Configuring HugeGraphServer to Use HTTPS Protocol

Overview

By default, HugeGraphServer uses the HTTP protocol. However, if you have security requirements for your requests, you can configure it to use HTTPS.

Server Configuration

Modify the conf/rest-server.properties configuration file and change the schema part of restserver.url to https.

  1. # Set the protocol to HTTPS
  2. restserver.url=https://127.0.0.1:8080
  3. # Server keystore file path. This default value is automatically effective when using HTTPS, and you can modify it as needed.
  4. ssl.keystore_file=conf/hugegraph-server.keystore
  5. # Server keystore file password. This default value is automatically effective when using HTTPS, and you can modify it as needed.
  6. ssl.keystore_password=******

The server’s conf directory already includes a keystore file named hugegraph-server.keystore, and the password for this file is hugegraph. These are the default values when enabling the HTTPS protocol. Users can generate their own keystore file and password, and then modify the values of ssl.keystore_file and ssl.keystore_password.

Client Configuration

Using HTTPS in HugeGraph-Client

When constructing a HugeClient, pass the HTTPS-related configurations. Here’s an example in Java:

  1. String url = "https://localhost:8080";
  2. String graphName = "hugegraph";
  3. HugeClientBuilder builder = HugeClient.builder(url, graphName);
  4. // Client keystore file path
  5. String trustStoreFilePath = "hugegraph.truststore";
  6. // Client keystore password
  7. String trustStorePassword = "******";
  8. builder.configSSL(trustStoreFilePath, trustStorePassword);
  9. HugeClient hugeClient = builder.build();

Note: Before version 1.9.0, HugeGraph-Client was created directly using the new keyword and did not support the HTTPS protocol. Starting from version 1.9.0, it changed to use the builder pattern and supports configuring the HTTPS protocol.

Using HTTPS in HugeGraph-Loader

When starting an import task, add the following options in the command line:

  1. # HTTPS
  2. --protocol https
  3. # Client certificate file path. When specifying --protocol as https, the default value conf/hugegraph.truststore is automatically used, and you can modify it as needed.
  4. --trust-store-file {file}
  5. # Client certificate file password. When specifying --protocol as https, the default value hugegraph is automatically used, and you can modify it as needed.
  6. --trust-store-password {password}

Under the conf directory of hugegraph-loader, there is already a default client certificate file named hugegraph.truststore, and its password is hugegraph.

Using HTTPS in HugeGraph-Tools

When executing commands, add the following options in the command line:

  1. # Client certificate file path. When using the HTTPS protocol in the URL, the default value conf/hugegraph.truststore is automatically used, and you can modify it as needed.
  2. --trust-store-file {file}
  3. # Client certificate file password. When using the HTTPS protocol in the URL, the default value hugegraph is automatically used, and you can modify it as needed.
  4. --trust-store-password {password}
  5. # When executing migration commands and using the --target-url with the HTTPS protocol, the default value conf/hugegraph.truststore is automatically used, and you can modify it as needed.
  6. --target-trust-store-file {target-file}
  7. # When executing migration commands and using the --target-url with the HTTPS protocol, the default value hugegraph is automatically used, and you can modify it as needed.
  8. --target-trust-store-password {target-password}

Under the conf directory of hugegraph-tools, there is already a default client certificate file named hugegraph.truststore, and its password is hugegraph.

How to Generate Certificate Files

This section provides an example of generating certificates. If the default certificate is sufficient or if you already know how to generate certificates, you can skip this section.

Server

  1. Generate the server’s private key and import it into the server’s keystore file. The server.keystore is for the server’s use and contains its private key.
  1. keytool -genkey -alias serverkey -keyalg RSA -keystore server.keystore

During the process, fill in the description information according to your requirements. The description information for the default certificate is as follows:

  1. First and Last Name: hugegraph
  2. Organizational Unit Name: hugegraph
  3. Organization Name: hugegraph
  4. City or Locality Name: BJ
  5. State or Province Name: BJ
  6. Country Code: CN
  1. Export the server certificate based on the server’s private key.
  1. keytool -export -alias serverkey -keystore server.keystore -file server.crt

server.crt is the server’s certificate.

Client

  1. keytool -import -alias serverkey -file server.crt -keystore client.truststore

client.truststore is for the client’s use and contains the trusted certificate.

Last modified May 19, 2023: Update config-https.md (#239) (484cbff5)