# Encrypting Connections

TigerGraph supports secure data-in-flight communication, using SSL/TLS encryption protocol. This applies to any outward-facing channel, including GSQL clients, RESTPP endpoints, and the GraphStudio web interface. When SSL/TLS is enabled, HTTPS takes the place of HTTP for RESTPP and GraphStudio connections.

## Prerequisites

You should have a basic understanding of how SSL works, in particular:

1. What the SSL certificate and key are used for

2. That an SSL certificate is bound to a domain

3. How an SSL certificate chain works

A good primer on SSL is available in Apache’s *SSL/TLS Strong Encryption: An Introduction*.

## Nginx-Based

TigerGraph uses the Nginx web server, so SSL configuration makes use of some built-in support in Nginx.

## Step 1. Obtain an SSL Certificate

The two main options for obtaining an SSL Certificate are to generate your own self-signed certificate or to purchase a certificate from a trusted Certificate Authority. Regardless of which method you choose, your certificate should be chained to a trusted root certificate embedded in your browser. The options and details for producing a trusted SSL certificate are beyond the scope of this document. The focus of this document is how to configure your TigerGraph system to use the certificate to enable SSL.

### Option 1: Using a Certificate From A Trusted Agent

First, obtain an SSL certificate from a trusted agent of your choice. Certificate vendors will provide clear instructions for ordering a certificate and then for installing it on your system.

Then configure TigerGraph to use the certificate with `gadmin config entry ssl`, as described in Step 2.

### Option 2: Create a Self-Signed Certificate

There are multiple ways to create a self-signed certificate. One example is shown below.

For simplicity, the method below will use the root certificate directly as the HTTPS server certificate. This method is satisfactory for testing but should not be used for a production system.

In the example below, the Common Name value should be your server hostname, since HTTPS certificates are bound to domain names.

Self-signed certificate generation example using openssl:
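As an added example (these are not the TigerGraph documentation's own commands), the shell functions below generate the key and PEM certificate with openssl, setting the Common Name to the server hostname as required, and add the checks worth running before the paths go into `gadmin`: that the file is PEM-encoded (the Step 2 note), a DER-to-PEM conversion, and the same chain verification that `curl --cacert` performs. They assume the openssl CLI is installed; the output file names follow the page's `nginx-selfsigned.crt`, and the config-file section names are the example's own.

```sh
# Added example (not TigerGraph's code); assumes the openssl CLI is installed.

# make_selfsigned HOST OUTDIR: write OUTDIR/nginx-selfsigned.{key,crt} (PEM).
# CN is HOST as the docs require; a matching subjectAltName is added because
# browsers ignore the CN, and CA:TRUE mirrors the docs' root-as-server shortcut.
make_selfsigned() {
    ss_host=$1; ss_dir=$2
    cat > "$ss_dir/selfsigned.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext
[dn]
CN = $ss_host
[ext]
basicConstraints = CA:TRUE
subjectAltName = DNS:$ss_host
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$ss_dir/selfsigned.cnf" \
        -keyout "$ss_dir/nginx-selfsigned.key" \
        -out "$ss_dir/nginx-selfsigned.crt" 2>/dev/null
}

# is_pem FILE: succeed if FILE is PEM-encoded, the only encoding
# Nginx.SSL.Cert accepts; a DER file fails this check.
is_pem() {
    grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# der_to_pem IN OUT: convert a DER certificate to PEM before configuring it.
der_to_pem() {
    openssl x509 -inform DER -in "$1" -outform PEM -out "$2"
}

# cert_cn FILE: print the subject Common Name; it must match the host
# you put in the HTTPS URL or clients report a name mismatch.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# verify_chain CA FILE: succeed if FILE chains to CA, which is what
# `curl --cacert CA` checks. For a self-signed certificate both are the same file.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `make_selfsigned "$(hostname)" /home/tigergraph` and pass the resulting key and certificate paths to `gadmin config entry ssl`; when testing with curl, the host in the URL has to match the Common Name, so use the hostname rather than `localhost`.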

## Step 2: Configure SSL with `gadmin`

With the certificate generated (or obtained from a CA), configure it with `gadmin` so that all HTTP traffic is protected with SSL.

TigerGraph’s SSL only accepts PEM-encoded certificates. If you have a certificate encoded in another format (e.g., DER), you need to convert it to a PEM-encoded certificate first.
Run `gadmin config entry ssl` and answer the prompts. For the key and certificate, the `@` prefix tells `gadmin` to read the value from the file at the given path:

```
$ gadmin config entry ssl
Nginx.SSL.Enable [ false ]: Enable SSL connection for all HTTP requests
New: true
Nginx.SSL.Key [ <masked> ]: Private key for SSL
New: @privateKey_file_path
Nginx.SSL.Cert [ <masked> ]: Public certificate for SSL
New: @ssl_cert_path
Nginx.ProxySSLVerify [ false ]: Enable verification of the proxied HTTPS server certificate. Recommend to turn on.
New: true
```

The `Nginx.ProxySSLVerify` setting was removed in v3.1.1.

After saving the settings, apply the configuration change:

```
$ gadmin config apply -y
[   Info] Successfully applied configuration change. Please restart services to make it effective immediately.
```

Then restart the following services: `gsql`, `nginx`, `ts3`, and `gui`.

```
$ gadmin restart gsql nginx gui ts3 -y
```

To test the connection, call the Nginx port with curl. Without the certificate, verification fails because the self-signed certificate is not in the system CA bundle:

```
$ curl https://localhost:14240
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.
```

In v1.2, the default TCP/IP port for Nginx changed from 44240 to 14240, to avoid possible port conflicts with Zookeeper.

You may use the `-k` option to turn off verification, but it is unsafe and not recommended. To successfully make requests with curl, specify the certificate with the `--cacert` parameter:

```
$ curl --cacert /home/tigergraph/nginx-selfsigned.crt https://localhost:14240
```