This topic describes how to enhance endpoint security. You can enable secure sockets layer (SSL) encryption and install SSL certificates that are issued by certificate authorities (CAs) to the required application services. SSL is used on the transport layer to encrypt network connections and enhance the security and integrity of communication data. However, SSL also increases the response time.

Notes

  • The SSL certificate is valid for one year. Before it expires, update the validity period of the certificate, and then download and configure the certificate again. Otherwise, clients that use encrypted connections cannot connect to your databases. For more information, see Update the validity period of a certificate.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you want to encrypt the connections with the public endpoint of your instances. In most cases, connections with the internal endpoint of your instances are secure and do not require SSL encryption.
  • The endpoint of a PolarDB cluster that supports SSL encryption must be less than 64 characters in length. For more information about how to modify an endpoint, see Modify and delete a cluster endpoint.
  • After you disable SSL encryption for a cluster, the cluster is restarted. Proceed with caution.

Enable SSL encryption and download a certificate

  1. Log on to the PolarDB console.
  2. At the top of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn on the switch on the right side of SSL to enable SSL encryption.
    Note
    • You can enable SSL encryption for only the primary endpoints of PolarDB for MySQL 5.6 and PolarDB for MySQL 5.7 clusters.
    • You can enable SSL encryption for the primary endpoints, cluster endpoints, and custom cluster endpoints of PolarDB for MySQL 8.0 clusters.
  6. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption, and click OK.
    Note You can select the internal endpoint or the public endpoint based on your business requirements.
  7. After the SSL status changes to Enabled, click Download Certificate.

    The compressed package contains the following files:

    • .p7b file: used to import CA certificates into Windows.
    • .pem file: used to import CA certificates into other operating systems or applications.
    • .jks file: stores truststore certificates for Java. The password is apsaradb. The file is used to import the CA certificate chain to Java programs.
      Note When the .jks file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the jre/lib/security/java.security file on the server that is connected to the PolarDB database and modify the following configurations:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify the JDK security configuration, the following error is reported. Typically, other similar errors are also caused by invalid Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
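      The following Java program is an added example, not code from the original page or from PolarDB: it loads the downloaded .jks truststore with the documented password, reports how long each CA certificate in it remains valid (the one-year validity noted above), and then connects through MySQL Connector/J with server-certificate verification enabled. The truststore path, cluster endpoint and database name are placeholders; the user name and password are passed as command-line arguments.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;

public class PolarDbSslCheck {
    // Placeholder path to the .jks file from the downloaded certificate package.
    static final String TRUSTSTORE = "/path/to/polardb-ca-chain.jks";
    static final String TRUSTSTORE_PASSWORD = "apsaradb"; // password documented for the .jks file
    // Placeholder cluster endpoint (port 3306) and database name.
    static final String JDBC_TARGET = "pc-xxxxxxxx.mysql.polardb.rds.aliyuncs.com:3306/testdb";

    // Loads the truststore and returns the days until the earliest CA certificate in it expires.
    static long daysUntilExpiry(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        long minDays = Long.MAX_VALUE;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue; // not a trusted-certificate entry
            cert.checkValidity(); // throws if the CA certificate has already expired
            long days = Duration.between(Instant.now(), cert.getNotAfter().toInstant()).toDays();
            System.out.printf("%s: valid until %s (%d days)%n", alias, cert.getNotAfter(), days);
            minDays = Math.min(minDays, days);
        }
        return minDays;
    }

    public static void main(String[] args) throws Exception {
        if (daysUntilExpiry(TRUSTSTORE, TRUSTSTORE_PASSWORD) < 30) {
            System.err.println("CA certificate expires within 30 days: update the validity period and re-download it");
        }
        // Connector/J 8.0.13+: sslMode=VERIFY_CA rejects any server whose certificate chain is not
        // signed by a CA in the truststore, whereas plain useSSL=true encrypts without verifying.
        String url = "jdbc:mysql://" + JDBC_TARGET
                + "?sslMode=VERIFY_CA"
                + "&trustCertificateKeyStoreUrl=file:" + TRUSTSTORE
                + "&trustCertificateKeyStorePassword=" + TRUSTSTORE_PASSWORD;
        try (Connection conn = DriverManager.getConnection(url, args[0], args[1])) {
            System.out.println("Verified TLS connection to " + conn.getMetaData().getDatabaseProductVersion());
        }
    }
}
```

      Run it as java PolarDbSslCheck <user> <password> after adding the Connector/J jar to the classpath; a handshake that fails with the DHPublicKey error above points at the java.security settings described in this note rather than at the certificate.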

Configure SSL CA certificates

After the SSL encryption feature is enabled, configure the SSL CA certificate for your applications or clients to connect to PolarDB. In this section, MySQL Workbench and Navicat are used as examples. If you use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL CA certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL CA certificate file.

Perform the following steps to configure an SSL CA certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database and click Edit Connection.
  3. Click the SSL tab and select the path of the .pem file for the SSL certificate, as shown in the following figure.
  4. Click OK.
    Note You may receive the following error: connection with the same connection name already exists in the project. This error occurs because the previous session is still connected. In this case, restart Navicat.
  5. Double-click the database to check whether it can be connected.

Update the validity period of a certificate

If you have modified the SSL endpoint or the certificate is about to expire, you must update the validity period of the certificate. This section describes how to update the validity period of a certificate.

  1. Log on to the PolarDB console.
  2. At the top of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click Update Validity Period.
  6. In the Configure SSL message, click OK.
    Note After you update the validity period of the certificate, the cluster is restarted. Proceed with caution.
  7. After the validity period of the certificate is updated, download and configure the certificate again.

Disable SSL encryption

Note
  • After you disable SSL encryption for a cluster, the cluster is restarted. We recommend that you perform this operation during off-peak hours.
  • After SSL encryption is disabled, database performance improves, but connections are no longer protected. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the PolarDB console.
  2. At the top of the page, select the region where the target cluster is located.
  3. Find the target cluster and click the cluster ID to go to the Overview page.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn off the switch on the right of SSL to disable SSL encryption.
  6. In the Configure SSL message, click OK.

FAQ

What happens if I do not update an expired SSL certificate? Will my instance malfunction or the security of my data be compromised?

If you do not update the SSL certificate after it expires, your instance continues to run and your data security is not compromised. However, the client applications that use encrypted connections to communicate with your instance are disconnected.

Related API operations

API                   Description
DescribeDBClusterSSL  Queries the SSL settings of a specified PolarDB cluster.
ModifyDBClusterSSL    Enables or disables SSL encryption, or updates the SSL certificate that is issued by a CA for a specified PolarDB cluster.