SSL support - MyMedsAndMe/marco_polo GitHub Wiki

The SSL docs for OrientDB are here. Most of the steps to follow, however, come from the cqerl documentation on using SSL with Cassandra.

All these steps are executed inside $ORIENTDB_HOME for convenience.

Generating a keystore

First, we generate a keystore for the OrientDB server using keytool:

keytool -genkeypair -alias orientdb -keyalg RSA -keysize 2048 -keystore orientdb.jks

The command above is very similar to the one shown in the OrientDB documentation. It creates an orientdb.jks file in the current working directory: this is the keystore (jks stands for Java KeyStore) that the server will use. As the Cassandra documentation suggests, fill in the personal details the command prompts for, since Erlang can have problems if everything is left at its default (usually Unknown). Use password as the keystore password if you're going to copy the XML configuration below verbatim.

After doing this, we have to set up the OrientDB server to use the newly created keystore. First, let's move the keystore inside config/cert:

mv orientdb.jks ./config/cert/

Making the server use the keystore

We now have to change the server configuration in config/orientdb-server-config.xml. Here, the relevant section from the OrientDB docs is accurate: we tweak the configuration of the ssl socket so that it points at the keystore we just created:

<socket implementation="com.orientechnologies.orient.server.network.OServerSSLSocketFactory" name="ssl">
  <parameters>
    <parameter value="false" name="network.ssl.clientAuth"/>
    <parameter value="config/cert/orientdb.jks" name="network.ssl.keyStore"/>
    <parameter value="password" name="network.ssl.keyStorePassword"/>
    <parameter value="config/cert/orientdb.jks" name="network.ssl.trustStore"/>
    <parameter value="password" name="network.ssl.trustStorePassword"/>
  </parameters>
</socket>

and then we add an SSL listener (conventionally on port 2434) to the same configuration:

<listener protocol="binary" ip-address="0.0.0.0" port-range="2434-2440" socket="ssl"/>
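Before restarting the server it is worth checking that the two snippets above actually ended up in the right places. The following is an added example, not code from MarcoPolo or OrientDB: it assumes the usual orient-server/network/sockets and orient-server/network/listeners layout of orientdb-server-config.xml, confirms the ssl socket carries all four store parameters and that a listener is bound to it, and flags the placeholder password used in this walkthrough.

```python
import xml.etree.ElementTree as ET

REQUIRED_PARAMS = {"network.ssl.keyStore", "network.ssl.keyStorePassword",
                   "network.ssl.trustStore", "network.ssl.trustStorePassword"}
# Placeholder secrets from walkthroughs; fine for a lab box, not for a deployment.
PLACEHOLDER_PASSWORDS = {"password", "changeit", ""}

# Constructed sample: the wiki's socket and listener snippets wrapped in the
# surrounding elements of orientdb-server-config.xml (assumed layout).
SAMPLE_CONFIG = """<orient-server>
  <network>
    <sockets>
      <socket implementation="com.orientechnologies.orient.server.network.OServerSSLSocketFactory" name="ssl">
        <parameters>
          <parameter value="false" name="network.ssl.clientAuth"/>
          <parameter value="config/cert/orientdb.jks" name="network.ssl.keyStore"/>
          <parameter value="password" name="network.ssl.keyStorePassword"/>
          <parameter value="config/cert/orientdb.jks" name="network.ssl.trustStore"/>
          <parameter value="password" name="network.ssl.trustStorePassword"/>
        </parameters>
      </socket>
    </sockets>
    <listeners>
      <listener protocol="binary" ip-address="0.0.0.0" port-range="2434-2440" socket="ssl"/>
    </listeners>
  </network>
</orient-server>"""

def audit_ssl_config(xml_text):
    """Return a list of findings; an empty list means the SSL wiring looks complete."""
    root = ET.fromstring(xml_text)
    findings = []
    sockets = [s for s in root.iter("socket") if s.get("name") == "ssl"]
    if not sockets:
        return ['no <socket name="ssl"> defined']
    params = {p.get("name"): p.get("value") for p in sockets[0].iter("parameter")}
    for name in sorted(REQUIRED_PARAMS - set(params)):
        findings.append(f"ssl socket is missing parameter {name}")
    for name in ("network.ssl.keyStorePassword", "network.ssl.trustStorePassword"):
        if params.get(name) in PLACEHOLDER_PASSWORDS:
            findings.append(f"{name} is a placeholder value; change it before exposing the port")
    if params.get("network.ssl.clientAuth", "false").lower() != "true":
        findings.append("network.ssl.clientAuth is off: server will not require client certificates")
    if not any(l.get("socket") == "ssl" for l in root.iter("listener")):
        findings.append('no <listener socket="ssl">, so nothing will accept TLS connections')
    return findings
```

Run it against your real file with audit_ssl_config(open("config/orientdb-server-config.xml").read()); the clientAuth line is informational and expected for the setup on this page.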

Generating a PEM key

We're ready to generate a PEM key that MarcoPolo can use. Run this command inside config/cert/:

keytool -exportcert -rfc -alias orientdb -file orientdb.pem -keystore orientdb.jks

This exports the server certificate from the orientdb.jks keystore into orientdb.pem (only the certificate is exported; the private key stays in the keystore). You can move this file anywhere you want; let's assume you moved it to the root of the marco_polo project.

Using SSL

Now, you can use SSL when connecting to the server. The option you have to specify is :cacertfile, in the :ssl_opts keyword list you pass to MarcoPolo.start_link/1, pointing at the PEM file exported above.

MarcoPolo.start_link(user: "root",
                     password: "root",
                     connection: {:db, "MarcoPoloTest"},
                     ssl: true,
                     ssl_opts: [cacertfile: './orientdb.pem'])
#=> {:ok, #PID<...>}