Putting some Gravitee into Neo4j — Part III — go Neo4j

Preamble

Setup

  • Ports 7473 (HTTPS, Neo4j Browser) and 7687 (Bolt) must (additionally) be accessible from wherever you connect; since the configuration below listens on 0.0.0.0, the security group is what limits who can reach them

Installation

sudo fdisk -l
That isn’t exactly the promised 75Gb, now is it …
# execute these commands one by one
sudo parted /dev/nvme1n1 mklabel msdos
sudo parted /dev/nvme1n1 mkpart primary xfs 0% 100%
sudo mkdir /neo4j
sudo mkfs.xfs /dev/nvme1n1p1
sudo mount /dev/nvme1n1p1 /neo4j
# NVMe device names on EC2 can change between a stop and a start; a UUID=... entry (from blkid) is the safer fstab reference
echo '/dev/nvme1n1p1 /neo4j xfs defaults,noatime 1 1' | sudo tee -a /etc/fstab
sudo mount -a
sudo chown ec2-user:ec2-user /neo4j
df
Nice spot for the database
cd /neo4j
mkdir -p data import log metrics plugins certificates/bolt/trusted certificates/https/trusted
find .
/neo4j folder structure
# the .key copies must end up readable only by the neo4j service account: make sure they are mode 0600 before the chown -R in the Configuration step
cp /home/ec2-user/private.key /neo4j/certificates/bolt/neo4j.key
cp /home/ec2-user/private.key /neo4j/certificates/https/neo4j.key
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/bolt/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/bolt/trusted/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/https/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/https/trusted/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.jks /neo4j/certificates
# execute these commands one by one
sudo rpm --import https://debian.neo4j.com/neotechnology.gpg.key
sudo tee -a /etc/yum.repos.d/neo4j.repo <<EOF
[neo4j]
name=Neo4j RPM Repository
baseurl=https://yum.neo4j.com/stable
enabled=1
gpgcheck=1
EOF
sudo amazon-linux-extras enable java-openjdk11
sudo NEO4J_ACCEPT_LICENSE_AGREEMENT=yes yum install neo4j-enterprise-4.4.2 -y

Configuration

sudo chown -R neo4j:neo4j /neo4j
# DIRECTORIES
dbms.directories.data=/neo4j/data
dbms.directories.plugins=/neo4j/plugins
dbms.directories.logs=/neo4j/log
dbms.directories.metrics=/neo4j/metrics
dbms.directories.import=/neo4j/import
# BASICS
metrics.enabled=true
metrics.csv.enabled=false
metrics.prometheus.enabled=false
metrics.graphite.enabled=false
metrics.jmx.enabled=true
#dbms.logs.query.enabled=off
# unrestricted procedures run outside the security sandbox; keep this list to the plugins you actually deploy
dbms.security.procedures.unrestricted=apoc.*,gds.*
dbms.memory.heap.initial_size=2g
dbms.memory.heap.max_size=2g
dbms.memory.pagecache.size=1g
dbms.memory.transaction.global_max_size=2000m
dbms.tx_log.rotation.retention_policy=1G size
dbms.db.timezone=SYSTEM
dbms.logs.user.stdout_enabled=false
# HTTPS + BOLT over SSL
dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=apollo.yourdomain.io
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
# OPTIONAL still accepts unencrypted bolt:// connections; switch to REQUIRED once every client connects with bolt+s:// or neo4j+s://
dbms.connector.bolt.tls_level=OPTIONAL
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.private_key=/neo4j/certificates/bolt/neo4j.key
dbms.ssl.policy.bolt.public_certificate=/neo4j/certificates/bolt/neo4j.cert
dbms.ssl.policy.bolt.client_auth=NONE
dbms.ssl.policy.bolt.base_directory=/neo4j/certificates/bolt
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.client_auth=NONE
dbms.ssl.policy.https.private_key=/neo4j/certificates/https/neo4j.key
dbms.ssl.policy.https.public_certificate=/neo4j/certificates/https/neo4j.cert
dbms.ssl.policy.https.base_directory=/neo4j/certificates/https
# SSO
dbms.security.authorization_providers=oidc-neo4jgravitee,native
dbms.security.authentication_providers=oidc-neo4jgravitee,native
dbms.security.oidc.neo4jgravitee.display_name=Gravitee
dbms.security.oidc.neo4jgravitee.redirect_uri=https://apollo.yourdomain.io:7473/browser?idp_id=neo4jgravitee&auth_flow_step=redirect_uri
dbms.security.oidc.neo4jgravitee.params=client_id=neo4jgravitee;response_type=code;scope=profile openid email groups
# token_type_authentication is access_token (not id_token): username and groups are read from the userinfo endpoint below, and that call is authenticated with the access token
dbms.security.oidc.neo4jgravitee.config=principal=unique_name;code_challenge_method=S256;token_type_principal=id_token;token_type_authentication=access_token
dbms.security.oidc.neo4jgravitee.well_known_discovery_uri=https://apollo.yourdomain.io:8092/neo4jssodomain/oidc/.well-known/openid-configuration
dbms.security.oidc.neo4jgravitee.audience=neo4jgravitee
dbms.security.oidc.neo4jgravitee.claims.username=email
dbms.security.oidc.neo4jgravitee.claims.groups=groups
dbms.security.oidc.neo4jgravitee.get_username_from_user_info=true
dbms.security.oidc.neo4jgravitee.get_groups_from_user_info=true
# SSO - Certificates for Gravitee Server
# Neo4j calls the Gravitee server (discovery document, signing keys, token and userinfo endpoints), so the JVM must trust its certificate.
# Setting javax.net.ssl.trustStore replaces the JVM's default cacerts, so this JKS must also hold the roots of any other TLS endpoint Neo4j talks to.
# The keyStore only matters if Gravitee asks for a client certificate.
# Both passwords end up on the java command line (visible in ps): keep neo4j.conf readable by the neo4j user only.
dbms.jvm.additional=-Djavax.net.ssl.keyStore=/neo4j/certificates/apollo.yourdomain.io.jks
dbms.jvm.additional=-Djavax.net.ssl.keyStorePassword=notverysecure
dbms.jvm.additional=-Djavax.net.ssl.trustStore=/neo4j/certificates/apollo.yourdomain.io.jks
dbms.jvm.additional=-Djavax.net.ssl.trustStorePassword=notverysecure
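Before handing a neo4j.conf like the one above to systemd, it is worth running the security-relevant lines through a small review script. The one below is an added example (not code from this post or from Neo4j): SAMPLE_CONF is a constructed subset of the page's configuration (it deliberately keeps the listen address declared twice, once under BASICS and once under HTTPS), and the CHECKS table, the severities and the hardened values are this example's own review assumptions, not Neo4j defaults.

```python
"""Lint neo4j.conf for the settings this page relies on (added example)."""
import re
from collections import defaultdict

# Constructed subset of the configuration shown on the page.
SAMPLE_CONF = """\
dbms.default_listen_address=0.0.0.0
dbms.security.procedures.unrestricted=apoc.*,gds.*
# HTTPS + BOLT over SSL
dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=apollo.yourdomain.io
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
dbms.connector.bolt.tls_level=OPTIONAL
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.client_auth=NONE
dbms.jvm.additional=-Djavax.net.ssl.keyStore=/neo4j/certificates/apollo.yourdomain.io.jks
dbms.jvm.additional=-Djavax.net.ssl.keyStorePassword=notverysecure
dbms.jvm.additional=-Djavax.net.ssl.trustStore=/neo4j/certificates/apollo.yourdomain.io.jks
dbms.jvm.additional=-Djavax.net.ssl.trustStorePassword=notverysecure
"""

# The one key that is legitimately declared once per JVM flag.
MULTI_VALUED = {"dbms.jvm.additional"}

# setting -> (value that earns a finding, why). Review assumptions of this example.
CHECKS = {
    "dbms.connector.bolt.tls_level": (
        "OPTIONAL", "plaintext bolt:// is still accepted; use REQUIRED once every client uses bolt+s:// or neo4j+s://"),
    "dbms.connector.http.enabled": (
        "true", "plaintext HTTP connector exposed; keep it disabled and serve Browser over HTTPS only"),
    "dbms.default_listen_address": (
        "0.0.0.0", "bound on every interface; only the security group limits who reaches 7473/7687"),
    "dbms.security.auth_enabled": ("false", "authentication is switched off"),
}


def parse_conf(text):
    """neo4j.conf text -> {key: [(line_no, value), ...]}; comments and blanks skipped."""
    settings = defaultdict(list)
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {line_no}: expected key=value, got {raw!r}")
        key, _, value = line.partition("=")
        settings[key.strip()].append((line_no, value.strip()))
    return settings


def lint(text):
    """Return findings as (severity, key, message) tuples."""
    settings = parse_conf(text)
    findings = []
    for key, values in settings.items():
        if len(values) > 1 and key not in MULTI_VALUED:
            lines = ", ".join(str(n) for n, _ in values)
            # Two declarations with *different* values is the dangerous case:
            # which one wins is not obvious from reading the file.
            sev = "ERROR" if len({v for _, v in values}) > 1 else "WARN"
            findings.append((sev, key, f"declared {len(values)} times (lines {lines})"))
    for key, (bad, why) in CHECKS.items():
        if any(v.lower() == bad.lower() for _, v in settings.get(key, [])):
            findings.append(("WARN", key, why))
    for line_no, value in settings.get("dbms.jvm.additional", []):
        # JVM flags end up on the java command line, so the password is readable
        # by anyone who can read neo4j.conf or run `ps`.
        if re.search(r"Password=", value):
            findings.append(("WARN", "dbms.jvm.additional",
                             f"line {line_no}: store password in plain text on the JVM command line"))
    for _, value in settings.get("dbms.security.procedures.unrestricted", []):
        findings.append(("INFO", "dbms.security.procedures.unrestricted",
                         f"{value}: these run outside the sandbox; keep the list to installed plugins"))
    return findings


def harden(text):
    """Copy of the config with duplicate single-valued keys collapsed to their
    first declaration and Bolt TLS made mandatory. Assumes every client
    (Browser over HTTPS, drivers) already connects with a +s:// scheme."""
    seen, out = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            if key == "dbms.connector.bolt.tls_level" and value.strip().upper() == "OPTIONAL":
                raw = f"{key}=REQUIRED"
            if key not in MULTI_VALUED:
                if key in seen:
                    continue
                seen.add(key)
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for sev, key, msg in lint(SAMPLE_CONF):
        print(f"{sev:5} {key}: {msg}")
    print("--- hardened ---")
    print(harden(SAMPLE_CONF), end="")
```

Run it against the real file with `python3 lint_neo4j_conf.py` after swapping SAMPLE_CONF for `open("/etc/neo4j/neo4j.conf").read()`; the INFO line for unrestricted procedures is there as a reminder rather than a defect, and REQUIRED is only safe once no driver still uses a plain bolt:// URL.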

Fingers crossed

sudo systemctl enable neo4j
sudo systemctl start neo4j
tail -f /neo4j/log/neo4j.log
Neo4j starting up …
There’s an SSO option and it should say Gravitee
first sign in
permissions
SUCCESS!
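What happens between clicking the Gravitee button and that SUCCESS is an OpenID Connect authorization-code login with PKCE (the code_challenge_method=S256 in the config). The script below is an added example, not Neo4j Browser's or Gravitee's code: it builds the authorization request from the page's own params/config strings, computes the S256 challenge, and then applies the checks a client must make on the returned claims before using the email and groups from userinfo, which is what get_username_from_user_info=true and get_groups_from_user_info=true select. ISSUER, AUTHORIZATION_ENDPOINT, ID_CLAIMS and USERINFO are constructed stand-ins (in a real login they come from the discovery document and the token/userinfo responses), and signature verification of the id_token against the provider's keys is assumed to have already happened.

```python
"""PKCE authorization request and claim checks for the SSO login on this page (added example)."""
import base64
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# The neo4jgravitee provider settings as written in neo4j.conf on this page.
OIDC = {
    "redirect_uri": "https://apollo.yourdomain.io:7473/browser?idp_id=neo4jgravitee&auth_flow_step=redirect_uri",
    "params": "client_id=neo4jgravitee;response_type=code;scope=profile openid email groups",
    "config": "principal=unique_name;code_challenge_method=S256;token_type_principal=id_token;token_type_authentication=access_token",
    "audience": "neo4jgravitee",
    "claims.username": "email",
    "claims.groups": "groups",
    "get_username_from_user_info": "true",
    "get_groups_from_user_info": "true",
}
# Assumed: what the well_known_discovery_uri document would report (constructed).
ISSUER = "https://apollo.yourdomain.io:8092/neo4jssodomain/oidc"
AUTHORIZATION_ENDPOINT = ISSUER + "/authorize"


def parse_kv(setting):
    """'a=1;b=x y' -> {'a': '1', 'b': 'x y'}: the ';'-separated form of params/config."""
    return dict(item.split("=", 1) for item in setting.split(";") if item)


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def new_verifier():
    """43-character verifier from 32 random bytes (RFC 7636 allows 43..128)."""
    return b64url(secrets.token_bytes(32))


def pkce_challenge(verifier):
    """S256: BASE64URL(SHA256(ASCII(verifier))), unpadded."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_url(verifier, state):
    """The request the Browser redirects the user to. Only the challenge
    travels; the verifier stays client-side until the code is exchanged."""
    cfg = parse_kv(OIDC["config"])
    query = {
        **parse_kv(OIDC["params"]),
        "redirect_uri": OIDC["redirect_uri"],
        "state": state,  # binds the callback to this browser session
        "code_challenge": pkce_challenge(verifier),
        "code_challenge_method": cfg["code_challenge_method"],
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(query)


def query_of(url):
    """Decoded query parameters of a URL, single-valued."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def resolve_login(id_claims, userinfo, now=None):
    """Validate the (already signature-verified) id_token claims, then read the
    username and groups from userinfo, as the get_*_from_user_info settings select."""
    now = time.time() if now is None else now
    aud = id_claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if OIDC["audience"] not in aud:
        raise ValueError(f"aud {aud} does not include {OIDC['audience']}")
    if id_claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    if id_claims.get("exp", 0) <= now:
        raise ValueError("id_token expired")
    # OIDC Core 5.3.2: a userinfo response whose sub differs from the id_token sub must not be used.
    if userinfo.get("sub") != id_claims.get("sub"):
        raise ValueError("userinfo sub does not match id_token sub")
    user_src = userinfo if OIDC["get_username_from_user_info"] == "true" else id_claims
    group_src = userinfo if OIDC["get_groups_from_user_info"] == "true" else id_claims
    return user_src[OIDC["claims.username"]], list(group_src.get(OIDC["claims.groups"], []))


def login_rejected(id_claims, userinfo, now=None):
    """True if resolve_login refuses the pair (shows the negative cases)."""
    try:
        resolve_login(id_claims, userinfo, now)
    except ValueError:
        return True
    return False


# Constructed stand-ins for an id_token's claims and a userinfo body.
ID_CLAIMS = {"iss": ISSUER, "aud": "neo4jgravitee", "sub": "u-42", "exp": 1_900_000_000}
USERINFO = {"sub": "u-42", "email": "alice@yourdomain.io", "groups": ["neo4j-admins"]}

if __name__ == "__main__":
    print(authorization_url(new_verifier(), state=secrets.token_urlsafe(16)))
    print(resolve_login(ID_CLAIMS, USERINFO, now=1_800_000_000))
```

The username that comes out of resolve_login is what shows up in the "first sign in" and "permissions" screens; the group list is what a group-to-role mapping would act on. The sub comparison is the check most often skipped: without it, a userinfo response for a different account would silently become the logged-in user.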

Thoughts

At the age of 15, Tom Geudens’ parents gave him a choice. Either become a baker or go into IT. He went into IT …