Connecting remote databases
This section describes the steps required to guarantee a secure connection to a remote database.
In the following example, a remote alias in DBMS A will connect to a remote database named Db1 in DBMS B.
A remote alias defines:
-
Which user of the remote
DBMS Bis used. -
Where the remote database is located.
-
How we connect to the remote database using driver settings.
|
In order to guarantee a secure connection, the following steps are required:
1. Configuration needed on the remote DBMS (Administrator B)
-
Create the user to share with Administrator A. Currently, only user and password based authentication such as native authentication are supported.
-
Define the permissions for the user as you see fit.
-
Securely transmit the credentials to Administrator A, setting up the link to database
Db1.
|
2. Configuration needed on the DBMS with the remote database alias (Administrator A)
2.1. Generate an encryption key
To authorize anyone to be able to access a remote database alias, the credentials of a user of DBMS B are reversibly encrypted and stored in the system database of DBMS A.
The algorithm used is AES/GCM.
Therefore, an AES encryption key needs to be provided.
It should have length 256, and be stored in a password protected keystore of format pkcs12.
The key can be generated using the following keytool command, which requires a password:
keytool -genseckey -keyalg aes -keysize 256 -storetype pkcs12 -keystore [key-store-name] -alias [key-name] -storepass [password]|
It is recommended to generate the keystore on the same Java version on which Neo4j is run, as the supported encryption algorithms may vary. For details on the version of Java required by Neo4j, see Java. |
2.2. Set configuration
The following configuration is necessary for creating a remote database alias:
| Configuration | Description |
|---|---|
The path to the keystore file |
|
The password to the keystore file |
|
The name of the secret key |
To protect the symmetric key to ensure the integrity of the connection to the remote database, the keystore should be stored in a trusted location, which should be accessible only by admins and readable by the Neo4j user.
In a cluster the keystore file needs to be shared over all servers.
2.3. Managing remote database aliases
Use the alias commands to manage remote database aliases.
It is encouraged to connect to a remote database alias with a secured connection.
Please note that only client-side SSL is supported.
By default, remote aliases require a secured URI scheme such as neo4j+s.
This can be disabled by setting the driver setting ssl_enforced to false.
In order to do so, either database management or alias management privileges are required. Grant the access privileges to use the remote database alias.
If a transaction modifies an alias, other transactions concurrently executing against that alias may be aborted and rolled back for safety. This prevents issues such as a transaction executing against multiple target databases for the same alias.
Was this page helpful?