Configuring SSL/TLS encryption for secure data-in-flight communication.
Network Security
TigerGraph supports SSL/TLS encryption for all outward-facing communication channels, including GSQL clients, RESTPP endpoints, and the GraphStudio UI.
1. Enabling SSL/TLS
SSL configuration is managed via gadmin and uses an internal Nginx reverse proxy.
Step 1: Provide Certificates
You need a PEM-encoded certificate and a private key.
```bash
# Set file permissions (required: 600 or stricter)
chmod 600 ~/my_cert.crt ~/my_key.key
```
Step 2: Configure via gadmin
```bash
gadmin config set Nginx.SSL.Enable true
gadmin config set Nginx.SSL.Cert @/path/to/my_cert.crt
gadmin config set Nginx.SSL.Key @/path/to/my_key.key
# Apply and restart
gadmin config apply -y
gadmin restart nginx gsql gui -y
```
2. TLS Versions & Ciphers
TigerGraph supports TLS 1.2 and TLS 1.3. By default, it uses modern cipher suites such as AES-256-GCM and CHACHA20-POLY1305.
Customizing Protocols
To restrict the system to TLS 1.3 only for maximum security:
- Export the template:
  ```bash
  gadmin config get Nginx.ConfigTemplate > nginx.cfg
  ```
- Update the ssl_protocols line to:
  ```
  ssl_protocols TLSv1.3;
  ```
- Re-import:
  ```bash
  gadmin config set Nginx.ConfigTemplate @nginx.cfg
  ```
- Apply and restart Nginx.
3. Testing the Connection
Once enabled, HTTP ports (such as 14240 for GraphStudio) will require HTTPS.
Using Curl
If using a self-signed certificate, you must provide the CA file or use -k (not recommended for production):
```bash
curl --cacert my_cert.crt https://localhost:14240
```
Verification
Use openssl to verify the negotiated protocol and cipher at runtime:
```bash
openssl s_client -connect localhost:14240 -tls1_3
```
[!CAUTION] Changes to the Nginx.ConfigTemplate are not automatically persisted across TigerGraph version upgrades. You must re-apply customizations after an upgrade.
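The following pre-flight and post-restart checks tie sections 1 to 3 together: they verify the key-file permissions and the certificate/key pairing before the gadmin commands are run, rewrite the ssl_protocols directive in an exported template, and read back the negotiated protocol and cipher afterwards. This is an added example, not TigerGraph's own tooling; it assumes openssl is on PATH and that the template contains a single ssl_protocols line.

```bash
#!/usr/bin/env bash
# Added example (not part of TigerGraph): helper checks around the SSL/TLS steps above.

# Return 0 only if the file exists and grants no group/other permission (600 or stricter).
check_key_perms() {
  local f="$1"
  [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
  # `find -perm /077` prints the path if ANY group or other bit is set.
  if [ -n "$(find "$f" -perm /077 -print 2>/dev/null)" ]; then
    echo "$f: permissions too open (need 600 or stricter)" >&2
    return 1
  fi
}

# Return 0 only if the PEM certificate's public key matches the private key.
# Usage: check_cert_key_match my_cert.crt my_key.key
check_cert_key_match() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }
}

# Rewrite the ssl_protocols directive of an exported Nginx template to TLS 1.3 only,
# preserving indentation; prints the modified template to stdout.
# Usage: restrict_tls13 nginx.cfg > nginx.tls13.cfg
restrict_tls13() {
  sed -E 's/^([[:space:]]*)ssl_protocols[[:space:]].*;/\1ssl_protocols TLSv1.3;/' "$1"
}

# After `gadmin restart nginx ...`, show what the server actually negotiates.
# With the TLS-1.3-only template, forcing -tls1_2 must fail to produce a session.
show_negotiated() {
  local target="${1:-localhost:14240}"
  for v in -tls1_3 -tls1_2; do
    echo "== $v"
    openssl s_client -connect "$target" "$v" </dev/null 2>/dev/null \
      | grep -E '^[[:space:]]*(Protocol|Cipher)[[:space:]]*:' || echo "   (no session negotiated)"
  done
}
```

Source the file and run the checks in order: check_key_perms and check_cert_key_match before Step 2, restrict_tls13 between the export and re-import in section 2, and show_negotiated once Nginx is back up.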