How to secure Neo4J replication? - neo4j

I need to secure the replication data stream between two Neo4J nodes (e.g. using SSL or TLS). Both are running in embedded mode in two JBoss instances.
Is it possible, and how can I do that?
Thanks

AFAIK Neo4j replication is not encrypted by itself. The easiest way would be to connect the cluster members using a VPN (e.g. using openvpn) and configure Neo4j to use the virtual network interface provided by the VPN.
An alternative might be stunnel.
Update:
There is a nice blog post on using openvpn for encrypting Neo4j cluster replication by John Russell. Please note that this uses Neo4j <= 1.8; in Neo4j 1.9.x there is no Zookeeper any more.
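As an added illustration of the stunnel alternative mentioned above (this is not from the answer or from Neo4j's documentation), here is a pair of stunnel configurations that wrap one HA replication port in TLS with mutual certificate verification. It assumes the master listens for slaves on port 6001 (the ha.server default in 1.9; use whatever your ha.server setting is), that the master's address is 10.0.0.2, and that the certificate and CA paths are your own; the same pattern is repeated for the cluster port (ha.cluster_server, 5001 in the backup thread further down). Because HA members advertise their own ha.* addresses to each other, each member's Neo4j config must point at its local stunnel listener for this to be used at all, which is why the VPN route is the simpler one.

```ini
; --- master side (stunnel server): terminate TLS and hand off to Neo4j ---
; Assumed paths; generate your own key pair and CA.
cert   = /etc/stunnel/neo4j-master.pem
key    = /etc/stunnel/neo4j-master.key
CAfile = /etc/stunnel/neo4j-ca.pem
; verify = 2 requires a peer certificate signed by CAfile, so only
; hosts holding a cluster certificate can reach the replication port.
verify = 2

[neo4j-ha-server]
; TLS listener reachable by the other member (assumed port 6443)
accept  = 10.0.0.2:6443
; plaintext hop stays on the loopback interface only
connect = 127.0.0.1:6001

; --- slave side (stunnel client): Neo4j talks plaintext to localhost only ---
; Put this in the slave's stunnel.conf; the slave's ha.server / initial_hosts
; entries then reference 127.0.0.1:6001 instead of the master's real address.
; cert   = /etc/stunnel/neo4j-slave.pem
; key    = /etc/stunnel/neo4j-slave.key
; CAfile = /etc/stunnel/neo4j-ca.pem
; verify = 2
;
; [neo4j-ha-client]
; client  = yes
; accept  = 127.0.0.1:6001
; connect = 10.0.0.2:6443
```

Bind the plaintext side to 127.0.0.1 on both hosts and firewall 6001 from the outside; otherwise the tunnel can be bypassed by connecting to the unencrypted port directly.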

Related

Neo4j setup in OpenShift

I am having difficulties deploying Neo4j official docker image https://hub.docker.com/_/neo4j to an OpenShift environment and accessing it from outside (from my local machine)
I have performed the following steps:
oc new-app neo4j
Created route for port 7474
Set up the environment variable NEO4J_dbms_connector_bolt_listen__address to 0.0.0.0:7687, which is the equivalent of setting dbms.connector.bolt.listen_address=0.0.0.0:7687 in the neo4j.conf file.
Access the route URL from the local machine, which opens the Neo4j browser and asks for authentication. At this point I am blocked because every combination of URLs I try is unsuccessful.
As a workaround I have managed to forward 7687 port to my local machine, install Neo4j Desktop solution and connect via bolt://localhost:7687 but this is not the ideal solution.
Therefore there are two questions:
1. How can I connect from the Neo4j browser to its own database?
2. How can I connect from an external environment (through the OpenShift route) to the Neo4j DB?
I have no experience with the OpenShift, but try to add the following config:
dbms.default_listen_address=0.0.0.0
Is there any other way for you to connect to Neo4j, so that you could further inspect the issue?
Short answer:
To connect to the DB, that is most likely a configuration issue; maybe Tomaž Bratanič's answer is the solution. As for accessing the DB from outside, you will most likely need a NodePort.
Long answer:
Note that OpenShift Routes are for HTTP / HTTPS traffic and not for any other kind of traffic. Typically, the "Routers" of an OpenShift cluster listen only on Port 80 and 443, so connecting to your database on any other port will most likely not work (although this heavily depends on your cluster configuration).
The solution for non-HTTP(S) traffic is to use NodePorts as described in the OpenShift documentation: https://docs.openshift.com/container-platform/3.11/dev_guide/expose_service/expose_internal_ip_nodeport.html
Note that also for NodePorts, you might need to have your cluster administrator add additional ports to the loadbalancer or you might need to connect to the OpenShift Nodes directly. Refer to the documentation on how to use NodePorts.

Have both Gremlin-Server AND NEO4J Server running at the same time

Current it seems we cannot run both Neo4J Server and Gremlin Server at the same time. Is there any way to have run both?
NEO4J is running and I try to start to Gremlin Server then I get the following error
java.lang.RuntimeException: GraphFactory could not instantiate this
Graph implementation [class
org.apache.tinkerpop.gremlin.neo4j.structure.Neo4jGraph].......................(truncated)
Gremlin Server is running and I try to start NEO4J Server then I get the following error
Caused by: org.neo4j.kernel.StoreLockException: Store and its lock
file has been locked by another process:
/home/galaxia/Documents/neo4j-gremlin/data/databases/graph.db/store_lock.
Please ensure no other process is using this database, and that the
directory is writable (required even for read-only access)
Versions
Neo4J 3.3.1
Gremlin 3.3.1
I realize it has been a while, but I finally figured this out and thought others should know. As Stephen Mallette said, you can use the Bolt implementation. To configure this for Gremlin Server, use the included gremlin-server-neo4j.yaml file and make the following change:
graphs: {
graph: conf/neo4j-bolt.properties}
Then create the neo4j-bolt.properties file with this content:
gremlin.graph=com.steelbridgelabs.oss.neo4j.structure.Neo4JGraph
#neo4j.graph.name=graph.db
neo4j.identifier=dummy
neo4j.url=bolt://localhost:7687
neo4j.username=neo4j
neo4j.password=<password>
neo4j.readonly=false
neo4j.vertexIdProvider=com.steelbridgelabs.oss.neo4j.structure.providers.Neo4JNativeElementIdProvider
neo4j.edgeIdProvider=com.steelbridgelabs.oss.neo4j.structure.providers.Neo4JNativeElementIdProvider
Remember to replace the password, and any other property with the correct values.
You cannot run them together that way (i.e. embedded mode), but it should be possible to run them together, if you either:
Configure the Neo4j graph in Gremlin Server to use HA mode as described here
Configure the Neo4j graph in Gremlin Server to use the Bolt implementation found here
Enable the Bolt protocol in the Neo4j properties file provided to Gremlin Server.
As an example of the third option, given the default Gremlin Server packaged configuration files for Neo4j, you can edit conf/neo4j-empty.properties to include:
gremlin.graph=org.apache.tinkerpop.gremlin.neo4j.structure.Neo4jGraph
gremlin.neo4j.directory=/tmp/neo4j
gremlin.neo4j.conf.dbms.connector.0.type=BOLT
gremlin.neo4j.conf.dbms.connector.0.enabled=true
gremlin.neo4j.conf.dbms.connector.0.address=localhost:7687
and then start Gremlin Server with bin/gremlin-server.sh conf/gremlin-server-neo4j.yaml at which point you can use standard TinkerPop drivers as well as standard Bolt connectivity against the same graph instance.

Couchbase - connections between nodes

Could anyone explain what type of connections are between the nodes?
Are they anyhow encrypted? I cannot find anything in the official documentation.
Update:
http://developer.couchbase.com/documentation/server/current/security/security-comm-encryption.html
Depending on the version you are running and the deployment topology you have chosen with services, Couchbase Server has a number of connections between nodes. You can find the list of ports we use for internal communication between nodes here, under "node to node":
http://developer.couchbase.com/documentation/server/4.5/install/install-ports.html
Couchbase Server does not encrypt communication between nodes today. You can use other solutions like IPSec to do that. Couchbase Server does encrypt data access, web console and cluster to cluster communication with XDCR.

connecting to cassandra nodes on a datastax cluster on EC2 Ruby on Rails

I created a datastax cassandra Enterprise cluster with 2 cassandra nodes, 2 search nodes and 2 Analytics nodes.
Everything seems to work correctly EXCEPT, I can't connect to it from outside. If I'm on node0 server I can run the cassandra-cli and connect to the cassandra nodes on port 9160 but when I tried to connect using datastax-rails gem, I get "No live servers" I also tried datastax devCenter which tries to connect to the native port 9042 but also didn't work. I'm really puzzled, any help is appreciated.
So after some digging I found some issues
1. Port 9160 is connected and I can connect to it from telnet node0_ip 9160
2. when I run rake ds:migrate, I get No live servers in node0_ip
3. I tried to connect to 'cassandra' gem instead from IRB and tried
a. client = Cassandra.new('example', 'node0_ip:9160')
b. client.insert(:users, "5", {'screen_name' => "buttonscat4"})
I got a similar error with ThriftClient::NoServersAvailable: No live servers but this time with all the IPs of all the nodes in the cluster
4. I tried adding "client.disable_node_auto_discovery!" and I was able to connect and add stuff using 'cassandra' Gem.
5. I also found on https://github.com/cassandra-rb/cassandra/issues/171 that I need to change your server to bind on a non-loopback address, but I have no idea what that means.
The question now is how
Sounds like you need to open up your EC2 security group to the outside on port 9160. Specifically the security group that your node0 is using.
You can find more information about them here:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
I was getting the same error and got this to work by using disable_node_auto_discovery!
You can see in the documentation for this method that it says "This is primarily helpful when the cassandra cluster is communicating internally on a different ip address than what you are using to connect. A prime example of this would be when using EC2 to host a cluster. Typically, the cluster would be communicating over the local ip addresses issued by Amazon, but any clients connecting from outside EC2 would need to use the public ip."
http://rdoc.info/github/cassandra-rb/cassandra/master/Cassandra:disable_node_auto_discovery!

neo4j backup error when backing up from ha cluster

I'm trying to setup backup for a Neo4j cluster with 3 instances. Neo4j is embedded.
If I run:
./neo4j-backup -from ha://10.106.4.80:5001,10.106.4.203:5001,10.106.14.164:5001 -to /tmp/neobak2/
from a host outside the 10.106.4.0 network, I get this error:
Could not find backup server in cluster neo4j.ha at 10.106.4.80:5001,10.106.4.203:5001,10.106.14.164:5001, operation timed out.
If I run it from a cluster member it works just fine. Also if I run the backup script with single instead of ha works fine from anywhere.
Below the basic cluster config I'm using:
ha.server_id: 1
ha.initial_hosts:10.106.4.80:5001,10.106.4.203:5001,10.106.14.164:5001
ha.tx_push_factor: 2
I already checked for firewall issues, there aren't any. Neo4j version used is 1.9.5.
The webadmin interface shows the cluster has online backup enabled and listening to the default port.
Any help will be appreciated.
According to RFC 5735, IP addresses in 10.0.0.0/8 are private. So I assume they're not routed from an external host.