The core tasks to carry out to implement HTTPS and SSL security layers are:
Configure SSL certificates in Nginx
Configure TLS certificates in Nginx to enable secure data exchange through the web server.
About TLS certificates
the Intelligence Center configures Nginx to read the TLS private key and certificate files from the /etc/eclecticiq-nginx/ssl directory.
The TLS private key file for the Intelligence Center is eclecticiq-default.privkey.pem, whereas the certificate file is eclecticiq-default.fullchain.pem.
If these files do not exist when the Intelligence Center is installed, the installation procedure generates a localhost self-signed certificate as a temporary workaround.
Do not use self-signed TSL or SSL certificates in a production environment.
They are meant for development and testing.
They are unsuitable for deployment in a live system.
Set private key and certificate in Nginx
To set your valid TLS private key and certificate files in Nginx:
Overwrite the eclecticiq-default.privkey.pem and the eclecticiq-default.fullchain.pem files, or the self-signed certificate generated during the installation.
If there is a script that takes care of updating certificates located in a different path:
Create symbolic links (symlinks) to the location where Nginx looks for these credentials:
Every time the private key or the certificate files change, reload the Nginx service to make the changes effective:
systemctl reload nginx
Enable client certificate verification
Nginx supports client certificate verification through the following directives:
To enable TLS client certificate verification:
Create the following file:
Add the following lines to the newly created file:
ssl_client_certificate /etc/nginx/certs/ca.crt; ssl_verify_client on;
The ca.crt file is the public key part of the certificate used to sign the client certificates.
You can obtain this file from a certification authority (CA).
Enable HTTP Strict Transport Security (HSTS)
Enforce HTTP Strict Transport Security (HSTS) in Nginx to allow only secure connections through HTTPS and TLS/SSL.
HTTP Strict Transport Security (HSTS) provides an additional security layer by allowing communication only through HTTPS connections.
You can implement it by adding the Strict-Transport-Security HTTP response header to the web server configuration.
Set Strict-Transport-Security in Nginx
To add the the Strict-Transport-Security HTTP response header to the Nginx configuration:
Add the following line to the configuration file:
# max-age=15768000: 6 months
# max-age=31536000: 1 year
# max-age=63072000: 2 years
Save the file and exit.
Enable the service
If necessary, enable, start, and then check the Nginx service:
Enable the Nginx service to automatically start at system boot:
Start the Nginx service:
systemctl start nginx
Verify that Nginx is up and running by checking the service status:
systemctl status nginx
Configure HTTPS and authentication in Neo4j
If Neo4j is hosted on a server that has network access, it is a good idea to enable secure access and user access control through HTTPS/SSL and an authentication mechanism.
Enable secure access
To enable access to Neo4j through a secure connection:
Set the transport protocol to HTTPS.
Set a secure port.
Provide a valid SSL key and certificate pair.
On first-time start, Neo4j automatically generates a self-signed SSL certificate and a private key.
For production environments, replace these files with your own SSL key and certificate.
By default, the neo4j.conf port for HTTPS access is 7473: set it to a different port.
The Neo4j official documentation provides comprehensive instructions and reference on enabling SSL and HTTPS, as well as setting certificates and keys.
These tasks require editing the /etc/eclecticiq-neo4j/neo4j.conf and the /etc/eclecticiq/platform_settings.py configuration files.
neo4j.conf: define a policy with SSL certificate and key.
platform_settings.py: add or edit the following parameters, so that the Intelligence Center is aware that communication with Neo4j flows through HTTP and SSL.
# Replace all sample values with appropriate ones for your environment
# Specify HTTPS and secure port for Neo4j
# Specify SSL cert for Neo4j
The port number you assign to NEO4J_URL must be the same as the port number you set in the dbms.connector.https connector in the neo4j.conf configuration file.
The value you assign to NEO4J_SSL_VERIFY must point to the SSL certificate file whose path you set in the dbms.ssl.policy parameter group, where:
To enable authentication for Neo4j:
Enable authentication in Neo4j.
Set the correct Neo4j login user name and password in the Intelligence Center settings file.
These tasks require editing the /etc/eclecticiq-neo4j/neo4j.conf and the /etc/eclecticiq/platform_settings.py configuration files:
neo4j.conf: enable authentication and authorization.
Optionally, you can set an initial password.
platform_settings.py: add or edit the following parameters, so that the Intelligence Center can log in to Neo4j with the credentials specified in neo4j.conf:
# Default Neo4j user name to log in to Neo4j
# Default Neo4j password to log in to Neo4j
Change any default values for user name and password as appropriate.
If you do not need to enable authentication, remove the NEO4J_USER parameter, or set it to NEO4J_USER = "".
For more information about Neo4j setup and configuration, see:
Disable remote shell
For security reasons, disable the Neo4j remote shell by adding the following line to the /etc/eclecticiq-neo4j/neo4j.conf configuration file:
# Disable Neo4j remote shell dbms.shell.enabled=false
Enable the service
Enable the Neo4j service to automatically start at system boot:
systemctl start neo4j
Check if Neo4j is running:
systemctl status neo4j