This topic describes how to enhance the security of data in transit. You can enable Secure Sockets Layer (SSL) encryption for a cluster and install the SSL certificate issued by the certificate authority (CA) in the applications that connect to it. SSL encrypts connections at the transport layer and protects the confidentiality and integrity of the transmitted data. However, SSL encryption increases the response time.

Background information

SSL was developed by Netscape to provide encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. However, the term SSL encryption is still commonly used, so SSL encryption in this topic refers to TLS encryption.

Precautions

  • An SSL certificate remains valid for one year. You must renew an SSL certificate before the SSL certificate expires. In addition, you must download the required SSL certificate file and configure the SSL certificate again after you renew the SSL certificate. Otherwise, clients that are connected to your PolarDB for MySQL cluster through encrypted connections are disconnected. For more information about how to renew an SSL certificate, see Renew an SSL certificate.
  • SSL encryption may cause a sharp increase in CPU utilization. We recommend that you enable SSL encryption only when you want to encrypt the connections that are established to the public endpoint of your instance. In most cases, connections that are established to the internal endpoint of your instance are secure and do not require SSL encryption.
  • To enable SSL encryption, the endpoint of the PolarDB cluster must be less than 64 characters in length. For more information about how to modify an endpoint, see Manage a cluster endpoint.
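The following program is an added example, not part of the PolarDB documentation, that checks how long the downloaded PEM certificate file remains valid so that the renewal described above is not missed. It loads every certificate in the PEM file with the standard java.security.cert API and reports the days until each notAfter date; the 30-day warning threshold and the file path are assumptions, since the documentation only states that the certificate must be renewed before it expires.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example: report the remaining validity of the certificates in the
 * downloaded PEM file. Not code from the PolarDB documentation.
 */
public class CaCertExpiryCheck {

    // Assumed lead time for renewal; the documentation only says "before it expires".
    static final long WARN_DAYS = 30;

    /** Parses all certificates in a PEM file (the downloaded file may hold a chain). */
    static List<X509Certificate> loadPem(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pemFile)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** Whole days from 'now' until the certificate's notAfter date (negative if expired). */
    static long daysUntilExpiry(X509Certificate cert, Instant now) {
        return Duration.between(now, cert.getNotAfter().toInstant()).toDays();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path: pass the real location of the downloaded PEM file as the first argument.
        Path pem = Paths.get(args.length > 0 ? args[0] : "/path/to/downloaded-ca.pem");
        Instant now = Instant.now();
        boolean renewalNeeded = false;

        for (X509Certificate cert : loadPem(pem)) {
            long days = daysUntilExpiry(cert, now);
            System.out.printf("%s expires on %s (%d days left)%n",
                    cert.getSubjectX500Principal(), cert.getNotAfter(), days);
            if (days < WARN_DAYS) {
                renewalNeeded = true;
            }
        }

        if (renewalNeeded) {
            System.out.println("Renew the SSL certificate in the PolarDB console, "
                    + "then download and configure the new certificate file in every client.");
            System.exit(1); // non-zero exit so a scheduled job can alert on it
        }
    }
}
```

Run it from a scheduled job against the PEM file that your clients actually use. A non-zero exit means the file in use is within the warning window and the renewal, download and reconfiguration steps in this topic are due; the JKS variant of the file can be inspected the same way after converting it, or listed with keytool using the password given in this topic.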

Enable SSL encryption and download an SSL certificate

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn on SSL to enable SSL encryption.
    Note
    • You can enable SSL encryption for only the primary endpoints of ApsaraDB PolarDB MySQL-compatible edition 5.6 and ApsaraDB PolarDB MySQL-compatible edition 5.7 clusters.
    • You can enable SSL encryption for the primary endpoints, cluster endpoints, and custom endpoints of ApsaraDB PolarDB MySQL-compatible edition 8.0 clusters.
  6. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
    Note You can select the public or internal endpoint based on your business requirements.
  7. After the state of SSL encryption displays Enabled, click Download Certificate.

    The downloaded package contains the following files:

    • A P7B file. This file is used to import the CA certificate to a Windows system.
    • A PEM file. This file is used to import the CA certificate to other operating systems or applications.
    • A JKS file. This file is a truststore for Java. The password is apsaradb. The file is used to import the CA certificate chain to Java programs.
      Note When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the jre/lib/security/java.security file on the server that is connected to the PolarDB database and modify the following configurations:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify these configurations, the following error is returned. In most cases, other similar errors are also caused by invalid Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    If you want to change the endpoint for which SSL encryption is enabled, click Configure SSL.
    Notice After you change the endpoint, the SSL certificate is automatically renewed and the PolarDB for MySQL cluster is restarted. Proceed with caution.
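The following program is an added example, not code from the PolarDB documentation, that shows how a Java client uses the JKS file from the downloaded package. It connects with MySQL Connector/J, points the driver at the truststore with the password stated above, requires the server certificate to verify against the CA chain, and then confirms that the session is actually encrypted by reading the Ssl_cipher status variable. The endpoint, account and truststore path are placeholders; the Connector/J property names are the driver's own.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/**
 * Added example: verified TLS connection from Java to a PolarDB for MySQL endpoint
 * using the JKS truststore from the downloaded certificate package.
 * Not code from the PolarDB documentation.
 */
public class PolarDbTlsConnect {

    // Placeholder values: replace with your cluster endpoint, account and file location.
    static final String ENDPOINT = "YOUR_CLUSTER_ENDPOINT";
    static final int PORT = 3306;
    static final String USER = "YOUR_DB_USER";
    static final String PASSWORD = "YOUR_DB_PASSWORD";
    static final String TRUSTSTORE = "/path/to/downloaded-ca-chain.jks";

    /** Builds Connector/J properties that require TLS and verify the server certificate. */
    static Properties tlsProperties(String user, String password, String truststorePath) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        // Connector/J 8.0: refuse plaintext and reject a server certificate that does not
        // chain to the truststore. (Connector/J 5.1 equivalent: useSSL=true,
        // requireSSL=true, verifyServerCertificate=true.)
        p.setProperty("sslMode", "VERIFY_CA");
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + truststorePath);
        p.setProperty("trustCertificateKeyStoreType", "JKS");
        // Password of the JKS file in the downloaded package, as stated in this topic.
        p.setProperty("trustCertificateKeyStorePassword", "apsaradb");
        return p;
    }

    /** Returns the negotiated cipher, or an empty string if the session is not encrypted. */
    static String negotiatedCipher(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString(2) : "";
        }
    }

    public static void main(String[] args) throws SQLException {
        String url = "jdbc:mysql://" + ENDPOINT + ":" + PORT + "/";
        // On JDK 7/8 with the default java.security constraints described above, this call
        // fails with "DHPublicKey does not comply to algorithm constraints" until the
        // jdk.tls.disabledAlgorithms / jdk.certpath.disabledAlgorithms lines are adjusted.
        try (Connection conn = DriverManager.getConnection(url, tlsProperties(USER, PASSWORD, TRUSTSTORE))) {
            String cipher = negotiatedCipher(conn);
            if (cipher.isEmpty()) {
                throw new IllegalStateException("connected, but the session is not encrypted");
            }
            System.out.println("TLS cipher in use: " + cipher);
        }
    }
}
```

With sslMode set to VERIFY_CA, a handshake against a certificate that does not chain to the truststore is rejected before any credentials are sent, which is the property a client-side certificate configuration is meant to provide; the Ssl_cipher check catches the opposite mistake, a driver that silently fell back to plaintext because the TLS properties were misspelled or ignored.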

Configure an SSL certificate

After you enable SSL encryption, you must configure an SSL certificate. The SSL certificate is required when your application or client connects to your PolarDB cluster. In this section, MySQL Workbench and Navicat are used as examples to describe how to configure an SSL certificate. If you use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL certificate file, as shown in the following figure.

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database and click Edit Connection.
  3. Click the SSL tab and select the path of the PEM certificate file, as shown in the following figure.
  4. Click OK.
    Note If the "Connection with same connection name already exists in the project." error is returned, Navicat is still connected to the database. Stop Navicat and launch it again.
  5. Double-click your database to check whether Navicat can connect to the database.

Renew an SSL certificate

After you change the endpoint that has SSL encryption enabled or when the SSL certificate is about to expire, you must renew the SSL certificate. This section describes how to renew an SSL certificate.
Note After you renew the SSL certificate, the cluster is automatically restarted. Proceed with caution.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click Update Validity Period.
  6. In the dialog box that appears, click OK.
  7. After the SSL certificate is renewed, download and configure the SSL certificate again.

Disable SSL encryption

Note
  • After you disable SSL encryption, the cluster is restarted. We recommend that you perform this operation during off-peak hours.
  • After SSL encryption is disabled, the performance of your database is improved but data security is compromised. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn off SSL to disable SSL encryption.
  6. In the message that appears, click OK.

Related API operations

API operation          Description
DescribeDBClusterSSL   Queries the SSL settings of a specified PolarDB cluster.
ModifyDBClusterSSL     Enables SSL encryption, disables SSL encryption, or renews the SSL certificate for a specified PolarDB cluster.