Putting some Gravitee into Neo4j — Part III — go Neo4j

Tom Geudens
5 min readDec 21, 2021

--

Preamble

I explained the why and what in the first part. You set up Gravitee Access Management (OSS edition) in the second part. In this third part you will install a Neo4j Enterprise Edition and link the two together. The end result is you logging on with the Neo4j Browser using SSO.

Setup

As this is an experiment, having both Gravitee and Neo4j on a single server is fine. You do need the following before we can install Neo4j:

  • Ports 7473 and 7687 must (additionally) be accessible

Installation

The AWS instance I picked has NVMe storage. A bit of preparation is needed to use it.

sudo fdisk -l
That isn’t exactly the promised 75Gb, now is it …
# execute these commands one by one
sudo
parted /dev/nvme1n1 mklabel msdos
sudo parted /dev/nvme1n1 mkpart primary xfs 0% 100%
sudo mkdir /neo4j
sudo mkfs.xfs /dev/nvme1n1p1
sudo mount /dev/nvme1n1p1 /neo4j
echo '/dev/nvme1n1p1 /neo4j xfs defaults,noatime 1 1' | sudo tee -a /etc/fstab
sudo mount -a
sudo chown ec2-user:ec2-user /neo4j
df
Nice spot for the database

As you’ll soon point the database to this location, a couple of extra folders are useful:

cd /neo4j
mkdir -p data import log metrics plugins certificates/bolt/trusted certificates/https/trusted
find .
/neo4j folder structure

And you can already put the certificates in place:

cp /home/ec2-user/private.key /neo4j/certificates/bolt/neo4j.key
cp /home/ec2-user/private.key /neo4j/certificates/https/neo4j.key
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/bolt/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/bolt/trusted/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/https/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.cert /neo4j/certificates/https/trusted/neo4j.cert
cp /home/ec2-user/apollo.yourdomain.io.jks /neo4j/certificates

Yes, Neo4j is going also going to need both the nginx version of the certificates and the java keystore version. This looks a bit weird but this is due to the single server setup. If multiple servers were in play you would notice that the java keystore certificate is that of the SSO broker.

Time to install Neo4j:

# execute these commands one by one
sudo rpm --import https://debian.neo4j.com/neotechnology.gpg.key
sudo tee -a /etc/yum.repos.d/neo4j.repo <<EOF
[neo4j]
name=Neo4j RPM Repository
baseurl=https://yum.neo4j.com/stable
enabled=1
gpgcheck=1
EOF
sudo amazon-linux-extras enable java-openjdk11
sudo NEO4J_ACCEPT_LICENSE_AGREEMENT=yes yum install neo4j-enterprise-4.4.2 -y

Configuration

The installation created a neo4j user and group so change the ownership of the /neo4j mountpoint.

sudo chown -R neo4j:neo4j /neo4j

All of the following is in /etc/neo4j/neo4j.conf and needs to happen before the database is started. I’m splitting it up in four parts. First — obviously — location, location, location:

dbms.directories.data=/neo4j/data
dbms.directories.plugins=/neo4j/plugins
dbms.directories.logs=/neo4j/log
dbms.directories.metrics=/neo4j/metrics
dbms.directories.import=/neo4j/import

Second is some basic things you want in every Neo4j configuration (adapted to your machine of course)

# BASICS
metrics.enabled=true
metrics.csv.enabled=false
metrics.prometheus.enabled=false
metrics.graphite.enabled=false
metrics.jmx.enabled=true
#dbms.logs.query.enabled=off
dbms.security.procedures.unrestricted=apoc.*,gds.*
dbms.default_listen_address=0.0.0.0
dbms.memory.heap.initial_size=2g
dbms.memory.heap.max_size=2g
dbms.memory.pagecache.size=1g
dbms.memory.transaction.global_max_size=2000m
dbms.tx_log.rotation.retention_policy=1G size
dbms.db.timezone=SYSTEM
dbms.logs.user.stdout_enabled=false

Third on the list … the certificate setup for Neo4j itself

# HTTPS + BOLT over SSL
dbms.default_listen_address=0.0.0.0
dbms.default_advertised_address=apollo.yourdomain.io
dbms.connector.http.enabled=false
dbms.connector.https.enabled=true
dbms.connector.bolt.tls_level=OPTIONAL
dbms.ssl.policy.bolt.enabled=true
dbms.ssl.policy.bolt.private_key=/neo4j/certificates/bolt/neo4j.key
dbms.ssl.policy.bolt.public_certificate=/neo4j/certificates/bolt/neo4j.cert
dbms.ssl.policy.bolt.client_auth=NONE
dbms.ssl.policy.bolt.base_directory=/neo4j/certificates/bolt
dbms.ssl.policy.https.enabled=true
dbms.ssl.policy.https.client_auth=NONE
dbms.ssl.policy.https.private_key=/neo4j/certificates/https/neo4j.key
dbms.ssl.policy.https.public_certificate=/neo4j/certificates/https/neo4j.cert
dbms.ssl.policy.https.base_directory=/neo4j/certificates/https

And then finally … the link to Gravitee for the SSO

# SSO
dbms.security.authorization_providers=oidc-neo4jgravitee,native
dbms.security.authentication_providers=oidc-neo4jgravitee,native
dbms.security.oidc.neo4jgravitee.display_name=Gravitee
dbms.security.oidc.neo4jgravitee.redirect_uri=https://apollo.yourdomain.io:7473/browser?idp_id=neo4jgravitee&auth_flow_step=redirect_uri
dbms.security.oidc.neo4jgravitee.params=client_id=neo4jgravitee;response_type=code;scope=profile openid email groups
# access_token instead of id_token here as we're using the userinfo
dbms.security.oidc.neo4jgravitee.config=principal=unique_name;code_challenge_method=S256;token_type_principal=id_token;token_type_authentication=access_token
dbms.security.oidc.neo4jgravitee.well_known_discovery_uri=https://apollo.yourdomain.io:8092/neo4jssodomain/oidc/.well-known/openid-configuration
dbms.security.oidc.neo4jgravitee.audience=neo4jgravitee
dbms.security.oidc.neo4jgravitee.claims.username=email
dbms.security.oidc.neo4jgravitee.claims.groups=groups
dbms.security.oidc.neo4jgravitee.get_username_from_user_info=true
dbms.security.oidc.neo4jgravitee.get_groups_from_user_info=true
# SSO - Certificates for Gravitee Server
dbms.jvm.additional=-Djavax.net.ssl.keyStore=/neo4j/certificates/apollo.yourdomain.io.jks
dbms.jvm.additional=-Djavax.net.ssl.keyStorePassword=notverysecure
dbms.jvm.additional=-Djavax.net.ssl.trustStore=/neo4j/certificates/apollo.yourdomain.io.jks
dbms.jvm.additional=-Djavax.net.ssl.trustStorePassword=notverysecure

Fingers crossed

If all is well, in just a minute you’ll be able to log on as Neo4j administrator with the user you created in Gravitee. All that remains is to start the database:

sudo systemctl enable neo4j
sudo systemctl start neo4j
tail -f /neo4j/log/neo4j.log
Neo4j starting up …

It’s already a good sign if Neo4j comes up cleanly. If it doesn’t, you should get some indication of where the issue is (I descended into certificate hell a few times myself). After you get the Started, open a web browser and access https://apollo.yourdomain.io:7473

There’s an SSO option and it should say Gravitee

What does one do when one sees a big blue button that says Gravitee? You press it (make sure you are strapped in if you would happen to be on the ISS)!

first sign in

Obviously even SSO requires you to log in now and then … so here is where you enter the credentials you created in Gravitee before. Then press SIGN IN.

permissions

The suspense is almost unbearable (at least for me it was) but this too is a logical step. Do you want the identity provider to share this information with the broker and the database. ACCEPT.

SUCCESS!

And … it worked. I blurred a couple of elements in that image for security reasons, but notice that I am logged on and have the admin role.

Enjoy!

Thoughts

There are quite a few roads to take from here. I intend to explore how to use an identity provider such as Google. Deeper exploration of the concepts is also on my todo list. As is the use of containers (always fun with certificates). And so on …

--

--

Tom Geudens

At the age of 15, Tom Geudens’ parents gave him a choice. Either become a baker or go into IT. He went into IT …