95 changes: 95 additions & 0 deletions modules/security/pages/index.adoc
@@ -36,6 +36,101 @@ TigerGraph Server meets the following security compliance standards as certified
* https://www.tigergraph.com/soc-2/[SOC 2 Compliance]
* https://www.tigergraph.com/compliance/[PCI-DSS]

== Configuring TLS for Internal Kafka.

This feature introduces SSL/TLS encryption for TigerGraph’s internal Kafka. It addresses the lack of native encryption and authentication for data in transit within the TigerGraph cluster.

=== Basic Setup Workflow

[source,bash]
----
gadmin config set Kafka.Security.SSL.Certificate @/path/to/cert.pem
----

* Set certificate-chain in PEM format.
Contributor

The description can be placed before the code block. Same for the following.
Btw, is the numbered list better than bullet points here?


[source,bash]
----
gadmin config set Kafka.Security.SSL.PrivateKey @/path/to/prikey.pem
----

* Set private-key in PEM format.

[source,bash]
----
gadmin config set Kafka.Security.SSL.Passphrase @/path/to/passphrase
----

* Set passphrase for private key. Java keystore requires passphrase.

[source,bash]
----
gadmin config set Kafka.Security.SSL.Enable true
----

[source,bash]
----
gadmin config apply -y
----

[source,bash]
----
gadmin restart -y kafka
----

Kafka restarts with the new configurations.
Comment on lines +76 to +81
Contributor
Sorry, here we should use gadmin restart all -y: restart Kafka and the corresponding client services.


=== Configuration Reference

[cols="1,2,1", options="header"]
|===
| Parameter | Description | Default Value

| Kafka.Security.SSL.Certificate
| Kafka broker certificate in PEM format
|

| Kafka.Security.SSL.Enable
| Enable Kafka TLS encryption
| false

| Kafka.Security.SSL.ExternalListener.ClientAuth
| Enable SSL client authentication for external listeners, the root certificate of Kafka.Security.SSL.Certificate will be used to trust client certificate.
| false

| Kafka.Security.SSL.Passphrase
| Kafka broker private key passphrase. Should not be empty.
|

| Kafka.Security.SSL.Port
| Kafka SSL listening port
| 30001

| Kafka.Security.SSL.PrivateKey
| Kafka broker private key in PEM format
|

| Kafka.Security.ClientConf.ProtocolForAllClients
| If specified, all clients must use the specified protocol. Legal values include: empty-string (not specified), ssl, plaintext. If it's not specified, clients can choose a preferred protocol
|

| Kafka.Security.ClientConf.EngineProtocol
| It is the protocol for engine-kafka communication. The value can be an empty-string or "plaintext", "ssl". It's overridden by Kafka.Security.ClientConf.ProtocolForAllClients.
|

| Kafka.Security.ClientConf.InfraProtocol
| It is the protocol for infra-kafka communication. The value can be an empty-string or "plaintext", "ssl". It's overridden by Kafka.Security.ClientConf.ProtocolForAllClients.
|

| Kafka.Security.ClientConf.InterBrokerProtocol
| It is the protocol for inter-broker communication. The value can be an empty-string or "plaintext", "ssl". It's overridden by Kafka.Security.ClientConf.ProtocolForAllClients.
|
|===





== Vulnerability scanning
TigerGraph leverages best-of-breed tools to periodically and proactively scan source code, application runtime, infrastructure to identify security vulnerabilities:

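Review bot: The Basic Setup Workflow enables the SSL listener but never pins the client side, and the Configuration Reference below says that when Kafka.Security.ClientConf.ProtocolForAllClients is unspecified "clients can choose a preferred protocol", so after `gadmin config apply -y` the engine, infra and inter-broker connections can still run in plaintext on the original listener. Add a step such as `gadmin config set Kafka.Security.ClientConf.ProtocolForAllClients ssl` before the apply, and say in the intro that Kafka.Security.SSL.Enable true on its own does not force encryption. Likewise, the intro says the feature addresses missing authentication, but Kafka.Security.SSL.ExternalListener.ClientAuth defaults to false, so the text should state that client certificate authentication is opt-in and what it trusts (the root of Kafka.Security.SSL.Certificate, per the table). Two smaller points: the last step should be `gadmin restart all -y` as the reviewer already noted, since the client services also need to pick up the new protocol settings, and the heading "== Configuring TLS for Internal Kafka." carries a trailing period that the other level-2 headings on this page lack.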