Configuring a Neo4j Cluster

For this part, we refer you to Chapter 5 "Clustering" of the PDF documentation (or online). Section 5.3 is the practical part of the chapter.

Before continuing, it is strongly recommended that you read and understand the previous section on Setting up a single Neo4j database, because most settings are common.


Before starting

Shut down each Neo4j server before making any changes. Depending on the type of installation, you must execute the command:

Main settings

In this section, we detail only the configuration items to be modified or added to properly configure a Neo4j cluster for use by SECollab. Take the following example:

The parameters to add to the configuration file for Server 1 would be:

# Server mode
dbms.mode=CORE

dbms.connectors.default_listen_address=0.0.0.0
dbms.connectors.default_advertised_address=neo-01.domain.local:5000

# Cluster settings
causal_clustering.minimum_core_cluster_size_at_formation=3
causal_clustering.minimum_core_cluster_size_at_runtime=3
causal_clustering.initial_discovery_members=neo-01.domain.local:5000,neo-02.domain.local:5000,neo-03.domain.local:5000
causal_clustering.discovery_type=LIST

Some explanations:

The configuration for servers 2 and 3 is the same, except for the parameter dbms.connectors.default_advertised_address, which changes. So this one becomes:

Common Configurations

The configurations detailed in the previous section (connector, memory, etc.) apply here as well.

Secure intra-cluster communications (recommended)

By default, intra-cluster communications are not encrypted, but Neo4j provides mechanisms to fix this problem. Please refer to sections 5.5 (or online) and 9.2 of the documentation (or online) before continuing.

It is your responsibility to create a certificate for each cluster server using your enterprise PKI. Here is an example configuration to add to the "neo4j.conf" file:

# SSL Policy - cluster
dbms.ssl.policy.cluster.base_directory=/var/lib/neo4j/certificates/cluster
dbms.ssl.policy.cluster.private_key=/var/lib/neo4j/certificates/cluster/neo-01.domain.local.key
dbms.ssl.policy.cluster.public_certificate=/var/lib/neo4j/certificates/cluster/neo-01.domain.local.crt
dbms.ssl.policy.cluster.trusted_dir=/var/lib/neo4j/certificates/cluster/trusted
dbms.ssl.policy.cluster.revoked_dir=/var/lib/neo4j/certificates/cluster/revoked
dbms.ssl.policy.cluster.verify_hostname=true

dbms.ssl.policy.cluster.tls_versions=TLSv1.2
# ref: https://support.comodo.com/index.php?/Knowledgebase/Article/View/659/17/how-to----disable-weak-ciphers-in-tomcat-7--8
dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA
dbms.ssl.policy.cluster.client_auth=REQUIRE

# Apply policy to cluster communication
causal_clustering.ssl_policy=cluster
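
A quick way to confirm that each server's neo4j.conf really carries the cluster SSL policy above is to audit the file before restarting. The script below is an added example, not part of the SECollab or Neo4j documentation; the function names and the node.key / node.crt file names in the sample are hypothetical. It assumes the audit wants every security-relevant value written out explicitly, and its legacy-protocol and forward-secrecy checks go beyond the settings the page lists.

```python
def parse_conf(text):
    """Parse neo4j.conf-style key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit_cluster_tls(text):
    """Return a list of findings; an empty list means every check passed."""
    conf = parse_conf(text)
    policy = conf.get("causal_clustering.ssl_policy")
    if not policy:
        return ["causal_clustering.ssl_policy is not set: no SSL policy applies to cluster traffic"]
    prefix = f"dbms.ssl.policy.{policy}."
    findings = []
    for key in ("private_key", "public_certificate", "trusted_dir"):
        if not conf.get(prefix + key):
            findings.append(f"{prefix}{key} is missing")
    # This audit wants the security-relevant values written out explicitly.
    if conf.get(prefix + "client_auth", "").upper() != "REQUIRE":
        findings.append(f"{prefix}client_auth is not REQUIRE")
    if conf.get(prefix + "verify_hostname", "").lower() != "true":
        findings.append(f"{prefix}verify_hostname is not true")
    versions = [v.strip() for v in conf.get(prefix + "tls_versions", "").split(",") if v.strip()]
    if not versions:
        findings.append(f"{prefix}tls_versions is not set")
    findings += [f"legacy protocol enabled: {v}" for v in versions if v in ("SSLv3", "TLSv1", "TLSv1.1")]
    for suite in (s.strip() for s in conf.get(prefix + "ciphers", "").split(",")):
        # TLS 1.2 suites without an ECDHE/DHE key exchange give no forward secrecy.
        if "_WITH_" in suite and not suite.startswith(("TLS_ECDHE_", "TLS_DHE_")):
            findings.append(f"no forward secrecy: {suite}")
    return findings

# Constructed sample input (hypothetical node.key / node.crt file names).
WEAK_CONF = """
dbms.ssl.policy.cluster.private_key=/var/lib/neo4j/certificates/cluster/node.key
dbms.ssl.policy.cluster.public_certificate=/var/lib/neo4j/certificates/cluster/node.crt
dbms.ssl.policy.cluster.trusted_dir=/var/lib/neo4j/certificates/cluster/trusted
dbms.ssl.policy.cluster.client_auth=NONE
dbms.ssl.policy.cluster.tls_versions=TLSv1,TLSv1.2
dbms.ssl.policy.cluster.ciphers=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
causal_clustering.ssl_policy=cluster
"""

if __name__ == "__main__":
    print("\n".join(audit_cluster_tls(WEAK_CONF)))
```

Run it against the file of every cluster member, since each server has its own key and certificate paths.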

Start the cluster

To apply the changes made and start the cluster, restart each Neo4j database. Depending on the type of installation, you must execute the command:

When a cluster is created, the first server started usually becomes the LEADER of the cluster. To monitor the state of the cluster (creation, synchronization ...), you can follow the logs on each server. Depending on your installation, you must execute the command: