Neo4j SSL framework

This section describes breaking changes for the Neo4j SSL framework.

| v3.x | Change | v4.x |
| --- | --- | --- |
| The configuration settings `dbms.security.property_level.enabled` and `dbms.security.property_level.blacklist` are used to disallow properties. | Discontinued | The Cypher® `DENY` command replaces the blocking functionality. Note that the `DENY` command must be applied while Neo4j is running. For details, see Cypher Manual 4.0 → Graph and sub-graph access control. |
| `dbms.security.auth_provider` | Discontinued | This setting is replaced by two new settings: `dbms.security.authentication_providers` and `dbms.security.authorization_providers`. |
| `dbms.connector.https.enabled` is set to `true` by default. | | This setting is no longer `true` by default. To enable Neo4j to listen for incoming connections on the HTTPS port, you have to configure this setting to `true`. |
| The different communication channels are secured independently from each other, using the following configuration settings: `bolt.ssl_policy=<policy name>`, `https.ssl_policy=<policy name>`, `causal_clustering.ssl_policy=<policy name>`, `dbms.backup.ssl_policy=<policy name>` | Discontinued | These settings have been replaced by the setting `dbms.ssl.policy.<scope>.enabled=true`, where `<scope>` substitutes the communication channel (`bolt`, `https`, `cluster`, and `backup`). |
| SSL support for Bolt and HTTPS using the legacy SSL system. | Deprecated | It is recommended to use the standard SSL configuration. |
| The `dbms.directories.certificates` setting is used to explicitly configure the directory that stores the private key and certificate files. | Discontinued | It is recommended to use the standard SSL configuration. |
| `dbms.ssl.policy.*.allow_key_generation` | Discontinued | Neo4j no longer automatically generates a self-signed certificate. |

For further details on the SSL framework changes, see Operations Manual → SSL framework.
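The following is an added example, not part of the Neo4j documentation or tooling: a small pre-upgrade check that scans a 3.x `neo4j.conf` for the settings listed above and reports the 4.x change for each. The function names, the sample configuration, and the pairing of each old channel setting with a 4.x scope (taken in the order the page lists them) are assumptions made for illustration.

```python
import fnmatch

# 3.x settings this page marks as discontinued, with the 4.x note from the page.
# Keys are glob patterns so that dbms.ssl.policy.<name>.allow_key_generation matches.
RULES = {
    "dbms.security.property_level.enabled": "discontinued: use the Cypher DENY command on the running DBMS",
    "dbms.security.property_level.blacklist": "discontinued: use the Cypher DENY command on the running DBMS",
    "dbms.security.auth_provider": "discontinued: set dbms.security.authentication_providers "
                                   "and dbms.security.authorization_providers",
    "dbms.directories.certificates": "discontinued: use the standard SSL configuration",
    "dbms.ssl.policy.*.allow_key_generation": "discontinued: Neo4j no longer generates a self-signed certificate",
}
# Old per-channel policy selectors and the 4.x <scope> assumed to replace each.
CHANNELS = {"bolt.ssl_policy": "bolt", "https.ssl_policy": "https",
            "causal_clustering.ssl_policy": "cluster", "dbms.backup.ssl_policy": "backup"}

# Constructed sample of a 3.x configuration fragment (not from a real deployment).
SAMPLE = """\
# constructed 3.x neo4j.conf fragment
dbms.security.auth_provider=native
bolt.ssl_policy=default
dbms.ssl.policy.default.allow_key_generation=true
dbms.connector.bolt.enabled=true
"""

def parse_conf(text):
    """Return {key: value} for key=value lines, skipping blanks and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def audit(text):
    """Return a list of (setting, note) findings for a 3.x configuration."""
    settings, findings = parse_conf(text), []
    for key in settings:
        findings += [(key, note) for pat, note in RULES.items() if fnmatch.fnmatchcase(key, pat)]
        if key in CHANNELS:
            findings.append((key, f"discontinued: set dbms.ssl.policy.{CHANNELS[key]}.enabled=true"))
    # HTTPS was enabled by default in 3.x; in 4.x it must be enabled explicitly.
    if "dbms.connector.https.enabled" not in settings:
        findings.append(("dbms.connector.https.enabled", "not set: no longer true by default in 4.x"))
    return findings

if __name__ == "__main__":
    for setting, note in audit(SAMPLE):
        print(f"{setting}: {note}")
```
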