This topic describes how to enhance endpoint security. You can enable Secure Sockets Layer (SSL) encryption and install SSL certificates issued by certificate authorities (CAs) on the necessary application services. SSL encrypts network connections at the transport layer, which protects the confidentiality and integrity of the data in transit. SSL also adds latency to network connections.

Precautions

  • After you update the validity period of a CA certificate, download and configure the certificate again. Otherwise, client programs that use encrypted connections can no longer connect. For more information, see Update the validity period of a certificate.
  • SSL encryption inherently causes a significant increase in CPU usage. We recommend that you enable SSL encryption only when external endpoints need to be encrypted. Typically, internal endpoints do not require SSL encryption.
  • The endpoint of an Apsara PolarDB cluster that supports SSL encryption must be less than 64 characters in length. For more information about how to modify an endpoint, see Set or release a cluster address.
  • Disabling SSL encryption will cause the cluster to restart. Proceed with caution.

Enable SSL encryption and download a certificate

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is located.
    Select the region where the cluster is deployed
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn on the switch on the right of SSL to enable SSL encryption.
    Enable SSL encryption
  6. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption, and click OK.
    Note You can encrypt either the internal endpoint or the public endpoint as needed.
    Configure SSL encryption
  7. After the SSL status turns to Enabled, click Download Certificate.
    Download a certificate

    The downloaded package contains three files:

    • p7b file: used to import CA certificates to the Windows system.
    • pem file: used to import CA certificates to other operating systems or applications.
    • jks file: stores truststore certificates in Java. The password is apsaradb. It is used to import the CA certificate chain to Java programs.
      Note When you use the jks file in a Java program on JDK 7 or JDK 8, you must modify the default JDK security configuration. Open the /jre/lib/security/java.security file on the server that connects to Apsara PolarDB and set the following properties:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify the JDK security configuration, the following error is reported. Similar errors are typically also caused by the Java security configuration.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
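      The following Python script is an added example, not part of the Apsara PolarDB documentation: it applies the java.security change from the note above to the file's text, joining the JDK's backslash line continuations before matching the two keys so that a multi-line default value is replaced whole. REQUIRED holds the two values from the note; SAMPLE is a constructed fragment, not a copy of a real JDK file.

```python
import re
# Values from the documentation above; more permissive than the JDK 8 defaults.
REQUIRED = {
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DH keySize < 224",
    "jdk.certpath.disabledAlgorithms": "MD2, RSA keySize < 1024",
}
_KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=")

def logical_lines(text):
    """Join backslash-continued lines as java.util.Properties does."""
    pending = None
    for raw in text.splitlines():
        line = raw if pending is None else pending + raw.lstrip()
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]  # value continues on the next line
        else:
            yield line
            pending = None
    if pending is not None:
        yield pending

def get_property(text, key):
    """Return the value of `key` in java.security text, or None if unset."""
    for line in logical_lines(text):
        m = _KEY_RE.match(line)
        if m and m.group(1) == key:
            return line.split("=", 1)[1].strip()
    return None

def patch_java_security(text):
    """Set the documented properties in place; other lines and order are kept."""
    out, seen = [], set()
    for line in logical_lines(text):
        m = _KEY_RE.match(line)
        if m and m.group(1) in REQUIRED:
            out.append("%s=%s" % (m.group(1), REQUIRED[m.group(1)]))
            seen.add(m.group(1))
        else:
            out.append(line)
    out += ["%s=%s" % (k, v) for k, v in REQUIRED.items() if k not in seen]
    return "\n".join(out) + "\n"

SAMPLE = """\
# constructed java.security fragment, not a copy of a real JDK file
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024, \\
    DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
jdk.tls.legacyAlgorithms=K_NULL, C_NULL
"""
```

      Because the documented values drop restrictions that the JDK 8 defaults carry, apply the change only on hosts that must connect to the cluster.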

Configure an SSL CA certificate

After the SSL encryption feature is enabled, configure the SSL CA certificate for your application or client so that it can connect to Apsara PolarDB. This section uses MySQL Workbench and Navicat as examples to describe how to install an SSL CA certificate. For other applications or clients, see their own instructions.

Configure a certificate on MySQL Workbench

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL CA certificate, as shown in the following figure.

Configure a certificate on Navicat

  1. Start Navicat.
  2. Right-click the target database and choose Edit Connection from the shortcut menu.
  3. Click the SSL tab and select the path of the CA certificate in the .pem format.
  4. Click OK.
    Note If the Connection is being used error is displayed, the previous session is still connected. Restart Navicat.
  5. Double-click the target database to test whether the database is connected.

Update the validity period of a certificate

If you have changed the SSL endpoint or the certificate is about to expire, you must update the validity period of the certificate. This section describes how to do so.

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is located.
    Select the region where the cluster is deployed
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click Update Validity Period.
    Update the validity period of a certificate
  6. On the Configure SSL message, click OK.
    Note Updating the validity period will cause the cluster to restart. Proceed with caution.
  7. After the validity period of the certificate is updated, download and configure the certificate again.

Disable SSL encryption

Note
  • Disabling SSL encryption will cause the cluster to restart. We recommend that you perform this operation during off-peak hours.
  • After SSL encryption is disabled, database access is faster but less secure. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is located.
    Select the region where the cluster is deployed
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn off the switch on the right of SSL to disable SSL encryption.
    Disable SSL encryption
  6. On the Configure SSL message, click OK.

FAQ

Q: If I do not update the expired SSL certificate, will my instance malfunction or my data security deteriorate?

A: If you do not update the SSL certificate after it expires, your instance continues to run and your data security does not deteriorate. However, the applications that use encrypted connections to communicate with your instance are disconnected.

Related operations

Operation              Description
DescribeDBClusterSSL   Queries the SSL settings of an Apsara PolarDB cluster.
ModifyDBClusterSSL     Enables or disables SSL encryption, or updates the SSL certificate issued by a CA for an Apsara PolarDB cluster.