SSL encryption¶

NebulaGraph supports SSL encrypted transfers between the Client, Graph Service, Meta Service, and Storage Service, and this topic describes how to set up SSL encryption.

Precaution¶

Enabling SSL encryption will slightly affect the performance, such as causing operation latency.

Certificate modes¶

To use SSL encryption, SSL certificates are required. NebulaGraph supports two certificate modes.

Self-signed certificate mode

A certificate that is generated by the server itself and signed by itself. In the self-signed certificate mode, the server needs to generate its own SSL certificate and key, and then use its own private key to sign the certificate. It is suitable for building secure communications for systems and applications within a LAN.

CA-signed certificate mode

A certificate granted by a trusted third-party Certificate Authority (CA). In the CA signed certificate mode, the server needs to apply for an SSL certificate from a trusted CA and ensure the authenticity and trustworthiness of the certificate through the auditing and signing of the certificate authority center. It is suitable for public network environment, especially for websites, e-commerce and other occasions that need to protect user information security.

Authentication policies¶

Policies for the NebulaGraph community edition.

Scene	TLS
External device access to Graph	Modify the Graph configuration file to add the following parameters: `--enable_graph_ssl = true` `--ca_path=xxxxxx` `--cert_path=xxxxxx` `--key_path=xxxxxx`
Graph access Meta	In the Graph/Meta configuration file, add the following parameters: `--enable_meta_ssl = true` `--ca_path=xxxxxx` `--cert_path=xxxxxx` `--key_path=xxxxxx`
Graph access Storage Meta access Storage	In the Graph/Meta/Storage configuration file, add the following parameters: `--enable_storage_ssl = true` `--ca_path=xxxxxx` `--cert_path=xxxxxx` `--key_path=xxxxxx`
Graph access Meta/Storage Meta access Storage	In the Graph/Meta/Storage configuration file, add the following parameters: `--enable_meta_ssl = true` `--enable_storage_ssl = true` `--ca_path=xxxxxx` `--cert_path=xxxxxx` `--key_path=xxxxxx`
External device access to Graph Graph access Meta/Storage Meta access Storage	In the Graph/Meta/Storage configuration file, add the following parameters: `--enable_ssl = true` `--ca_path=xxxxxx` `--cert_path=xxxxxx` `--key_path=xxxxxx`

The parameters are described below.

Parameter	Default value	Description
`cert_path`	-	The path to the SSL public key certificate. This certificate is usually a `.pem` or `.crt` file, which is used to prove the identity of the server side, and contains information such as the public key, certificate owner, digital signature, and so on.
`key_path`	-	The path to the SSL key. The SSL key is usually a `.key` file.
`password_path`	-	(Optional) The path to the password file for the SSL key. Some SSL keys are encrypted and require a corresponding password to decrypt. We need to store the password in a separate file and use this parameter to specify the path to the password file.
`ca_path`	-	The path to the SSL root certificate. The root certificate is a special SSL certificate that is considered the highest level in the SSL trust chain and is used to validate and authorize other SSL certificates.
`enable_ssl`	`false`	Whether to enable SSL encryption in all services. only.
`enable_graph_ssl`	`false`	Whether to enable SSL encryption in the Graph service only.
`enable_meta_ssl`	`false`	Whether to enable SSL encryption in the Meta service only.
`enable_storage_ssl`	`false`	Whether to enable SSL encryption in the Storage service only.

Example of TLS¶

For example, using self-signed certificates and TLS for data transfers between the client NebulaGraph Python, the Graph service, the Meta service, and the Storage service. You need to set up all three Graph/Meta/Storage configuration files as follows:
```
--enable_ssl=true
--ca_path=xxxxxx
--cert_path=xxxxxx
--key_path=xxxxxx
```
When the changes are complete, restart these services to make the configuration take effect.
To connect to the Graph service using NebulaGraph Python, you need to set up a secure socket and add a trusted CA. For code examples, see nebula-test-run.py.

Last update: October 24, 2023