Azure Secure Deploy SSL

How do we inject an SSL cert with the standalone version (and the Standalone bash script shown here)?

I've done this in the past using Azure Key Vault with an Ubuntu VM and NGINX. But I dont know what kind of web server is hosting the Azure Neo4j Enterprise Standalone verson.

  1. What are the web server details
  2. How do we inject the SSL?

Thanks

This article covers how to set up SSL simply with Neo4j using LetsEncrypt certificates.

If you have other certificates already, then you'll need to follow the Neo4j docs, which are here:

https://neo4j.com/docs/operations-manual/current/security/ssl-framework/#ssl-configuration

Basically, you have to automate the placement of the key & cert files into a particular directory, and then write content into the /etc/neo4j/neo4j.template file (assuming you're using the Azure VM image) to refer to those.

Thanks for the prompt response Mr. Allen. Here is a first stab at putting a script together for self-signed SSL certs using Azure Key Vault (my preferred method). Perhaps you or someone in the forums could look this over and provide advice / insights on where to improve.

I'm specifically stuck on how to get the neo4j.template information into the file during deployment.

Fairly certain I need to use --custom-data, but unsure how to do this.

Sample script

#!/bin/bash

# Enter variables below.
# Change script file to executable. Run (on Linux) with ./AzureServiceScriptName.sh > AzureServiceSetupLog.txt

export SUBSCRIPTION=mySubscriptionID

# Deployment information
export LOCATION=westus
export RESOURCE_GROUP_NAME=neo4jj-rg

# Network information
export NETWORK_SEC_GROUP=neo4jj-nsg
export IP_ADDRESS_TYPE=static
export SOURCE_IP_ADDRESS=my.ip.address.here/32

# VM information
export SVC_PUBLISHER=neo4j
export SVC_OFFER=neo4j-enterprise-3_5
export SVC_SKU=neo4j_3_5_5_apoc
export SVC_VERSION=latest
export VM_NAME=neo4jj-vm
export VM_SIZE=Standard_A2m_v2
export VM_IMAGE=$SVC_PUBLISHER:$SVC_OFFER:$SVC_SKU:$SVC_VERSION

# UN PW's
export VM_ADMIN_USERNAME=myAdminUN
export VM_ADMIN_PASSWORD=myAdminPW
export SVC_PASSWORD=myAdminPW

# Keyvault SSL information
export KEYVAULT_NAME=neo4jKeyvault
export SSL_CERT_NAME=neo4jSSL

# Create a resource group
az group create \
	--name $RESOURCE_GROUP_NAME \
	--location $LOCATION

# Create a network security group
az network nsg create \
   --resource-group $RESOURCE_GROUP_NAME \
   --location $LOCATION \
   --name $NETWORK_SEC_GROUP 

# Assign NSG rules to allow inbound traffic on Neo4j ports

prio=1000

for port in 7473 7474 7687; 

do
	az network nsg rule create \
    --resource-group $RESOURCE_GROUP_NAME \
    --nsg-name "$NETWORK_SEC_GROUP" \
		--source-address-prefixes $SOURCE_IP_ADDRESS \
    --name neo4j-allow-$port \
    --protocol tcp \
    --priority $prio \
    --destination-port-range $port
  prio=$(($prio+1))
done

# Create a keyvault in the resource group
keyvault_name=$KEYVAULT_NAME \
az keyvault create \
    --resource-group $RESOURCE_GROUP_NAME \
    --name $KEYVAULT_NAME \
    --enabled-for-deployment

# Create an SSL cert in the keyvault (takes a few mins to generate)
az keyvault certificate create \
    --vault-name $KEYVAULT_NAME \
    --name $SSL_CERT_NAME \
    --policy "$(az keyvault certificate get-default-policy)"

# Prepare the SSL cert for use in the VM
secret=$(az keyvault secret list-versions \
    --vault-name $KEYVAULT_NAME \
    --name $SSL_CERT_NAME \
    --query "[?attributes.enabled].id" --output tsv)
VM_SECRET=$(az vm secret format --secrets "$SECRET")

# Create a `neo4j.template` file in the current directory with the following content
touch neo4j.template
cat > neo4j.template <<EOF
    dbms.connectors.default_listen_address=0.0.0.0
		dbms.connectors.default_advertised_address=your.domain.com
		bolt.ssl_policy=default
		dbms.ssl.policy.default.base_directory=/var/lib/neo4j/certificates
		dbms.ssl.policy.default.allow_key_generation=false
		dbms.ssl.policy.default.private_key=/var/lib/neo4j/certificates/neo4j.key
		dbms.ssl.policy.default.public_certificate=/var/lib/neo4j/certificates/neo4j.cert
		dbms.ssl.policy.default.revoked_dir=/var/lib/neo4j/certificates/revoked
		dbms.ssl.policy.default.client_auth=NONE
EOF

# Create the actual VM and inject the SSL cert
az vm create \
--resource-group $RESOURCE_GROUP_NAME \
--name $VM_NAME \
--image $VM_IMAGE \
--vnet-name $VM_NAME-vnet \
--subnet $VM_NAME-subnet \
--admin-username $VM_ADMIN_USERNAME \
--public-ip-address-allocation $IP_ADDRESS_TYPE \
--size $VM_SIZE \
--generate-ssh-keys \
--custom-data neo4j.template \
--secrets "$VM_SECRET"

# Use default assigned NIC name

az network nic update \
  --resource-group "$RESOURCE_GROUP_NAME" \
  --name "${VM_NAME}VMNic" \
  --network-security-group "$NETWORK_SEC_GROUP"

# Open port 443 of the VM
az vm open-port \
--resource-group $RESOURCE_GROUP_NAME \
--name $VM_NAME \
--priority 900 \
--port 443

# Open port 22 of the VM
az vm open-port \
--resource-group $RESOURCE_GROUP_NAME \
--name $VM_NAME \
--priority 901 \
--port 22

If you're not familiar with Azure, this is going to take some learning curve because what you're trying to do here is fairly advanced, but I can give you the sketch of what needs to happen.

First -- make sure that you have read this entire documentation page. The rest of what I'm going to say won't make sense without it. In particular take note of the systemctl bits, and make sure you understand what neo4j.template is and what it's doing. https://neo4j.com/developer/neo4j-cloud-vms/

Second -- the rough approach that you should use is like this:

  1. Start the VM just as you have it above, without modifications
  2. Wait until the VM is live
  3. Use az vm run-command (documented here: https://docs.microsoft.com/en-us/cli/azure/vm/run-command?view=azure-cli-latest) to run a shell script that you wrote.
  4. That shell script (which you need to write) should use tools like sed to do the edits that you need to /etc/neo4j/neo4j.template, and at the very end of the script when your edits are done, execute systemctl restart neo4j to restart neo4j.

Using az vm run-command you can do whatever you want with the VM after the fact, so this is probably how I would approach it, and the result will be automate-able.

2 Likes

Hi David,

Do you have a default neo4j.template file handy?

It's baked into the Azure image itself. Just launch a test image stand-alone in any configuration, and copy the file right out of the image.

1 Like