How to set up SSL communcation when running Neo4j within a Docker Container
Neo4j 3.2 added a Unified SSL Framework to setup secure connections for Bolt, HTTPS and Intra-Cluster Encryption. Details on this framework can be found at: https://neo4j.com/docs/operations-manual/current/security/ssl-framework/
Setting up secure Bolt and HTTPS communications when running Neo4j within a Docker Container requires some specific steps and configuration settings:
The below steps assume you’ve followed the process outlined in the above documentation link and have created your public cert and private key.
The Neo4j Docker image exposes a /ssl volume for mounting a directory on the host machine for storage of the certs:
In the above example, a local folder ($HOME/neo4j/ssl) will be used to store the cert and key.
The Neo4j Docker container allows for use of a /conf volumn so that you are able to setup configuration settings in a Neo4j.conf file:
Using the above setting, we can modify the settings in a the Neo4j.conf file and place that file in the $HOME/neo4j/conf folder.
Alternatively, Environment variables can be used to set the configuration settings, as outlined here:
To configure secure Bolt and HTTPs communication, the following configuration parameters are required:
A key note here is that base_directory setting starts with
/ssl - this will be mapped to the mounted drive and look for
client_policy directory in the
With the above settings, the following folder structure and files on the host will be required:
$HOME/neo4j/ssl/client_policy/ $HOME/neo4j/ssl/client_policy/private.key $HOME/neo4j/ssl/client_policy/public.crt $HOME/neo4j/ssl/client_policy/trusted/ $HOME/neo4j/ssl/client_policy/revoked/
If the key/crt files are named something other then the default, the following settings will be required:
The following is a sample Command to start the Docker container with the above settings:
$ docker run --publish=7473:7473 --publish=7687:7687 --volume=$HOME/neo4j/ssl:/ssl --volume=$HOME/neo4j/conf:/conf --env=NEO4J_ACCEPT_LICENSE_AGREEMENT=yes neo4j:3.4-enterprise
Was this page helpful?