From 5668916d753bfb74389a3e8bde53cf87d7959107 Mon Sep 17 00:00:00 2001 From: joaquin Date: Wed, 6 May 2020 15:49:57 -0700 Subject: [PATCH 1/7] doc fixes for mTLS/TLS dgraph live, dgraph cert, curl --- wiki/content/deploy/index.md | 59 ++++++++++++++++++++++++++++-------- 1 file changed, 46 insertions(+), 13 deletions(-) diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index a3f2e8448a1..3dbc11ef3b7 100644 --- a/wiki/content/deploy/index.md +++ b/wiki/content/deploy/index.md @@ -1537,14 +1537,14 @@ $ dgraph cert --help # Create Dgraph Root CA, used to sign all other certificates. $ dgraph cert -# Create node certificate (needed for Dgraph Live Loader using TLS) -$ dgraph cert -n live +# Create node certificate +$ dgraph cert -n localhost -# Create client certificate +# Create client certificate for mTLS $ dgraph cert -c dgraphuser # Combine all in one command -$ dgraph cert -n live -c dgraphuser +$ dgraph cert -n localhost -c dgraphuser # List all your certificates and keys $ dgraph cert ls 
@@ -1641,22 +1641,54 @@ The following configuration options are available for Alpha: * `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client authentication](#client-authentication) for details. ```sh +# First, create rootca and node certificates +$ dgraph cert -n localhost # Default use for enabling TLS server (after generating certificates) $ dgraph alpha --tls_dir tls ``` Dgraph Live Loader can be configured with following options: -* `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). +* `--tls_cacert string` - Dgraph Root CA, such as `.tls/ca.crt` * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. * `--tls_server_name string` - Server name, used for validating the server's TLS host name. ```sh -# First, create a client certificate for live loader. This will create 'tls/client.live.crt' -$ dgraph cert -c live +# Now, connect to server using TLS +$ dgraph live --tls_cacert ./tls/ca.crt --tls_server_name "localhost" -s 21million.schema -f 21million.rdf.gz +``` + +### mTLS (Mutual TLS) options + +The following configuration options are available for Alpha: +* `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). +* `--tls_use_system_ca` - Include System CA with Dgraph Root CA. +* `--tls_client_auth string` - TLS client authentication used to validate client connection. mTLS will require either `REQUIREANY` or `REQUIREANDVERIFY` for this setting. See [Client authentication](#client-authentication) for details. + +```sh +# First, create a rootca, node, and client certificates +$ dgraph cert -n localhost -c dgraphuser +# Default use for enabling TLS server (after generating certificates) +$ dgraph alpha --tls_dir tls --tls_client_auth="REQUIREANDVERIFY" +``` + +Dgraph Live Loader can be configured with following options: + +* `--tls_cacert string` - Dgraph Root CA, such as `.tls/ca.crt` +* `--tls_use_system_ca` - Include System CA with Dgraph Root CA. 
+* `--tls_cert` - User cert file provided by the client to Alpha \ +* `--tls_key` - User private key file provided by the client to Alpha \ +* `--tls_server_name string` - Server name, used for validating the server's TLS host name. + +```sh # Now, connect to server using TLS -$ dgraph live --tls_dir tls -s 21million.schema -f 21million.rdf.gz +$ dgraph live \ + --tls_cert ./tls/client.dgraphuser.crt \ + --tls_key ./tls/client.dgraphuser.key \ + --tls_server_name "localhost" \ + -s 21million.schema \ + -f 21million.rdf.gz ``` ### Client authentication @@ -1706,7 +1738,7 @@ If the `--tls_client_auth` option is set to `REQUEST`or `VERIFYIFGIVEN` (default use the option `--cacert`. For instance (for an export request): ``` -curl --cacert ./tls/ca.crt https://localhost:8080/admin/export +curl --silent --cacert ./tls/ca.crt https://localhost:8080/admin/export ``` If the `--tls_client_auth` option is set to `REQUIREANY` or `REQUIREANDVERIFY`, @@ -1714,7 +1746,8 @@ in addition to the `--cacert` option, also use the `--cert` and `--key` options. For instance (for an export request): ``` -curl --cacert ./tls/ca.crt --cert ./tls/node.crt --key ./tls/node.key https://localhost:8080/admin/export +curl --silent --cacert ./tls/ca.crt --cert ./tls/client.dgraphuser.crt \ + --key ./tls/client.dgraphuser.key https://localhost:8080/admin/export ``` Refer to the `curl` documentation for further information on its TLS options. 
@@ -1796,10 +1829,10 @@ $ dgraph live -f -s -a #### Encrypted imports via Live Loader -A new flag keyfile is added to the Live Loader. This option is required to decrypt the encrypted export data and schema files. Once the export files are decrypted, the Live Loader streams the data to a live Alpha instance. +A new flag keyfile is added to the Live Loader. This option is required to decrypt the encrypted export data and schema files. Once the export files are decrypted, the Live Loader streams the data to a live Alpha instance. {{% notice "note" %}} -If the live Alpha instance has encryption turned on, the `p` directory will be encrypted. Otherwise, the `p` directory is unencrypted. +If the live Alpha instance has encryption turned on, the `p` directory will be encrypted. Otherwise, the `p` directory is unencrypted. {{% /notice %}} #### Encrypted RDF/JSON file and schema via Live Loader @@ -1978,7 +2011,7 @@ dgraph bulk --encryption_key_file ./enc_key_file -f data.json.gz -s data.schema #### Encrypting imports via Bulk Loader -The Bulk Loader’s `encryption_key_file` option was previously used to encrypt the output `p ` directory. This same option will also be used to decrypt the encrypted export data and schema files. +The Bulk Loader’s `encryption_key_file` option was previously used to encrypt the output `p ` directory. This same option will also be used to decrypt the encrypted export data and schema files. Another option, `--encrypted`, indicates whether the input `rdf`/`json` data and schema files are encrypted or not. With this switch, we support the use case of migrating data from unencrypted exports to encrypted import. From d17c5a1ccb4f7a751c26a9931c4cf751c9247965 Mon Sep 17 00:00:00 2001 From: joaquin Date: Wed, 6 May 2020 21:55:09 -0700 Subject: [PATCH 2/7] update typos, wording in deploy tls docs --- wiki/content/deploy/index.md | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) 
diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index 3dbc11ef3b7..8f55cb3f689 100644 --- a/wiki/content/deploy/index.md +++ b/wiki/content/deploy/index.md @@ -1537,10 +1537,10 @@ $ dgraph cert --help # Create Dgraph Root CA, used to sign all other certificates. $ dgraph cert -# Create node certificate +# Create node certificate and private key $ dgraph cert -n localhost -# Create client certificate for mTLS +# Create client certificate and private key for mTLS (mutual TLS) $ dgraph cert -c dgraphuser # Combine all in one command @@ -1641,15 +1641,15 @@ The following configuration options are available for Alpha: * `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client authentication](#client-authentication) for details. ```sh -# First, create rootca and node certificates +# First, create rootca and node certificates and private keys $ dgraph cert -n localhost -# Default use for enabling TLS server (after generating certificates) +# Default use for enabling TLS server (after generating certificates and private keys) $ dgraph alpha --tls_dir tls ``` Dgraph Live Loader can be configured with following options: -* `--tls_cacert string` - Dgraph Root CA, such as `.tls/ca.crt` +* `--tls_cacert string` - Dgraph Root CA, such as `./tls/ca.crt` * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. * `--tls_server_name string` - Server name, used for validating the server's TLS host name. 
@@ -1667,23 +1667,24 @@ The following configuration options are available for Alpha: * `--tls_client_auth string` - TLS client authentication used to validate client connection. mTLS will require either `REQUIREANY` or `REQUIREANDVERIFY` for this setting. See [Client authentication](#client-authentication) for details. ```sh -# First, create a rootca, node, and client certificates +# First, create a rootca, node, and client certificates and private keys $ dgraph cert -n localhost -c dgraphuser -# Default use for enabling TLS server (after generating certificates) +# Default use for enabling TLS server (after generating certificates and private keys) $ dgraph alpha --tls_dir tls --tls_client_auth="REQUIREANDVERIFY" ``` Dgraph Live Loader can be configured with following options: -* `--tls_cacert string` - Dgraph Root CA, such as `.tls/ca.crt` +* `--tls_cacert string` - Dgraph Root CA, such as `./tls/ca.crt` * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_cert` - User cert file provided by the client to Alpha \ -* `--tls_key` - User private key file provided by the client to Alpha \ +* `--tls_cert` - User cert file provided by the client to Alpha +* `--tls_key` - User private key file provided by the client to Alpha * `--tls_server_name string` - Server name, used for validating the server's TLS host name. ```sh -# Now, connect to server using TLS +# Now, connect to server using mTLS (mutual TLS) $ dgraph live \ + --tls_cacert ./tls/ca.crt \ --tls_cert ./tls/client.dgraphuser.crt \ --tls_key ./tls/client.dgraphuser.key \ --tls_server_name "localhost" \ From 5e3434425419282256f43c0eac4b0722be3c41c3 Mon Sep 17 00:00:00 2001 From: joaquin Date: Thu, 7 May 2020 12:37:01 -0700 Subject: [PATCH 3/7] deploy/tls docs - updated table and updates for clarity --- wiki/content/deploy/index.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) 
diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index 8f55cb3f689..965a1352f57 100644 --- a/wiki/content/deploy/index.md +++ b/wiki/content/deploy/index.md @@ -1526,9 +1526,9 @@ Connections between client and server can be secured with TLS. Password protecte {{% notice "tip" %}}If you're generating encrypted private keys with `openssl`, be sure to specify encryption algorithm explicitly (like `-aes256`). This will force `openssl` to include `DEK-Info` header in private key, which is required to decrypt the key by Dgraph. When default encryption is used, `openssl` doesn't write that header and key can't be decrypted.{{% /notice %}} -### Self-signed certificates +### Dgraph Certificate Management Tool -The `dgraph cert` program creates and manages self-signed certificates using a generated Dgraph Root CA. The _cert_ command simplifies certificate management for you. +The `dgraph cert` program creates and manages CA-signed certificates and private keys using a generated Dgraph Root CA. The `dgraph cert` command simplifies certificate management for you. ```sh # To see the available flags. @@ -1638,7 +1638,7 @@ The following configuration options are available for Alpha: * `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client authentication](#client-authentication) for details. +* `--tls_client_auth string` - TLS client authentication used to validate client connection. Client cert and key will be optional by client with either `REQUEST` or `VERIFYIFGIVEN` for this setting. See [Client authentication](#client-authentication) for details. ```sh # First, create rootca and node certificates and private keys 
@@ -1664,7 +1664,7 @@ The following configuration options are available for Alpha: * `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_client_auth string` - TLS client authentication used to validate client connection. mTLS will require either `REQUIREANY` or `REQUIREANDVERIFY` for this setting. See [Client authentication](#client-authentication) for details. +* `--tls_client_auth string` - TLS client authentication used to validate client connection. Client cert and key will be required by client with either `REQUIREANY` or `REQUIREANDVERIFY` for this setting. See [Client authentication](#client-authentication) for details. ```sh # First, create a rootca, node, and client certificates and private keys 
@@ -1696,12 +1696,12 @@ $ dgraph live \ The server option `--tls_client_auth` accepts different values that change the security policty of client certificate verification. -| Value | Description | -|-------|-------------| -| REQUEST | Server accepts any certificate, invalid and unverified (least secure) | -| REQUIREANY | Server expects any certificate, valid and unverified | -| VERIFYIFGIVEN | Client certificate is verified if provided (default) | -| REQUIREANDVERIFY | Always require a valid certificate (most secure) | +| Value | Client Cert/Key | Description | +|--------------------|-----------------|--------------------| +| `REQUEST` | optional | Server accepts any certificate, invalid and unverified (least secure) | +| `REQUIREANY` | required | Server expects any certificate, valid and unverified | +| `VERIFYIFGIVEN` | opitonal | Client certificate is verified if provided (default) | +| `REQUIREANDVERIFY` | required | Always require a valid certificate (most secure) | {{% notice "note" %}}REQUIREANDVERIFY is the most secure but also the most difficult to configure for remote clients. When using this value, the value of `--tls_server_name` is matched against the certificate SANs values and the connection host.{{% /notice %}} @@ -1747,8 +1747,7 @@ in addition to the `--cacert` option, also use the `--cert` and `--key` options. For instance (for an export request): ``` -curl --silent --cacert ./tls/ca.crt --cert ./tls/client.dgraphuser.crt \ - --key ./tls/client.dgraphuser.key https://localhost:8080/admin/export +curl --silent --cacert ./tls/ca.crt --cert ./tls/client.dgraphuser.crt --key ./tls/client.dgraphuser.key https://localhost:8080/admin/export ``` Refer to the `curl` documentation for further information on its TLS options. From 09c1b96d6e5ce55176bd1e395450f4666a33fac0 Mon Sep 17 00:00:00 2001 
From: joaquin Date: Thu, 7 May 2020 13:33:15 -0700 Subject: [PATCH 4/7] updated deploy/tls doc table for client auth --- wiki/content/deploy/index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index 965a1352f57..ad5bffe0cf9 100644 --- a/wiki/content/deploy/index.md +++ b/wiki/content/deploy/index.md @@ -1694,14 +1694,14 @@ $ dgraph live \ ### Client authentication -The server option `--tls_client_auth` accepts different values that change the security policty of client certificate verification. +The server will always REQUEST Client Authentication **only** when the `--tls_client_auth` option is specified. There are four different values that change the security policy of the client certificate. -| Value | Client Cert/Key | Description | +| Value | Client Cert/Key | Client Certificate Verified | |--------------------|-----------------|--------------------| -| `REQUEST` | optional | Server accepts any certificate, invalid and unverified (least secure) | -| `REQUIREANY` | required | Server expects any certificate, valid and unverified | -| `VERIFYIFGIVEN` | opitonal | Client certificate is verified if provided (default) | -| `REQUIREANDVERIFY` | required | Always require a valid certificate (most secure) | +| `REQUEST` | optional | Client certificate is not VERIFIED if provided. (least secure) | +| `REQUIREANY` | required | Client certificate is never VERIFIED | +| `VERIFYIFGIVEN` | optional | Client certificate is VERIFIED if provided (default) | +| `REQUIREANDVERIFY` | required | Client certificate is always VERIFIED (most secure) | {{% notice "note" %}}REQUIREANDVERIFY is the most secure but also the most difficult to configure for remote clients. When using this value, the value of `--tls_server_name` is matched against the certificate SANs values and the connection host.{{% /notice %}} From 6ccbed648cd2b374ad11ef64b641c15ddf480cc8 Mon Sep 17 00:00:00 2001 
From: joaquin Date: Thu, 7 May 2020 13:40:15 -0700 Subject: [PATCH 5/7] deploy tls docs fix --- wiki/content/deploy/index.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index ad5bffe0cf9..1cce26f29e8 100644 --- a/wiki/content/deploy/index.md +++ b/wiki/content/deploy/index.md @@ -1638,7 +1638,6 @@ The following configuration options are available for Alpha: * `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_client_auth string` - TLS client authentication used to validate client connection. Client cert and key will be optional by client with either `REQUEST` or `VERIFYIFGIVEN` for this setting. See [Client authentication](#client-authentication) for details. ```sh # First, create rootca and node certificates and private keys @@ -1664,12 +1663,12 @@ The following configuration options are available for Alpha: * `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_client_auth string` - TLS client authentication used to validate client connection. Client cert and key will be required by client with either `REQUIREANY` or `REQUIREANDVERIFY` for this setting. See [Client authentication](#client-authentication) for details. +* `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client authentication](#client-authentication) for details. ```sh # First, create a rootca, node, and client certificates and private keys $ dgraph cert -n localhost -c dgraphuser -# Default use for enabling TLS server (after generating certificates and private keys) +# Default use for enabling TLS server with client authentication (after generating certificates and private keys) $ dgraph alpha --tls_dir tls --tls_client_auth="REQUIREANDVERIFY" ``` 
From f5347214eca4853c8b0cf625b0dc7cbff1d81f29 Mon Sep 17 00:00:00 2001 From: joaquin Date: Thu, 7 May 2020 14:04:47 -0700 Subject: [PATCH 6/7] deploy tls docs - reorganized sections for client authentication, updated for curl section in relation to client authentication --- wiki/content/deploy/index.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index 1cce26f29e8..7d0d2fcc371 100644 --- a/wiki/content/deploy/index.md +++ b/wiki/content/deploy/index.md @@ -1550,7 +1550,7 @@ $ dgraph cert -n localhost -c dgraphuser $ dgraph cert ls ``` -### File naming conventions +#### File naming conventions To enable TLS you must specify the directory path to find certificates and keys. The default location where the _cert_ command stores certificates (and keys) is `tls` under the Dgraph working directory; where the data files are found. The default dir path can be overridden using the `--dir` option. @@ -1583,7 +1583,7 @@ $ dgraph cert -n localhost,104.25.165.23,dgraph.io,2400:cb00:2048:1::6819:a417 {{% notice "note" %}}When using host names for node certificates, including _localhost_, your clients must connect to the matching host name -- such as _localhost_ not 127.0.0.1. If you need to use IP addresses, then add them to the node certificate.{{% /notice %}} -### Certificate inspection +#### Certificate inspection The command `dgraph cert ls` lists all certificates and keys in the `--dir` directory (default 'tls'), along with details to inspect and validate cert/key pairs. 
@@ -1657,13 +1657,15 @@ Dgraph Live Loader can be configured with following options: $ dgraph live --tls_cacert ./tls/ca.crt --tls_server_name "localhost" -s 21million.schema -f 21million.rdf.gz ``` -### mTLS (Mutual TLS) options +### Client authentication + +#### mTLS (Mutual TLS) options The following configuration options are available for Alpha: * `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client authentication](#client-authentication) for details. +* `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client Authentication Options](#client-authentication-options) for details. ```sh # First, create a rootca, node, and client certificates and private keys @@ -1691,7 +1693,7 @@ $ dgraph live \ -f 21million.rdf.gz ``` -### Client authentication +#### Client Authentication Options The server will always REQUEST Client Authentication **only** when the `--tls_client_auth` option is specified. There are four different values that change the security policy of the client certificate. 
@@ -1732,23 +1734,21 @@ succeed. ### Using Curl with Client authentication -When TLS is enabled, `curl` requests to Dgraph will need some specific options to work. - -If the `--tls_client_auth` option is set to `REQUEST`or `VERIFYIFGIVEN` (default), -use the option `--cacert`. For instance (for an export request): +When TLS is enabled, `curl` requests to Dgraph will need some specific options to work. For instance (for an export request): ``` curl --silent --cacert ./tls/ca.crt https://localhost:8080/admin/export ``` -If the `--tls_client_auth` option is set to `REQUIREANY` or `REQUIREANDVERIFY`, -in addition to the `--cacert` option, also use the `--cert` and `--key` options. -For instance (for an export request): +If you are using `curl` with [Client Authentication](#client-authentication), you will need to provide the client certificate and private key. For instance (for an export request): ``` curl --silent --cacert ./tls/ca.crt --cert ./tls/client.dgraphuser.crt --key ./tls/client.dgraphuser.key https://localhost:8080/admin/export ``` +When the Dgraph alpha is configured with `--tls_client_auth` set to `REQUIREANY` or `REQUIREANDVERIFY`, you are required to provide the client certificate and private key. With `REQUEST`or `VERIFYIFGIVEN`, providing the client certificate and private key is optional. See [Client Authentication Options](#client-authentication-options) for details. + + Refer to the `curl` documentation for further information on its TLS options. ### Access Data Using a Client From 0fb7a3a2098ac3e005236ffdc647881a260e7a06 Mon Sep 17 00:00:00 2001 From: joaquin Date: Thu, 7 May 2020 18:24:27 -0700 Subject: [PATCH 7/7] deploy tls doc changes for correctness --- wiki/content/deploy/index.md | 47 ++++++++++++++++-------------------- 1 file changed, 21 insertions(+), 26 deletions(-) diff --git a/wiki/content/deploy/index.md b/wiki/content/deploy/index.md index 7d0d2fcc371..35579118607 100644 --- a/wiki/content/deploy/index.md 
+++ b/wiki/content/deploy/index.md @@ -1632,12 +1632,26 @@ Important points: * Node certificates are only valid for the hosts listed. * Client certificates are only valid for the named client/user. -### TLS options +### TLS Options The following configuration options are available for Alpha: * `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). * `--tls_use_system_ca` - Include System CA with Dgraph Root CA. +* `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client Authentication Options](#client-authentication-options) for details. + +Dgraph Live Loader can be configured with the following options: + +* `--tls_cacert string` - Dgraph Root CA, such as `./tls/ca.crt` +* `--tls_use_system_ca` - Include System CA with Dgraph Root CA. +* `--tls_cert` - User cert file provided by the client to Alpha +* `--tls_key` - User private key file provided by the client to Alpha +* `--tls_server_name string` - Server name, used for validating the server's TLS host name. + + +#### Using TLS without Client Authentication + +For TLS without client authentication, you can configure certificates and run Alpha server using the following: ```sh # First, create rootca and node certificates and private keys 
@@ -1646,26 +1660,16 @@ $ dgraph cert -n localhost $ dgraph alpha --tls_dir tls ``` -Dgraph Live Loader can be configured with following options: - -* `--tls_cacert string` - Dgraph Root CA, such as `./tls/ca.crt` -* `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_server_name string` - Server name, used for validating the server's TLS host name. +You can then run Dgraph live loader using the following: ```sh # Now, connect to server using TLS $ dgraph live --tls_cacert ./tls/ca.crt --tls_server_name "localhost" -s 21million.schema -f 21million.rdf.gz ``` -### Client authentication +#### Using TLS with Client Authentication -#### mTLS (Mutual TLS) options - -The following configuration options are available for Alpha: - -* `--tls_dir string` - TLS dir path; this enables TLS connections (usually 'tls'). -* `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_client_auth string` - TLS client authentication used to validate client connection. See [Client Authentication Options](#client-authentication-options) for details. +If you do require Client Authentication (Mutual TLS), you can configure certificates and run Alpha server using the following: ```sh # First, create a rootca, node, and client certificates and private keys @@ -1674,13 +1678,7 @@ $ dgraph cert -n localhost -c dgraphuser $ dgraph alpha --tls_dir tls --tls_client_auth="REQUIREANDVERIFY" ``` -Dgraph Live Loader can be configured with following options: - -* `--tls_cacert string` - Dgraph Root CA, such as `./tls/ca.crt` -* `--tls_use_system_ca` - Include System CA with Dgraph Root CA. -* `--tls_cert` - User cert file provided by the client to Alpha -* `--tls_key` - User private key file provided by the client to Alpha -* `--tls_server_name string` - Server name, used for validating the server's TLS host name. +You can then run Dgraph live loader using the following: ```sh # Now, connect to server using mTLS (mutual TLS) 
@@ -1695,7 +1693,7 @@ $ dgraph live \ #### Client Authentication Options -The server will always REQUEST Client Authentication **only** when the `--tls_client_auth` option is specified. There are four different values that change the security policy of the client certificate. +The server will always **request** Client Authentication. There are four different values for the `--tls_client_auth` option that change the security policy of the client certificate. | Value | Client Cert/Key | Client Certificate Verified | |--------------------|-----------------|--------------------| @@ -1740,15 +1738,12 @@ When TLS is enabled, `curl` requests to Dgraph will need some specific options t curl --silent --cacert ./tls/ca.crt https://localhost:8080/admin/export ``` -If you are using `curl` with [Client Authentication](#client-authentication), you will need to provide the client certificate and private key. For instance (for an export request): +If you are using `curl` with [Client Authentication](#client-authentication-options) set to `REQUIREANY` or `REQUIREANDVERIFY`, you will need to provide the client certificate and private key. For instance (for an export request): ``` curl --silent --cacert ./tls/ca.crt --cert ./tls/client.dgraphuser.crt --key ./tls/client.dgraphuser.key https://localhost:8080/admin/export ``` -When the Dgraph alpha is configured with `--tls_client_auth` set to `REQUIREANY` or `REQUIREANDVERIFY`, you are required to provide the client certificate and private key. With `REQUEST`or `VERIFYIFGIVEN`, providing the client certificate and private key is optional. See [Client Authentication Options](#client-authentication-options) for details. - - Refer to the `curl` documentation for further information on its TLS options. ### Access Data Using a Client
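Review bot: In PATCH 1/7, hunk `@@ -1641,22 +1641,54 @@`, the mTLS `dgraph live` example omits `--tls_cacert`, so the loader has no trust anchor to validate the Alpha certificate even though the option is documented a few lines above; add `--tls_cacert ./tls/ca.crt \` to that command. The same hunk has the example path `.tls/ca.crt` (missing the leading `./` used everywhere else) and stray trailing ` \` on the `--tls_cert` and `--tls_key` bullets. PATCH 2/7 fixes all three, so these commits should be squashed before merge.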
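Review bot: In PATCH 1/7, hunks `@@ -1706,7 +1738,7 @@` and `@@ -1714,7 +1746,8 @@`, `--silent` also suppresses curl's error output, so a failed handshake (wrong CA, hostname mismatch, rejected client certificate) prints nothing and the reader cannot tell why the export did not run; use `--silent --show-error` (`-sS`) in both examples so TLS errors stay visible.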
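Review bot: In PATCH 1/7, hunks `@@ -1796,10 +1829,10 @@` and `@@ -1978,7 +2011,7 @@` are whitespace-only changes (the removed and added lines are textually identical apart from trailing whitespace) and are unrelated to the subject line "doc fixes for mTLS/TLS"; either mention the cleanup in the commit message or move it to its own commit.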
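Review bot: In PATCH 3/7, hunk `@@ -1526,9 +1526,9 @@`, renaming `### Self-signed certificates` to `### Dgraph Certificate Management Tool` changes the generated anchor, so any existing links to `#self-signed-certificates` elsewhere in the docs will break; grep for that anchor and update it in the same change. The wording change from "self-signed" to "CA-signed" is correct, since node and client certificates are signed by the generated Dgraph Root CA.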
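Review bot: In PATCH 3/7, hunk `@@ -1696,12 +1696,12 @@`, the new table has a typo (`opitonal` in the `VERIFYIFGIVEN` row), the `REQUIREANY` description "valid and unverified" is self-contradictory, and the unchanged context line still reads "security policty". PATCH 4/7 rewrites the table and fixes these, and hunk `@@ -1747,8 +1747,7 @@` in this same patch re-joins the curl command that PATCH 1/7 split across two lines; this back-and-forth is a further reason to squash the series.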
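Review bot: In PATCH 4/7, hunk `@@ -1694,14 +1694,14 @@`, the `REQUIREANY` row states "required" and "Client certificate is never VERIFIED", but only the `REQUEST` row carries a "(least secure)" marker; add a short note that a required-but-unverified certificate provides no client authentication (any certificate, including one the client generated itself, is accepted), so only `REQUIREANDVERIFY` and `VERIFYIFGIVEN` actually authenticate clients.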
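Review bot: In PATCH 7/7, hunk `@@ -1695,7 +1693,7 @@`, the sentence changes from "REQUEST Client Authentication **only** when the `--tls_client_auth` option is specified" (PATCH 4/7) to "will always **request** Client Authentication", which contradicts the earlier commit in the same series. Since the table marks `VERIFYIFGIVEN` as the default, state explicitly that this default applies when the option is omitted, so readers understand a client certificate is requested and verified whenever `--tls_dir` is set.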
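Review bot: In PATCH 7/7, hunk `@@ -1632,12 +1632,26 @@`, the `--tls_cert` and `--tls_key` bullets lack the `string` type suffix carried by every other flag in both lists; write them as `--tls_cert string` and `--tls_key string` for consistency. The hunk also re-adds the `--tls_client_auth` bullet that PATCH 5/7 removed and leaves two blank lines before `#### Using TLS without Client Authentication`.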