Added comments indicating that if a CA is used to sign the certificat… #160
24 changes: 14 additions & 10 deletions examples/grpc-security/README.md
@@ -1,22 +1,26 @@
# Configuring cluster gRPC communication with SSL/TLS

This guide provides instructions for configuring GraphDB cluster gRPC communication with SSL/TLS. It details how to
This guide provides instructions for configuring GraphDB cluster gRPC communication with SSL/TLS. It details how to
configure it:
* Using JSSE: By providing keystore and truststore.
* Using OpenSSL: By providing certificate file, certificate chain, private key and truststore.
* Using a certificate without chain path: By providing certificate file, private key and truststore.

**Note:**
The message that indicates that the gRPC cluster security has been set up is logged at DEBUG level so your Logger
should be configured accordingly.
* Using a certificate without chain path: By providing certificate file, private key and truststore.

**Note:**
- The message that indicates that the gRPC cluster security has been set up is logged at DEBUG level so your Logger
should be configured accordingly.
- If using standalone (self-signed) certificates for SSL/TLS configuration without a CA, and
the same certificate is applied across all nodes, that certificate must be added to the truststore.
However, if certificates are signed by a Certificate Authority (CA), the CA's root certificate
(or intermediate certificates, if applicable) should be present in the truststore.
### See more about TLS/SSL set up:
- GraphDB configuration properties : https://graphdb.ontotext.com/documentation/10.8/directories-and-config-properties.html#cluster-properties
- Tomcat documentation: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
- Troubleshooting: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Troubleshooting

## Warning

If cluster.tls.mode is set to TLS while one or more of the other TLS-related properties are not configured properly,
If cluster.tls.mode is set to TLS while one or more of the other TLS-related properties are not configured properly,
the server may not be able to start.

## Configuring using JSSE
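Review bot: the new note only covers the case where one self-signed certificate is shared by every node; when each node has its own self-signed certificate, every node's certificate has to be present in every other node's truststore, and the text should say so explicitly because that is the setup in which an incomplete truststore causes handshake failures. Two smaller points in the same hunk: add a blank line between the last note bullet and `### See more about TLS/SSL set up:` so the list and the heading render as separate blocks, and the Troubleshooting link points at `tomcat-7.0-doc` while the documentation link directly above it uses `tomcat-9.0-doc`.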
@@ -26,7 +30,7 @@ the server may not be able to start.
* Keystore that contains both the private key and certificate
* Truststore that contains the certificate to be trusted or the CA

[Configuration example](jsse.yaml)
[Configuration example](jsse.yaml)

## Configuring using OpenSSL

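Review bot: `[Configuration example](jsse.yaml)` shows the same text on both sides of the diff, which suggests a whitespace-only edit (trailing whitespace or line ending) rather than a content change; if that was not intended, drop it from the commit so the diff stays limited to the documentation change the PR title describes.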
@@ -35,13 +39,13 @@ the server may not be able to start.
* Valid certificate chain that contains the target certificate
* Truststore that contains the certificate to be trusted or the CA

[Configuration example](openssl.yaml)
[Configuration example](openssl.yaml)

## Configuring using certificate without certificate chain

**Prerequisites:**
* Certificate and certificate private key in PEM format.
* Truststore that contains the certificate to be trusted or the CA

[Configuration example](certWithoutChain.yaml)
[Configuration example](certWithoutChain.yaml)

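Review bot: the prerequisite bullet `* Truststore that contains the certificate to be trusted or the CA` is the point where a reader setting up the certificate-without-chain variant decides what goes into the truststore, but it does not say which of the two alternatives applies to their certificate; a one-line pointer to the self-signed versus CA-signed note at the top of this file (or a repeat of that rule here) would avoid adding a CA-issued leaf certificate to the truststore instead of the issuing CA.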
16 changes: 10 additions & 6 deletions examples/tomcat-security/README.md
@@ -7,11 +7,15 @@ There are 3 scenarios for configuring the security of the GraphDB instance:
- By providing a truststore - used in cases where GraphDB should trust an external service.

**Note:**
If the Tomcat server is configured with SSL/TLS it will also configure the cluster gRPC communication SSL/TLS.

**Ingress**
If you are using the default nginx ingress controller, you must include the following annotation to ensure proper
communication between the ingress and the backend:
- If the Tomcat server is configured with SSL/TLS it will also configure the cluster gRPC communication SSL/TLS.
- If using standalone (self-signed) certificates for SSL/TLS configuration without a CA, and
the same certificate is applied across all nodes, that certificate must be added to the truststore.
However, if certificates are signed by a Certificate Authority (CA), the CA's root certificate
(or intermediate certificates, if applicable) should be present in the truststore.

**Ingress**
If you are using the default nginx ingress controller, you must include the following annotation to ensure proper
communication between the ingress and the backend:
```yaml
ingress:
annotations:
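Review bot: the four added note lines are a verbatim copy of the block added to examples/grpc-security/README.md in this same PR; keep one authoritative copy (the gRPC README is the natural place, since the first bullet here already says Tomcat TLS also configures cluster gRPC TLS) and link to it from this file, otherwise the two copies will drift. The combination of those two bullets also means the truststore rule applies to trust between nodes and not only to the Tomcat connector, which is worth stating, because a truststore populated for the "trust an external service" scenario listed above may not contain the node certificates or their CA.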
@@ -23,7 +27,7 @@ ingress:
- Tomcat documentation: https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
- Troubleshooting: https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Troubleshooting

## Configuring using keystore and truststore
## Configuring using keystore and truststore

**Prerequisites:**
* Certificate and certificate private key in PEM format.
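Review bot: under `## Configuring using keystore and truststore` the prerequisites list `Certificate and certificate private key in PEM format`, but a keystore-based setup takes a keystore file (JKS or PKCS12) holding the key and certificate, as the JSSE section of the gRPC README says; either name the keystore and truststore files in this bullet or add a sentence on how the PEM files are turned into a keystore. The heading line itself shows no visible change on either side, so check that this hunk is not a whitespace-only edit.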