Configuring remote database aliasesEnterprise Edition
You can use a remote database alias to connect to a graph located on a remote standalone server or cluster.
Although remote database aliases do not store any data, they enable users or applications to perform queries on remote databases as if they were on the local DBMS server. All configurations can be done using administrative commands on a running system. Any changes are automatically synchronized across all members of a cluster.
When creating the remote database alias, it can be configured to authenticate with either:
-
STORED NATIVE CREDENTIALS, the credentials of a single native user on the remote DBMS. -
Introduced in 2026.01
OIDC CREDENTIAL FORWARDING, forwarding the bearer authentication token from the logged-in user on the local DBMS. The user needs to be logged in with an identity provider supporting OIDC.
By creating a remote database alias, you define:
-
Which credentials to use to authenticate to the remote database.
-
Where the remote database is located.
-
How to connect to the remote database using driver settings.
|
To manage remote database aliases, you must have either database management or alias management privileges. For example, the following command grants the permission to create an alias to the |
By granting access to the remote database alias, you define which users can use it to connect to the database on the remote DBMS.
|
Many of the built-in roles that Neo4j provides have access to all databases, this includes any remote database alias. |
The following examples describe how to set up access to a remote database via a remote database alias by using either stored native credentials, or OIDC credential forwarding. They assume that you have two separate DBMS instances: a local DBMS A and a remote DBMS B.
Setup example with stored native credentials
In this example, Alice is an administrator of DBMS A, Bob is an administrator of DBMS B, and Carol is a user who needs access to a database managed by Bob.
A remote database alias is only accessible to users with appropriate privileges.
In this example, Bob is the administrator responsible for deciding which database (db1 or db2) the remote database alias can write and/or read.
Meanwhile, Alice is the administrator that assigns who has access to the privileges set by Bob.
In the example, Alice assigns that access to Carol.
See DBMS privileges for more information.
Bob creates a user profile on DBMS B, grants it access to database db1 and shares the credentials with Alice.
Then, Alice creates a remote database alias db1-remote-alias on DBMS A that connects to db1 on DBMS B using the shared credentials.
After Alice grants Carol access to the remote database alias, Carol can log in to the local DBMS A, using her own credentials, and through the remote database alias connect to db1 on DBMS B.
|
All operations executed on the remote DBMS are performed under the identity of the user associated with the remote database alias.
When using For example, suppose the shared user on DBMS B, who is shared and configured for the remote database alias on the DBMS A, is assigned the built-in role |
Configure the remote DBMS B (Bob)
As Bob, you are responsible for the remote DBMS B. You can create and delete users and grant or deny privileges on the databases managed by DBMS B.
In this example, you create a user called remote_user, which will be used by the remote database alias to connect to db1, and share the credentials with Alice.
-
Create the user profile to share with Alice:
CREATE USER remote_user SET PASSWORD 'secretpassword' -
Create a custom role to track all users shared on a remote connection, so that they remain trackable:
CREATE ROLE shared_to_remote -
Grant the
shared_to_remoterole access todb1and assign the role to the user profile created for the remote database alias,remote_user:GRANT ACCESS ON DATABASE db1 TO shared_to_remote GRANT MATCH {*} ON GRAPH db1 TO shared_to_remote GRANT ROLE shared_to_remote TO remote_user -
Set up the SSL framework and check whether the database accepts non-local connections if required.
# accept non-local connections server.default_listen_address=0.0.0.0 # configure ssl for bolt dbms.ssl.policy.bolt.enabled=true dbms.ssl.policy.bolt.base_directory=certificates/bolt dbms.ssl.policy.bolt.private_key=private.key dbms.ssl.policy.bolt.public_certificate=public.crt dbms.ssl.policy.bolt.client_auth=NONE # enforcing ssl connection server.bolt.tls_level=REQUIRED
-
Securely transmit the credentials to Alice, setting up the link to database
db1.
Configure the local DBMS A and grant access to Carol (Alice)
As Alice, you are responsible for setting up DBMS А. You can create and delete database aliases and grant or deny users' access to them.
In this example, you create a remote database alias, called db1-remote-alias, which connects to db1 on DBMS B using the credentials shared by Bob.
Generate an encryption key
First, you need to generate an encryption key.
In this case, the credentials of the user remote_user of DBMS B are reversibly encrypted and stored in the system database of DBMS A.
Since the algorithm used is AES/GCM, you must provide an AES encryption key of length 256 and store it in a password-protected keystore in the PKCS12 format.
The key can be generated by using the following keytool command in your terminal, which is included in Java Platform, Standard Edition:
keytool -genseckey -keyalg aes -keysize 256 -storetype pkcs12 -keystore [keystore-name] -alias [key-name] -storepass [keystore-password]|
It is recommended to generate the keystore using the same Java version as the one on which Neo4j is run, as the supported encryption algorithms may vary. For details on the version of Java required by Neo4j, see System requirements → Java. |
Configure the keystore settings
After generating the keystore file, you need to configure DBMS A to use it by setting the following configuration parameters in the neo4j.conf file:
| Configuration | Description |
|---|---|
The absolute path to the keystore file, including the file name. |
|
The password to the keystore file. Use Command expansion to set the password. |
|
The name of the secret key. |
|
To prevent unauthorized access, you must store the keystore file in a trusted location.
This is the main way to protect the encrypted passwords that will be stored in the |
In a cluster, you must share the same keystore file among all servers. For example, these would be valid additions to the configuration when using the suggested keytool command:
dbms.security.keystore.path=/home/secure-folder/keystore-name.pkcs12 dbms.security.keystore.password=$(conf/password.sh) dbms.security.key.name=key-name
Where password.sh might look like this:
#!/bin/bash
echo "$KEYSTORE_PASSWORD_ENVIRONMENT_VARIABLE"Additionally, do not forget to change the permissions of the configuration file and start Neo4j with the command expansion flag:
chmod 640 conf/neo4j.conf
bin/neo4j start --expand-commandsCreate the remote database alias and grant access to Carol
You create the remote database alias using alias administrative commands and grant Carol access to it.
|
It is strongly recommended to connect to a remote database alias with a secured connection.
Note that only client-side SSL is supported.
By default, remote database aliases require a secured URI scheme such as |
-
Use the following command to create a remote database alias with the stored native credentials shared by Bob:
CREATE ALIAS `db1-remote-alias` FOR DATABASE `db1` AT "neo4j+s://location:7687" USER remote_user PASSWORD 'secretpassword' -
Create a custom role to track all users who have access to the remote database alias (or choose an already existing role):
CREATE ROLE remote_access -
Grant the
remote_accessrole access to the remote database alias and assign it to Carol. SeeACCESSprivileges for more information.GRANT ACCESS ON DATABASE `db1-remote-alias` TO remote_access GRANT ROLE remote_access TO carol
|
If a transaction modifies an alias (e.g. changing the database targeted on DBMS B), other transactions concurrently executing against that alias may be aborted and rolled back for safety. This prevents issues such as a transaction executing against multiple target databases for the same alias. |
Changing the encryption key
If the encryption key in the keystore is changed, the encrypted credentials for all existing remote database aliases requires updating, as they will no longer be readable with the new key.
|
In case of a failure when reading the keystore file, investigate the |
Setup example with OIDC credential forwardingIntroduced in 2026.01
In order to use OIDC credential forwarding, both DBMS A and DBMS B must support the same OIDC identity provider. See the SSO integration on how to enable OIDC.
In this example, Alice is an administrator of DBMS A, Bob is an administrator of DBMS B, and Carol is a user who needs access to a database managed by Bob.
Carol logs into the local DBMS A through an OIDC-compliant identity provider by offering a token from the provider. The token is used to set the username and determine the identity provider groups to which the user belongs.
Alice is the administrator of the local DBMS A and sets up SSO for the identity provider and configures the mapping of the identity provider groups to the Neo4j roles, such that Carol can use the remote database alias, db1-remote-alias, to connect to the remote database db1.
Bob configures the remote DBMS B to support SSO with the same identity provider used by Carol to log in to DBMS A.
He also configures the mapping of the identity provider groups to the Neo4j roles such that the Carol’s identity provider groups grant the appropriate privileges to access db1 on the DBMS B.
|
A user’s effective permissions are not dictated by the identity provider groups alone, but by the mapping of those groups to roles defined within each Neo4j DBMS. See Map the identity provider groups to the Neo4j roles. As a result, different OIDC configurations across distinct DBMS instances may lead to the same user having different effective privileges on those instances, (DBMS A and DBMS B in this example). While it is possible to use different OIDC configurations across DBMS instances, database administrators must be aware of any privilege disparity that may arise from this and ensure that group-to-role mappings intended to grant equivalent access remain consistent across DBMSs. This is to avoid privilege inconsistency, such as over-privileging or unexpected access denial. |
Configure the local DBMS A and grant access to Carol (Alice)
As Alice, you are responsible for setting up the local DBMS A. You can create and delete database aliases and grant or deny users' access to them.
In this case, you need to set up a remote database alias that connects to db1 on DBMS B using OIDC credential forwarding and grant Carol access to it.
Create the remote database alias and grant access to Carol
You create the remote database alias using alias administrative commands.
|
It is strongly recommended to connect to a remote database alias with a secured connection.
Note that only client-side SSL is supported.
By default, remote database aliases require a secured URI scheme such as |
-
Use the following command to create a remote database alias using OIDC credential forwarding:
CREATE ALIAS `db1-remote-alias` FOR DATABASE `db1` AT "neo4j+s://location:7687" OIDC CREDENTIAL FORWARDING -
Create a custom role to track all users who have access to the remote database alias (or choose an already existing role):
CREATE ROLE remote_access -
Grant the
remote_accessrole access to the remote database alias. The role will be assigned to Carol on login via the mapping of identity provider groups to the Neo4j roles:GRANT ACCESS ON DATABASE `db1-remote-alias` TO remote_accessIf a transaction modifies an alias (e.g. changing the database targeted on DBMS B), other transactions concurrently executing against that alias may be aborted and rolled back for safety. This prevents issues such as a transaction executing against multiple target databases for the same alias.
Set up SSO on the local DBMS and map the identity provider groups to the Neo4j roles
In order for Carol to get access to the remote database alias, she needs to be in an identity provider group that is mapped to a Neo4j role that is granted access to that alias.
You set up SSO on the local DBMS A and map the identity provider groups to the Neo4j roles. For details, see the SSO configuration tutorial and Map the identity provider groups to the Neo4j roles.
dbms.security.oidc.<provider>.well_known_discovery_uri=http://example.com/.well-known/discovery
<...>
dbms.security.oidc.<provider>.claims.groups=groups
dbms.security.oidc.<provider>.authorization.group_to_role_mapping= "engineers" = admin; \
"collaborators" = reader; \
"remote_users" = remote_access
Configure the remote DBMS B (Bob)
As Bob, you are responsible for setting up the remote DBMS B. You can create and delete users and grant or deny privileges on the databases managed by DBMS B.
In this example, you need to ensure that Carol can access db1 on DBMS B using OIDC credential forwarding.
-
Create a custom role or choose an existing one. The roles will be assigned to the users on login via the mapping of identity provider groups to the Neo4j roles:
CREATE ROLE db1_access -
Grant the
db1_accessrole access todb1:GRANT ACCESS ON DATABASE db1 TO db1_access GRANT MATCH {*} ON GRAPH db1 TO db1_access -
Set up SSO on the remote DBMS B and map the identity provider groups to the Neo4j roles. For details, see the SSO configuration tutorial and Map the identity provider groups to the Neo4j roles.
dbms.security.oidc.<provider>.well_known_discovery_uri=http://example.com/.well-known/discovery <...> dbms.security.oidc.<provider>.claims.groups=groups dbms.security.oidc.<provider>.authorization.group_to_role_mapping= "engineers" = admin; \ "collaborators" = reader; \ "remote_users" = db1_access -
Set up the SSL framework and check whether the database accepts non-local connections if required.
# accept non-local connections server.default_listen_address=0.0.0.0 # configure ssl for bolt dbms.ssl.policy.bolt.enabled=true dbms.ssl.policy.bolt.base_directory=certificates/bolt dbms.ssl.policy.bolt.private_key=private.key dbms.ssl.policy.bolt.public_certificate=public.crt dbms.ssl.policy.bolt.client_auth=NONE # enforcing ssl connection server.bolt.tls_level=REQUIRED
Connect to remote database aliases
You can connect to a remote database alias the same way as you would connect to a standard database using any of the following options:
-
Connecting directly to the remote database alias.
-
Querying a remote database alias that you are not directly connected to using the Cypher
USEclause:USE `db1-remote-alias` MATCH (n) RETURN * -
Connecting to a remote database alias as a home database. This needs to be set by an administrator, in this case Alice. See User Management for more information.
ALTER USER carol SET HOME DATABASE `db1-remote-alias`
Important notes
When using remote database aliases, keep in mind that:
-
Remote database alias transactions will not be visible in
SHOW TRANSACTIONSon the local DBMS. However, they can be accessed and terminated on the remote database when connecting with the same user. -
Actions on the remote DBMS are all attributed to the user configured for the remote database alias. In the case of using
STORED NATIVE CREDENTIALS, the same credentials are used to connect to the remote DBMS regardless of which end-user made the query targeting the remote database alias. This will result in the stored native user being logged in the audit trails on the remote DBMS for all queries using the remote database alias. When usingOIDC CREDENTIAL FORWARDING, the actual end-user’s credentials and permissions are used, resulting in per-user audit trails being logged on the remote DBMS. -
When using a remote database alias with OIDC credential forwarding, the user needs to be logged into the local DBMS with OIDC, otherwise there is no token to forward, and the access to the remote database will be denied with GQLSTATUS
42NFF.