modules/ROOT/pages/security/ssl-framework.adoc
+18-7
Original file line number
Diff line number
Diff line change
@@ -1108,22 +1108,33 @@ Beware that the SSL debug option logs a new statement every time a client connec
1108
1108
To avoid that scenario, make sure this setting is only enabled for a short term duration.
1109
1109
====
1110
1110
1111
+
[role=label--new-2025.03]
1111
1112
[[certificate-rotation]]
1112
-
== Certificate Rotation
1113
-
It is considered best practice to use certificates with reasonably short duration. This, however, requires the periodic rotation of certificates whereby old certificates are removed and the new ones installed. Previous versions of Neo4j required a the restart of a database instance for changes to be applied. New certificates can now be rotated in and SSL configuration changed without a restart being required. This reduces undesirable effects of transient loss of cluster members.
1113
+
== Certificates rotation
1114
1114
1115
-
. Enable the dynamic reloading of certificates on all cluster members. It is best to do this when the cluster is deployed as changing this configuration requires a restart:
1115
+
It is considered best practice to use certificates with reasonably short duration.
1116
+
This, however, requires the periodic rotation of certificates whereby old certificates are removed and the new ones are installed.
1117
+
Previous versions of Neo4j required a database restart for changes to be applied.
1118
+
Starting from 2025.03, new certificates can be rotated in, and SSL configuration can be updated without requiring a restart.
1119
+
This reduces undesirable effects of transient loss of cluster members.
1120
+
1121
+
Following are the steps of newly introduced certificates rotation.
1122
+
1123
+
. Enable the dynamic reloading of certificates on all cluster members.
1124
+
It is best to do this when the cluster is deployed as changing this configuration requires a restart:
1116
1125
1117
1126
[source, properties]
1118
1127
----
1119
1128
dbms.security.tls_reload=true (default is false)
1120
1129
----
1121
1130
1122
-
. Replace old certificates either by overwriting on the filesystem, or copying them to a new location and updating the required SSL configuration for each effected scope. Both certificates may exist on the filesystem but only one can be referenced in the configuration. New certificates will need to be copied to all cluster members as required.
1131
+
. Replace old certificates either by overwriting on the filesystem or by copying them to a new location and updating the required SSL configuration for each effected scope.
1132
+
Both certificates may exist on the filesystem but only one can be referenced in the configuration.
1133
+
New certificates need to be copied to all cluster members as required.
1123
1134
1124
-
. Make necessary changes to any of the SSL configuration. and/or replace certificates for effected scopes.
1135
+
. Make necessary changes to any of the SSL configuration and/or replace certificates for effected scopes.
1125
1136
1126
-
. Connect to each cluster member in turn using Cypher Shell using a boltscheme and run the reload procedure:
1137
+
. Connect to each cluster member in turn with Cypher Shell using a <<ssl-bolt-connect,`bolt` URI scheme>> and run the reload procedure:
. New settings will take effect immediately, however existing connections will not be pre-emptively terminated.
1134
1145
1135
-
. Verify that the intra-cluster communication is still encrypted using external tooling, such as Nmap, described above.
1146
+
. Verify that the intra-cluster communication is still encrypted using external tooling, such as Nmap, described in <<ssl-cluster-config, Configuring SSL for intra-cluster communications>>.
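Review bot: "effected scopes" in the rewritten step 2 and step 3 lines (`... SSL configuration for each effected scope.` and `... replace certificates for effected scopes.`) should be "affected scope(s)"; since these lines are being rewritten anyway, this is the place to fix the typo rather than carry it forward. The heading rename from `== Certificate Rotation` to `== Certificates rotation` reads less naturally than the original; suggest `== Certificate rotation`, and the added lead-in `Following are the steps of newly introduced certificates rotation.` would read better as "The steps for rotating certificates are as follows." The unchanged `[source, properties]` block still shows `dbms.security.tls_reload=true (default is false)` on one line, which is not valid properties syntax if copied into neo4j.conf; moving the default into prose (`dbms.security.tls_reload=true` in the block, "The default is `false`." beside it) avoids that. Lastly, the context line `New settings will take effect immediately, however existing connections will not be pre-emptively terminated.` deserves a mention in the new intro paragraph, since an operator rotating a certificate they no longer trust needs to know that sessions established under the old certificate persist until they close or the member is restarted.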