Securing an AnzoGraph 2.5 Environment

This topic lists the recommended procedures to follow to strengthen the security of AnzoGraph 2.5 environments.

Set up Firewall Rules

In order to protect the environment from malicious systems and prevent man-in-the-middle attacks or leaking of data source credentials, firewall rules should be configured for the AnzoGraph cluster network. Rules should allow outbound connections only to trusted data sources and services. For information about the ports that need to be opened for inbound and outbound connections to support normal operations, see Firewall Requirements.

Replace the Default Self-Signed Certificates with Trusted Certificates

AnzoGraph installations include self-signed certificates, serv.crt and ca.crt, and private and public keys, serv.keyserv.pub.key, in the <install_path>/config and <install_path>/etc directories. The certificates and keys are required for encrypted communication over gRPC protocol. You can follow the steps below to replace the default certificates and keys with your own trusted files.

Your certificates must meet the following requirements:

  • All servers in the cluster must use the same certificates and keys.
  • The DNS in the certificates must be localhost.
  • Your certificates and keys must use the same file names as the default files that you are replacing.
  • The public key should be generated from the new private key.

The private and public keys are used to encrypt and decrypt the system manager password. If you replace the keys and have enabled (or plan to enable) system manager authentication (as described in Enable System Manager Authentication below), you must also generate a new azgmgrd password and re-authenticate azgmgrd as described in Change the System Manager Password.

  1. On the leader server, run the following commands to stop the database and the system manager, azgmgrd:
    sudo systemctl stop anzograph
    sudo systemctl stop azgmgrd
  2. On the leader server, open the <install_path>/config/settings.conf file for editing.
  3. Uncomment the use_custom_ssl_files=false line and change the value to true.
  4. Save and close settings.conf.
  5. On each server in the cluster, replace the serv.crt, ca.crt, serv.key, and serv.pub.key files in the <install_path>/config directory with your files. Make sure that the new files have the same file names as the default files.

    Anzo also needs to trust the new certificates. Make sure you have Trust All TLS Certificates enabled on the AnzoGraph connection or make sure Anzo's trust store has either the certificate for the CA that signed the certificate or the certificate itself. See Adding a Certificate to the Trust Store for instructions.

  6. Remove the serv.crt, ca.crt, serv.key, and serv.pub.key files from the <install_path>/etc directory.
  7. If system manager authentication is enabled or you plan to enable it (as described in Enable System Manager Authentication below), do not restart AnzoGraph at this time. Proceed to Change the System Manager Password and complete that task before starting AnzoGraph.

    If system manager authentication is not enabled and you do not plan to enable it, you can restart AnzoGraph with the following commands. Run the first command on all servers in the cluster. Then run the second command on the leader server:

    sudo systemctl start azgmgrd
    sudo systemctl start anzograph

Enable System Manager Authentication

By default, communication is encrypted but not authenticated between the system managers (azgmgrd) in a cluster and between the system managers and the database (when azgctl commands like azgctl -start or azgctl -xray are run). If you want to enable authentication in addition to encryption, follow the steps below.

  1. If AnzoGraph is running, run the following commands on the leader server to stop the database and the system manager, azgmgrd:
    sudo systemctl stop anzograph
    sudo systemctl stop azgmgrd
  2. On the leader server, open the <install_path>/config/settings.conf file for editing.
  3. Uncomment the azgmgrd_client_auth=false line and change the value to true.

    When azgmgrd client authentication is enabled, the username and password that azgmgrd uses is the “AnzoGraph DB Admin user” and “AnzoGraph DB Admin password” that was created when AnzoGraph was installed. If you want to change the password, you can follow the instructions in Change the System Manager Password. It is not possible to change the username.

  4. Save and close settings.conf.
  5. In order to authenticate the system manager with the database process, AnzoGraph needs to be started and stopped once using the azgctl system management commands. Follow the steps below to start AnzoGraph, authenticate azgmgrd, and then stop AnzoGraph:
    1. Run the following command to start the system management daemon, azgmgrd. On a cluster, run this command on each of the servers in the cluster:
      ./<install_path>/bin/azgmgrd

      For example:

      ./opt/cambridgesemantics/anzograph/bin/azgmgrd
    2. On the leader server, run the following command to start the database and display the prompts for the azgmgrd credentials:
      ./<install_path>/bin/azgctl -start

      For example:

      ./opt/cambridgesemantics/anzograph/bin/azgctl -start

      You are prompted to enter the azgmgrd user name:

      Starting AnzoGraph...
      Enter user name:
    3. At the prompt, specify the name for the user that you created during the AnzoGraph installation. If you accepted the default value when prompted, it is admin. After typing the user name, press Enter to continue. You are prompted to specify the password for azgmgrd:
      Enter password:
    4. Specify the password that you created during the installation and press Enter. The database resumes startup:
      Starting AnzoGraph...
    5. Once startup is complete, the authentication must be completed by stopping the database and system management daemon. Run the following two commands to stop the database and daemon:
      ./<install_path>/bin/azgctl -stop
      ./<install_path>/bin/azgctl -stopdaemon

      For example:

      ./opt/cambridgesemantics/anzograph/bin/azgctl -stop
      ./opt/cambridgesemantics/anzograph/bin/azgctl -stopdaemon
  6. You can now restart the AnzoGraph services. Run the first command on all servers in the cluster. Then run the second command on the leader server:
    sudo systemctl start azgmgrd
    sudo systemctl start anzograph

Change the System Manager Password

When system manager (azgmgrd) client authentication is enabled, the username and password that the manager uses is the “AnzoGraph DB Admin user” and “AnzoGraph DB Admin password” that was created when AnzoGraph was installed. If you want to change the password that azgmgrd uses, follow the instructions below. It is not possible to change the azgmgrd username.

  1. If AnzoGraph is running, run the following commands on the leader server to stop the database and azgmgrd:
    sudo systemctl stop anzograph
    sudo systemctl stop azgmgrd
  2. On the leader server, run the following command to create a new password and return an encrypted string:
    ./<install_path>/bin/azgpasswd -e <new_password>

    For example:

    ./opt/cambridgesemantics/anzograph/bin/azgpasswd -e 123

    Some special characters, such as $ and *, are treated as parameters in bash. When typing the password, avoid special characters. For more information, see Quoting in the Bash Reference Manual.

    The command returns a string such as the one below (shortened for readability):

    encrypt:Rs47UhKIbOYASqeO0EM/bSizVXsL9wCorE22XZWpaTEuhdfcR/av+H+eE1gFeCxbgyFETA49paaVsvEzGLb
    jXTUkJCPOTLfk8yIbQROElL5jsUBM0qsaoGbO8Q1guTO//gfp3eKoNy6N8GyEdqjFW3cQEVQq9kjRrxQn6PGizzTKz4+1
    /QbP2CTJAnktQFm7Wlwf0kXdooJNyanZ7UTzuDoMEoSa3typWi6xblEpSY9QuZ6T6XtCsb8S76duPuaLDemtpI4I+0uI=
  3. Copy the encrypted string that was returned. Include the encrypt: text at the start of the value.
  4. Open the <install_path>/config/settings.conf file for editing.
  5. Locate the azgmgrd_password setting and replace the existing value with the string that you copied. Include the encrypt: in the value. For example:
    azgmgrd_password=Rs47UhKIbOYASqeO0EM/bSizVXsL9wCorE22XZWpaTEuhdfcR/av+H+eE1gFeCxbgyFETA49
    paaVsvEzGLbjXTUkJCPOTLfk8yIbQROElL5jsUBM0qsaoGbO8Q1guTO//gfp3eKoNy6N8GyEdqjFW3cQEVQq9kjRrxQn
    6PGizzTKz4+1/QbP2CTJAnktQFm7Wlwf0kXdooJNyanZ7UTzuDoMEoSa3typWi6xblEpSY9QuZ6T6XtCsb8S76duPuaL
    DemtpI4I+0uI=
  6. Save and close settings.conf.
  7. The system manager needs to be re-authenticated with the new password. To authenticate, AnzoGraph needs to be started and stopped once using the azgctl system management commands. Follow the steps below to start AnzoGraph, authenticate azgmgrd, and then stop AnzoGraph:
    1. Run the following command to start the system management daemon, azgmgrd. On a cluster, run this command on each of the servers in the cluster:
      ./<install_path>/bin/azgmgrd

      For example:

      ./opt/cambridgesemantics/anzograph/bin/azgmgrd
    2. On the leader server, run the following command to start the database and display the prompts for the azgmgrd credentials:
      ./<install_path>/bin/azgctl -start

      For example:

      ./opt/cambridgesemantics/anzograph/bin/azgctl -start

      You are prompted to enter the azgmgrd user name:

      Starting AnzoGraph...
      Enter user name:
    3. At the prompt, specify the name for the user that you created during the AnzoGraph installation. If you accepted the default value when prompted, it is admin. After typing the user name, press Enter to continue. You are prompted to specify the password for azgmgrd:
      Enter password:
    4. Specify the password that you created in Step 2 and press Enter. The database resumes startup:
      Starting AnzoGraph...
    5. Once startup is complete, the authentication must be completed by stopping the database and system management daemon. Run the following two commands to stop the database and daemon:
      ./<install_path>/bin/azgctl -stop
      ./<install_path>/bin/azgctl -stopdaemon

      For example:

      ./opt/cambridgesemantics/anzograph/bin/azgctl -stop
      ./opt/cambridgesemantics/anzograph/bin/azgctl -stopdaemon
  8. You can now restart the AnzoGraph services. Run the first command on all servers in the cluster. Then run the second command on the leader server:
    sudo systemctl start azgmgrd
    sudo systemctl start anzograph

Configure File Access Policies

AnzoGraph Version 2.5.6 and later offers configuration options for ensuring that only certain files or directories on the server are accessible during the execution of a query. These configuration settings specify patterns that are used to determine whether a directory or file is accessible. When AnzoGraph receives a request that includes a path to a file or directory, it checks that path against the allowed and denied access patterns. If the specified file or directory matches one of the allowed access patterns and it is not matched to a deny pattern, the query is executed. If the specified path is matched to a denied pattern or is not matched to any of the allowed patterns, the query is aborted and AnzoGraph returns an access denied error message. For details and configuration instructions, see Managing AnzoGraph File Access Policies.