Introduction
Communication with the AllegroGraph server is via AllegroGraph’s RESTful interface. All commands to the server are translated into HTTP statements which are transmitted to the server, and responses are transmitted back in the same fashion.
Administrators have the option of specifying that communication occurs with just ordinary security (usernames and passwords, and users having specified permissions which permit or deny access and actions) or all that plus enhanced security.
Enhanced security comes from using a SSL/TLS interface. AllegroGraph supports two way SSL/TLS, with certificates on both sides.
In this document we describe how to set up an AllegroGraph server to use SSL/TLS and to be accessed with an https URL.
(Some programs that are run on the same machine and by the same user as the server do communicate directly with the server rather than through the REST interface.)
Assumptions
We assume that
- You have a server certificate and a private key.
- You have configured your clients to trust the server certificate.
Configuration steps
Copy the PEM-encoded server certificate and unencrypted private key into a single file.
Ensure the configuration file (normally lib/agraph.cfg) includes values for the following (configuration directives are documented in the Server Configuration and Control document):
# The port number to use for HTTPS.
SSLPort [Integer suitable as a port number]
# The path to the file containing the PEM-encoded server
# certificate and private key.
SSLCertificate [PATH TO SERVER-CERT-AND-KEY.PEM]
The SSL Port will be active when you start (or restart) the AllegroGraph server.
You can have both a SSLPort and a regular port, such as having these lines in the agraph.cfg file:
SSLPort 10036
Port 10035
The server will listen on both ports, the first accessed with https and the second with http.
Testing
Assuming the SSLPort number is 10036, i.e. agraph.cfg contains the line
SSLPort 10036
execute the following curl command (replacing 10036 with the actual SSLPort number if different):
curl -k https://[HOST]:10036/version
where [HOST] identifies the machine running the server (use localhost
if running curl on the same machine as the server). If the SSL/TLS connection is working, the version of AllegroGraph (8.1.0) will be printed.
Other SSL/TLS configuration directives
See the section Top-level directives for SSL client certificate authentication in the Server Configuration and Control document for other configuration directives associated with SSL/TLS.