Return to book
Review this book
About the author
Introduction
1. Getting Started
- 1.1. Document and Graph models
- 1.2. Installation
- 1.3. Run the server
- 1.4. Run the console
- 1.5. Classes
- 1.6. Clusters
- 1.7. Record ID
- 1.8. SQL
- 1.9. Relationships
- 1.10. Working with Graphs
- 1.11. Using Schema with Graphs
- 1.12. Setup a Distributed Database
- 1.13. Working with Distributed Graphs
- 1.14. Java API
- 1.15. More on Tutorials
  - 1.15.1. Presentations
2. Basic Concepts
- 2.1. Supported Types
- 2.2. Inheritance
- 2.3. Schema
3. Fetching Strategies
4. Indexes
- 4.1. SB-Tree
- 4.2. Hash
- 4.3. Full Text
- 4.4. Lucene Full Text
- 4.5. Lucene Spatial
5. Security
- 5.1. SSL
6. Caching
7. Functions
8. Transaction
9. Hook - Triggers
- 9.1. Dynamic Hooks
- 9.2. Java (Native) Hooks
10. API
- 10.1. SQL
- 10.2. Java API
- 10.3. Gremlin API
- 10.4. Javascript
  - 10.4.1. Javascript API
- 10.5. Scala API
- 10.6. HTTP API
- 10.7. Binary Protocol
11. Use Cases
- 11.1. Time Series
- 11.2. Key Value
12. Server
- 12.1. Embed the Server
- 12.2. Plugins
13. Studio
- 13.1. Query
- 13.2. Edit Document
- 13.3. Edit Vertex
- 13.4. Schema
- 13.5. Class
- 13.6. Graph Editor
- 13.7. Functions
- 13.8. Security
- 13.9. Database Management
- 13.10. Server Management
14. Console
- 14.1. Backup
- 14.2. Begin
- 14.3. Browse Class
- 14.4. Browse Cluster
- 14.5. Classes
- 14.6. Clusters
- 14.7. Commit
- 14.8. Config
- 14.9. Config Get
- 14.10. Config Set
- 14.11. Connect
- 14.12. Create Cluster
- 14.13. Create Database
- 14.14. Create Index
- 14.15. Create Link
- 14.16. Create Property
- 14.17. Declare Intent
- 14.18. Delete
- 14.19. Dictionary Get
- 14.20. Dictionary Keys
- 14.21. Dictionary Put
- 14.22. Dictionary Remove
- 14.23. Disconnect
- 14.24. Display Record
- 14.25. Drop Cluster
- 14.26. Drop Database
- 14.27. Export
- 14.28. Export Record
- 14.29. Freeze DB
- 14.30. Get
- 14.31. Grant
- 14.32. Import
- 14.33. Info
- 14.34. Info Class
- 14.35. Insert
- 14.36. Load Record
- 14.37. Profiler
- 14.38. Properties
- 14.39. Release DB
- 14.40. Reload Record
- 14.41. Restore
- 14.42. Revoke
- 14.43. Rollback
- 14.44. Set
15. Operations
- 15.1. Installation
- 15.2. Performance Tuning
- 15.3. ETL
- 15.4. Distributed Architecture
- 15.5. Backup and Restore
- 15.6. Export and Import
- 15.7. Logging
16. Enterprise Edition
17. Troubleshooting
- 17.1. Java
18. Available Plugins
- 18.1. Rexster
- 18.2. Gephi Graph Render
19. Upgrade
- 19.1. Backward compatibility
- 19.2. From 1.7.x to 2.0.x
- 19.3. From 1.6.x to 1.7.x
- 19.4. From 1.5.x to 1.6.x
- 19.5. From 1.4.x to 1.5.x
- 19.6. From 1.3.x to 1.4.x
20. Internals
- 20.1. Storages
- 20.2. Clusters
- 20.3. RidBag
- 20.4. SQL Syntax
- 20.5. Custom Index Engine
21. Contribute to OrientDB
- 21.1. The Team
- 21.2. Hackaton
- 21.3. Report an issue
22. Get in touch

OrientDB Manual

SSL

Starting from v1.7, OrientDB provides the ability to secure is HTTP and BINARY protocols using SSL (For Distributed SSL see the HazelCast Documentation).

Setting up the Key and Trust Stores

OrientDB uses the JAVA Keytool to setup and manage certificates. This tutorial shows how to create key and trust stores that reference a self signed cert. Use of CA signed certs is outside the scope of this document. For more details on using the java Keytool please visit http://docs.oracle.com/javase/7/docs/technotes/tools/index.html#security and for more information.

Using keytool, create a certificate for the server:

keytool -genkey -alias server -keystore orientdb.ks -keyalg RSA -keysize 2048 -validity 3650
Export the server's certificate so it can be shared with clients:

keytool -export -alias server -keystore orientdb.ks -file orientdb.cert
Create a certificate/keystore for the console/clients:

keytool -genkey -alias console -keystore orientdb-console.ks -keyalg RSA -keysize 2048 -validity 3650
Create a trust-store for the client, and import the server's certificate. This establishes that the client "trusts" the server:

keytool -import -alias server -keystore orientdb-console.ts -file orientdb.cert

NOTE: You will need to repeat steps 3 and 4 for each remote client vm you wish to connect to the server. Remember to change the alias and keystore and trust-store filenames accordingly.

Configuring the Server

The OrientDB server config ($ORIENTDB_HOME/config/orientdb-server-config.xml) does not enable SSL by default. To enable SSL on a protocol listener you simply change the "socket" attribute of the from "default" to one of your configured definitions.

There are two default definitions named "ssl" and "https". These should be sufficient for most uses cases, however more can be defined if you want to secure different listeners with there own certificates or want custom socket factory implementations. When using the "ssl" implementation keep in mind that the default port for OrientDB SSL is 2434 and that your port-range should be changed to 2434-2440.

By default, the OrientDB Server looks for its keys and trust stores in $ORIENTDB_HOME/config/cert. This is configured using the parameters. Make sure that all of the key and trust stores created in the previous setup are in the correct directory and that the passwords used are also correct.

Note that paths are relative to $ORIENTDB_HOME. Absolute paths are supported.

Example Configuration

  <sockets>
    <socket implementation="com.orientechnologies.orient.server.network.OServerSSLSocketFactory" name="ssl">
      <parameters>
        <parameter value="false" name="network.ssl.clientAuth"/>
        <parameter value="config/cert/orientdb.ks" name="network.ssl.keyStore"/>
        <parameter value="password" name="network.ssl.keyStorePassword"/>

        <!-- NOTE: We are using the same store for keys and trust.
            This will change if client authentication is enabled. See Configuring Client section -->

        <parameter value="config/cert/orientdb.ks" name="network.ssl.trustStore"/>
        <parameter value="password" name="network.ssl.trustStorePassword"/>
      </parameters>
    </socket>

    ...

    <listener protocol="binary" ip-address="0.0.0.0" port-range="2424-2430" socket="default"/>
    <listener protocol="binary" ip-address="0.0.0.0" port-range="2434-2440" socket="ssl"/>

Configuring the Console

To enable SSL for remote connections using the console, a few changes to the console script are required.

Confirm that your KEYSTORE, TRUSTSTORE and repective PASSWORD variables are set correctly.
In the SSL_OPTS definition set the "client.ssl.enabled" system property to "true"

Configuring Client

Configuring remote clients can be done using standard java system property patterns.

Properties:

client.ssl.enabled: Used to enable/disable SSL. Accepts "true" or "false". Only needed when using remote binary client connections.
javax.net.ssl.keyStore: Path to key store
javax.net.ssl.keyStorePassword: Key store password
javax.net.ssl.trustStore: Path to trust store
javax.net.ssl.trustStorePassword: Trust store password

Use steps 3 and 4 from the "Setting up the Key and Trust Stores" section to create client certificates and trust of the server. Paths to the stores will be client specific and do not need to be the same as the server.

If you would like to use key and/or truststores other that the default JVM they should use instead:

client.ssl.keyStore: Path to key store
client.ssl.keyStorePass: Key store password
client.ssl.trustStore: Path to trust store
client.ssl.trustStorePass: Trust store password

Example Java Command Line:

java -Dclient.ssl.enabled=false -Djavax.net.ssl.keyStore=</path/to/keystore> -Djavax.net.ssl.keyStorePassword=<keystorepass> \
    -Djavax.net.ssl.trustStore=</path/to/truststore> -Djavax.net.ssl.trustStorePassword=<truststorepass>

Example Java Implementation:

System.setProperty("client.ssl.enabled", <"true"|"false">); # This will only be needed for remote binary clients
System.setProperty("javax.net.ssl.keyStore", </path/to/keystore>);
System.setProperty("javax.net.ssl.keyStorePassword", <keystorepass>);
System.setProperty("javax.net.ssl.trustStore", </path/to/truststore>);
System.setProperty("javax.net.ssl.trustStorePassword", <truststorepass>);

If you want to verify/authenticate client certificates, you need to take a few extra steps on the server:

Export the client's certificate so it can be shared with server:

keytool -export -alias <client_alias> -keystore <client.ks> -file client_cert

Example using console:

keytool -export -alias console -keystore orientdb-console.ks -file orientdb-console.cert
Create a truststore for the server if one does not exist, and import the client's certificate. This establishes that the server "trusts" the client:

keytool -import -alias <client_alias> -keystore orientdb.ts -file client_cert

Example using console:

keytool -import -alias console -keystore orientdb.ts -file orientdb-console.cert

In the server config make sure that client authentication is enabled for the and that the trust-store path and password are correct:

Example

  <sockets>
    <socket implementation="com.orientechnologies.orient.server.network.OServerSSLSocketFactory" name="ssl">
      <parameters>
        <parameter value="true" name="network.ssl.clientAuth"/>
        <parameter value="config/cert/orientdb.ks" name="network.ssl.keyStore"/>
        <parameter value="password" name="network.ssl.keyStorePassword"/>

        <!-- NOTE: We are using the trust store with the imported client cert. You can import as many client as you would like -->
        <parameter value="config/cert/orientdb.ts" name="network.ssl.trustStore"/>
        <parameter value="password" name="network.ssl.trustStorePassword"/>
      </parameters>
    </socket>