update the ssl config for backup

renetapopova · renetapopova · commit 415a36c36529 · 2025-10-28T10:55:21.000Z
diff --git a/modules/ROOT/pages/backup-restore/online-backup.adoc b/modules/ROOT/pages/backup-restore/online-backup.adoc
@@ -315,12 +315,39 @@ The SSL configuration policy has the key of `dbms.ssl.policy.backup`.
 
 As an example, add the following content to your _neo4j.conf_ and _neo4j-admin.conf_ files:
 
+.Server configuration in _neo4j.conf_
 [source, properties]
 ----
+server.backup.listen_address=0.0.0.0:6362
 dbms.ssl.policy.backup.enabled=true
-dbms.ssl.policy.backup.tls_versions=TLSv1.2
-dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+dbms.ssl.policy.backup.base_directory=certificates/backup
+dbms.ssl.policy.backup.private_key=private.key
+dbms.ssl.policy.backup.public_certificate=public.crt
 dbms.ssl.policy.backup.client_auth=REQUIRE
+dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
+# dbms.ssl.policy.backup.tls_versions=TLSv1.2
+dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+# dbms.ssl.policy.backup.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
+# dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+# dbms.netty.ssl.provider=OPENSSL
+dbms.netty.ssl.provider=JDK
+----
+
+.Client configuration in _neo4j-admin.conf_
+[source, properties]
+----
+# Enable SSL backup
+dbms.ssl.policy.backup.enabled=true
+# dbms.ssl.policy.backup.base_directory=certificates/backup
+dbms.ssl.policy.backup.private_key=/path/to/certificates/backup/private.key
+dbms.ssl.policy.backup.public_certificate=/path/to/certificates/backup/public.crt
+dbms.ssl.policy.backup.client_auth=REQUIRE
+dbms.ssl.policy.backup.tls_versions=TLSv1.2,TLSv1.3
+# dbms.ssl.policy.backup.tls_versions=TLSv1.2
+dbms.ssl.policy.backup.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
+# dbms.netty.ssl.provider=OPENSSL
+dbms.netty.ssl.provider=JDK
+server.jvm.additional=-Djavax.net.ssl.trustStore=/path/to/certificates/backup/trusted/
 ----
 
 [TIP]
diff --git a/modules/ROOT/pages/security/ssl-framework.adoc b/modules/ROOT/pages/security/ssl-framework.adoc
@@ -928,7 +928,7 @@ The owner/group should be configured to the user/group that will be running the
 Default user/group is neo4j/neo4j.
 ====
 
-. Set the backup SSL configuration in _neo4j.conf_.
+. Set the backup SSL configuration in both _neo4j.conf_ and _neo4j-admin.conf_.
 .. Set the backup SSL policy to `true`:
 +
 [source, properties]
@@ -1162,7 +1162,7 @@ This means that while new connections will use new certificates, the existing co
 Even if a certificate expires, active connections remain unaffected because the certificates are only used during the initial connection handshake.
 
 . Verify that the intra-cluster communication is still encrypted using external tooling, such as Nmap, described in <<ssl-cluster-config, Configuring SSL for intra-cluster communications>>.
- 
+
 
 [[ssl-terminology]]
 == Terminology
