01-20-2020 11:59 PM
How do we inject an SSL cert with the standalone version (and the Standalone bash script shown here)?
I've done this in the past using Azure Key Vault with an Ubuntu VM and NGINX. But I don't know what kind of web server is hosting the Azure Neo4j Enterprise Standalone version.
Thanks
01-21-2020 04:20 AM
This article covers how to set up SSL simply with Neo4j using LetsEncrypt certificates.
If you have other certificates already, then you'll need to follow the Neo4j docs, which are here:
https://neo4j.com/docs/operations-manual/current/security/ssl-framework/#ssl-configuration
Basically, you have to automate the placement of the key & cert files into a particular directory, and then write content into the /etc/neo4j/neo4j.template file (assuming you're using the Azure VM image) to refer to those.
01-21-2020 09:50 PM
Thanks for the prompt response Mr. Allen. Here is a first stab at putting a script together for self-signed SSL certs using Azure Key Vault (my preferred method). Perhaps you or someone in the forums could look this over and provide advice / insights on where to improve.
I'm specifically stuck on how to get the neo4j.template information into the file during deployment. Fairly certain I need to use --custom-data, but unsure how to do this.
Sample script
#!/bin/bash
# Enter variables below.
# Change script file to executable. Run (on Linux) with ./AzureServiceScriptName.sh > AzureServiceSetupLog.txt
export SUBSCRIPTION=mySubscriptionID
# Deployment information
export LOCATION=westus
export RESOURCE_GROUP_NAME=neo4jj-rg
# Network information
export NETWORK_SEC_GROUP=neo4jj-nsg
export IP_ADDRESS_TYPE=static
export SOURCE_IP_ADDRESS=my.ip.address.here/32
# VM information
export SVC_PUBLISHER=neo4j
export SVC_OFFER=neo4j-enterprise-3_5
export SVC_SKU=neo4j_3_5_5_apoc
export SVC_VERSION=latest
export VM_NAME=neo4jj-vm
export VM_SIZE=Standard_A2m_v2
export VM_IMAGE=$SVC_PUBLISHER:$SVC_OFFER:$SVC_SKU:$SVC_VERSION
# UN PW's
export VM_ADMIN_USERNAME=myAdminUN
export VM_ADMIN_PASSWORD=myAdminPW
export SVC_PASSWORD=myAdminPW
# Keyvault SSL information
export KEYVAULT_NAME=neo4jKeyvault
export SSL_CERT_NAME=neo4jSSL

# Create a resource group
az group create \
    --name "$RESOURCE_GROUP_NAME" \
    --location "$LOCATION"

# Create a network security group
az network nsg create \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --location "$LOCATION" \
    --name "$NETWORK_SEC_GROUP"

# Assign NSG rules to allow inbound traffic on Neo4j ports (HTTPS, HTTP, Bolt)
# from the single source address only
prio=1000
for port in 7473 7474 7687; do
    az network nsg rule create \
        --resource-group "$RESOURCE_GROUP_NAME" \
        --nsg-name "$NETWORK_SEC_GROUP" \
        --source-address-prefixes "$SOURCE_IP_ADDRESS" \
        --name "neo4j-allow-$port" \
        --protocol tcp \
        --priority "$prio" \
        --destination-port-range "$port"
    prio=$((prio + 1))
done

# Create a keyvault in the resource group
az keyvault create \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --name "$KEYVAULT_NAME" \
    --enabled-for-deployment

# Create an SSL cert in the keyvault (takes a few mins to generate)
az keyvault certificate create \
    --vault-name "$KEYVAULT_NAME" \
    --name "$SSL_CERT_NAME" \
    --policy "$(az keyvault certificate get-default-policy)"

# Prepare the SSL cert for use in the VM
# (the variable is lower-case "secret" and must be referenced as such below)
secret=$(az keyvault secret list-versions \
    --vault-name "$KEYVAULT_NAME" \
    --name "$SSL_CERT_NAME" \
    --query "[?attributes.enabled].id" --output tsv)
VM_SECRET=$(az vm secret format --secrets "$secret")

# Create a `neo4j.template` file in the current directory with the following content
cat > neo4j.template <<EOF
dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=your.domain.com
bolt.ssl_policy=default
dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
dbms.ssl.policy.default.allow_key_generation=false
dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
dbms.ssl.policy.default.client_auth=NONE
EOF

# Create the actual VM and inject the SSL cert
az vm create \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --name "$VM_NAME" \
    --image "$VM_IMAGE" \
    --vnet-name "$VM_NAME-vnet" \
    --subnet "$VM_NAME-subnet" \
    --admin-username "$VM_ADMIN_USERNAME" \
    --public-ip-address-allocation "$IP_ADDRESS_TYPE" \
    --size "$VM_SIZE" \
    --generate-ssh-keys \
    --custom-data neo4j.template \
    --secrets "$VM_SECRET"

# Attach the NSG to the default assigned NIC name
az network nic update \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --name "${VM_NAME}VMNic" \
    --network-security-group "$NETWORK_SEC_GROUP"

# Open port 443 of the VM
az vm open-port \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --name "$VM_NAME" \
    --priority 900 \
    --port 443

# Open port 22 of the VM
az vm open-port \
    --resource-group "$RESOURCE_GROUP_NAME" \
    --name "$VM_NAME" \
    --priority 901 \
    --port 22
01-22-2020 04:29 AM
If you're not familiar with Azure, this is going to take some learning curve because what you're trying to do here is fairly advanced, but I can give you the sketch of what needs to happen.
First -- make sure that you have read this entire documentation page. The rest of what I'm going to say won't make sense without it. In particular take note of the systemctl bits, and make sure you understand what neo4j.template is and what it's doing. https://neo4j.com/developer/neo4j-cloud-vms/
Second -- the rough approach that you should use is like this: use az vm run-command (documented here: https://docs.microsoft.com/en-us/cli/azure/vm/run-command?view=azure-cli-latest) to run a shell script that you wrote. Use sed to do the edits that you need to /etc/neo4j/neo4j.template, and at the very end of the script when your edits are done, execute systemctl restart neo4j to restart neo4j. Using az vm run-command you can do whatever you want with the VM after the fact, so this is probably how I would approach it, and the result will be automate-able.
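The run-command approach sketched above, as an added example that is not from either poster: a script shipped to the VM with `az vm run-command invoke` that edits /etc/neo4j/neo4j.template in place with sed (idempotently, so re-running it never duplicates a setting), refuses to proceed if the key/cert files are missing or the private key is readable by other users, and restarts neo4j. It assumes (not stated in the thread) that neo4j.key and neo4j.cert have already been placed in /var/lib/neo4j/certificates and that the image is Debian/Ubuntu with GNU sed.

```shell
#!/bin/sh
# Added example: edit /etc/neo4j/neo4j.template on the Azure Neo4j 3.5 VM, then
# restart. Run it remotely with the hostname as the single argument, e.g.:
#   az vm run-command invoke -g "$RESOURCE_GROUP_NAME" -n "$VM_NAME" \
#     --command-id RunShellScript --scripts @configure-neo4j-ssl.sh \
#     --parameters your.domain.com
# Assumes neo4j.key/neo4j.cert already exist in /var/lib/neo4j/certificates
# (unpacking the Key Vault secret is not shown) and GNU sed (Debian/Ubuntu).
set -e
# Set KEY=VALUE in FILE: replace an existing line (even a commented-out one)
# or append, so re-running the script never duplicates a setting.
# VALUE must not contain '|' or '&' (sed replacement metacharacters).
set_property() {
    file=$1; key=$2; value=$3
    esc_key=$(printf '%s' "$key" | sed 's/[.[\*^$]/\\&/g')
    if grep -q "^#\{0,1\}${esc_key}=" "$file"; then
        sed -i "s|^#\{0,1\}${esc_key}=.*|${key}=${value}|" "$file"
    else
        printf '%s=%s\n' "$key" "$value" >> "$file"
    fi
}
# Refuse to enable SSL if the files are missing or the private key is readable
# by users other than its owner/group (last permission digit non-zero).
check_cert_files() {
    [ -f "$1/neo4j.key" ] && [ -f "$1/neo4j.cert" ] || return 1
    case "$(stat -c '%a' "$1/neo4j.key")" in *[1-7]) return 2 ;; esac
}
# The same settings the question's template writes, plus https.ssl_policy so
# the 7473 HTTPS connector uses the certificate too (Neo4j 3.5 setting name).
configure_ssl_template() {
    tmpl=$1; certdir=$2; host=$3
    set_property "$tmpl" dbms.connectors.default_listen_address 0.0.0.0
    set_property "$tmpl" dbms.connectors.default_advertised_address "$host"
    set_property "$tmpl" bolt.ssl_policy default
    set_property "$tmpl" https.ssl_policy default
    set_property "$tmpl" dbms.ssl.policy.default.base_directory "$certdir"
    set_property "$tmpl" dbms.ssl.policy.default.allow_key_generation false
    set_property "$tmpl" dbms.ssl.policy.default.private_key "$certdir/neo4j.key"
    set_property "$tmpl" dbms.ssl.policy.default.public_certificate "$certdir/neo4j.cert"
    set_property "$tmpl" dbms.ssl.policy.default.revoked_dir "$certdir/revoked"
    set_property "$tmpl" dbms.ssl.policy.default.client_auth NONE
}
# Only touch the system when a hostname argument is given; sourcing the file
# without arguments just defines the functions (handy for testing).
if [ "$#" -eq 1 ]; then
    CERT_DIR=/var/lib/neo4j/certificates
    check_cert_files "$CERT_DIR" || { echo "bad or missing key/cert in $CERT_DIR" >&2; exit 1; }
    configure_ssl_template /etc/neo4j/neo4j.template "$CERT_DIR" "$1"
    systemctl restart neo4j
fi
```

Because the edit is a replace-or-append per key, the same script can be re-run after a certificate rotation or a template change without leaving stale duplicate lines behind.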
01-27-2020 07:31 PM
Hi David,
Do you have a default neo4j.template file handy?
01-28-2020 04:27 AM
It's baked into the Azure image itself. Just launch a test image stand-alone in any configuration, and copy the file right out of the image.
12-10-2022 07:02 AM
This does not work anymore.