Securing an AnzoGraph DB Environment

This topic lists the recommended procedures to follow to strengthen the security of AnzoGraph DB environments.

Set Up Firewall Rules
Replace the Default Self-Signed Certificates with Trusted Certificates
Configure File Access Policies

Set Up Firewall Rules

In order to protect the environment from malicious systems and prevent man-in-the-middle attacks or leaking of data source credentials, firewall rules should be configured for the AnzoGraph DB cluster network. Rules should allow outbound connections only to trusted data sources and services. For information about the ports that need to be opened for inbound and outbound connections to support normal operations, see Firewall Requirements.

Replace the Default Self-Signed Certificates with Trusted Certificates

AnzoGraph DB installations include self-signed certificates, serv.crt and ca.crt, and private and public keys, serv.keyserv.pub.key, in the <install_path>/config directory. The certificates and keys are required for encrypted communication over gRPC protocol. You can follow the steps below to replace the default certificates and keys with your own trusted files.

Your certificates must meet the following requirements:

All servers in the cluster must use the same certificates and keys.
The DNS in the certificates must be localhost.
Your certificates and keys must use the same file names as the default files that you are replacing.
The public key should be generated from the new private key.

The private and public keys are used to encrypt and decrypt the system manager password. If you replace the keys and have enabled (or plan to enable) system manager authentication (as described in Securing an AnzoGraph DB Environment below), you must also generate a new azgmgrd password and re-authenticate azgmgrd as described in Securing an AnzoGraph DB Environment.

On the leader server, run the following commands to stop the database and the system manager, azgmgrd:
```
sudo systemctl stop anzograph
```
```
sudo systemctl stop azgmgrd
```
On the leader server, open the <install_path>/config/settings.conf file for editing.
Uncomment the use_custom_ssl_files=false line and change the value to true.
Save and close settings.conf.
On each server in the cluster, replace the serv.crt, ca.crt, serv.key, and serv.pub.key files in the <install_path>/config directory with your files. Make sure that the new files have the same file names as the default files.
Restart AnzoGraph DB with the following commands. Run the first command on all servers in the cluster. Then run the second command on the leader server:
```
sudo systemctl start azgmgrd
```
```
sudo systemctl start anzograph
```

Configure File Access Policies

AnzoGraph DB offers configuration options for ensuring that only certain files or directories on the server are accessible during the execution of a query. These configuration settings specify patterns that are used to determine whether a directory or file is accessible. When AnzoGraph DB receives a request that includes a path to a file or directory, it checks that path against the allowed and denied access patterns. If the specified file or directory matches one of the allowed access patterns and it is not matched to a deny pattern, the query is executed. If the specified path is matched to a denied pattern or is not matched to any of the allowed patterns, the query is aborted and AnzoGraph DB returns an access denied error message. For details and configuration instructions, see Manage File Access Policies.