SSL key. The SSL key is usually a .key file.
password_path - (Optional) The path to the password file for the SSL key. Some SSL keys are encrypted and require a corresponding password to decrypt. We need to store the password in a separate file and use this parameter to specify the path to the password file.
ca_path - The path to the SSL root certificate. The root certificate is a special SSL certificate that is considered the highest level in the SSL trust chain and is used to validate and authorize other SSL certificates.
enable_ssl false Whether to enable SSL encryption in all services. only.
enable_graph_ssl false Whether to enable SSL encryption in the Graph service only.
enable_meta_ssl false Whether to enable SSL encryption in the Meta service only.
enable_storage_ssl false Whether to enable SSL encryption in the Storage service only.

Example of TLS

  1. For example, using self-signed certificates and TLS for data transfers between the client NebulaGraph Python, the Graph service, the Meta service, and the Storage service. You need to set up all three Graph/Meta/Storage configuration files as follows:

    --enable_ssl=true
    --ca_path=xxxxxx
    --cert_path=xxxxxx
    --key_path=xxxxxx
    
  2. When the changes are complete, restart these services to make the configuration take effect.

  3. To connect to the Graph service using NebulaGraph Python, you need to set up a secure socket and add a trusted CA. For code examples, see nebula-test-run.py.


Last update: October 24, 2023