Putting some Gravitee into Neo4j — Part II — go Gravitee

Preamble

  1. Your web browser communicates with the Neo4j Web Server.
  2. The UI application elements are loaded into your web browser; the Neo4j Web Server does not serve the application itself.
  3. Your web browser communicates with the Gravitee Gateway Server. This is the main part of the dance.
  4. The Gravitee Gateway Server communicates with the identity provider. This may lead to an authentication request.
  5. With the dance complete, your web browser can access the database.

Setup

  • Ports 8092, 8093 and 8094 must be reachable from the outside.
  • A DNS name pointing at the public IP address of the server. For the rest of the document I’ll assume the DNS name is apollo.yourdomain.io (I like Greek mythology).
  • The certificate files are already on the server.

    ls -l /home/ec2-user

[screenshot: certificate files]

Installation

    # Gravitee AM 3.x installer script
    sudo curl -sSL https://bit.ly/install-am-3x | bash

[screenshot: fancy installation output]

    sudo ss -lntp

[screenshot: game of ports]
    # Bundle the private key, the leaf certificate and the CA chain into a PKCS#12 file.
    # -certfile adds the intermediate certificates to the bundle; -CAfile alone would only
    # be consulted together with -chain and would otherwise leave the intermediates out.
    openssl pkcs12 -export \
      -in /home/ec2-user/certificate.crt \
      -inkey /home/ec2-user/private.key \
      -out /home/ec2-user/apollo.yourdomain.io.p12 \
      -name apollo.yourdomain.io \
      -certfile /home/ec2-user/ca_bundle.crt \
      -caname "ZeroSSL Certificate apollo.yourdomain.io" \
      -password pass:notverysecure
    # Convert the PKCS#12 file into the JKS keystore Gravitee expects (source type is PKCS12, not JKS).
    keytool -importkeystore \
      -deststorepass notverysecure \
      -destkeypass notverysecure \
      -deststoretype JKS \
      -srckeystore /home/ec2-user/apollo.yourdomain.io.p12 \
      -srcstoretype PKCS12 \
      -srcstorepass notverysecure \
      -destkeystore /home/ec2-user/apollo.yourdomain.io.jks \
      -alias apollo.yourdomain.io
    # PEM chain (leaf + CA bundle) for nginx, which does not read the keystore.
    cat /home/ec2-user/certificate.crt /home/ec2-user/ca_bundle.crt > /home/ec2-user/apollo.yourdomain.io.cert
    sudo mkdir /opt/graviteeio/security
    sudo cp /home/ec2-user/apollo.yourdomain.io.cert /opt/graviteeio/security/
    sudo cp /home/ec2-user/apollo.yourdomain.io.jks /opt/graviteeio/security/
    sudo cp /home/ec2-user/private.key /opt/graviteeio/security/apollo.yourdomain.io.key
    sudo chown -R gravitee:gravitee /opt/graviteeio/security
    ls -l /opt/graviteeio/security

[screenshot: ready to use]
    # Gateway gravitee.yml: serve the gateway over TLS on 8092 and switch off the internal core service port.
    http:
      port: 8092
      secured: true
      ssl:
        keystore:
          type: jks
          path: /opt/graviteeio/security/apollo.yourdomain.io.jks
          password: notverysecure
    ...
    services:
      core:
        http:
          enabled: false
          port: 18092
    ...

    # Management API gravitee.yml (the management API is Jetty based): TLS on 8093, core service port off.
    jetty:
      port: 8093
      secured: true
      ssl:
        keystore:
          type: jks
          path: /opt/graviteeio/security/apollo.yourdomain.io.jks
          password: notverysecure
    ...
    services:
      core:
        http:
          enabled: false
          port: 18093
    ...
Management UI constants.json, pointing the UI at the management API over TLS:

    {
      "baseURL": "https://apollo.yourdomain.io:8093/management"
    }

nginx server block serving the management UI on 8094 with the PEM chain and key copied above:

    server {
      listen 0.0.0.0:8094 ssl;
      server_name apollo.yourdomain.io;
      ssl_certificate /opt/graviteeio/security/apollo.yourdomain.io.cert;
      ssl_certificate_key /opt/graviteeio/security/apollo.yourdomain.io.key;
      root /opt/graviteeio/am/management-ui;
      index index.html;
      location / {
        try_files $uri $uri/ /index.html;
      }
    }
    sudo systemctl restart graviteeio-am-gateway.service
    sudo systemctl restart graviteeio-am-management-api.service
    sudo systemctl restart nginx
    sudo ss -lntp

[screenshot: two ports less]
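Added check script (not part of the post or of the Gravitee installer) for the state the restarts should leave you in: each public port presents the certificate from /home/ec2-user/certificate.crt, the presented chain verifies against /home/ec2-user/ca_bundle.crt (a failing verify usually means the intermediates never made it into the keystore), and the disabled core ports 18092 and 18093 no longer listen. The host name and paths are the walkthrough's assumptions and can be overridden through environment variables.

```shell
#!/usr/bin/env bash
# Added post-install check; host name and file paths are the walkthrough's
# assumptions and can be overridden through the environment.
HOST="${HOST:-apollo.yourdomain.io}"
CA_BUNDLE="${CA_BUNDLE:-/home/ec2-user/ca_bundle.crt}"
LEAF_CERT="${LEAF_CERT:-/home/ec2-user/certificate.crt}"
# Reduce "sha256 Fingerprint=AB:CD:..." (openssl x509 output) to the bare hex value.
fingerprint_value() {
  printf '%s\n' "$1" | sed -n 's/^[A-Za-z0-9]* Fingerprint=//p'
}
# SHA-256 fingerprint of the first certificate in a PEM file.
pem_fingerprint() {
  fingerprint_value "$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null)"
}
# Fingerprint of the leaf certificate a TLS port actually presents (SNI set).
served_fingerprint() {
  fingerprint_value "$(openssl s_client -connect "$HOST:$1" -servername "$HOST" \
    </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null)"
}
# Succeeds when the chain presented on a port verifies against the CA bundle.
chain_verifies() {
  openssl s_client -connect "$HOST:$1" -servername "$HOST" -CAfile "$CA_BUNDLE" \
    </dev/null 2>/dev/null | grep -q 'Verify return code: 0 (ok)'
}
# From `ss -lntp` output ($1), print those ports of list $2 that are listening.
listening_among() {
  local p listening
  listening=$(printf '%s\n' "$1" | awk '$1=="LISTEN" {n=split($4,a,":"); print a[n]}')
  for p in $2; do
    printf '%s\n' "$listening" | grep -qx "$p" && echo "$p"
  done
  return 0
}
main() {
  want=$(pem_fingerprint "$LEAF_CERT")
  for port in 8092 8093 8094; do
    got=$(served_fingerprint "$port")
    [ "$got" = "$want" ] && echo "port $port: serves $LEAF_CERT" \
      || echo "port $port: MISMATCH (got '${got:-nothing}')"
    chain_verifies "$port" && echo "port $port: chain verifies against $CA_BUNDLE" \
      || echo "port $port: chain does NOT verify (intermediate missing from keystore?)"
  done
  stray=$(listening_among "$(ss -lntp 2>/dev/null)" "18092 18093")
  [ -z "$stray" ] && echo "core service ports closed" || echo "still listening: $stray"
}
case "${1:-}" in --check) main ;; esac
```

Run it on the server as `bash check.sh --check`; without the `--check` argument it only defines the functions.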

Configuration

[screenshot: Organization settings — Entrypoints]
[screenshot: Entrypoint changed]
[screenshot: Create domain]
[screenshot: Domain created]
  • General → Enable domain → SAVE
  • Login → User Registration → SAVE
  • User Accounts → select the Default Identity Provider in the pull-down menu → SAVE
  • Users → Create a new user (yourself, for example) … fill out the mandatory fields and make sure to select the Default Identity Provider → Create
  • Groups → Create a new group … the name should be (lowercase) admin → Create

[screenshot: application menu]

  • Identity Providers → Enable → SAVE
  • Settings → OAuth2.0/OIDC → Scopes → ADD SCOPES

[screenshot: Application level OAuth2.0/OIDC Settings]
[screenshot: Scopes added]

Thoughts

  • You set up a broker that handles SSO authentication flows for you, with configuration only.
  • You went with the default identity provider (and created a user and a group in it), but you could just as easily have plugged in an external identity provider such as Google or your organization’s Active Directory, or …
  • You defined an application that handles the specific flow required by the Neo4j database you are going to install on the same server, again with configuration only.

At the age of 15, Tom Geudens’ parents gave him a choice. Either become a baker or go into IT. He went into IT …
