All Products
Search
Document Center

PolarDB:Configure SSL encryption

Last Updated:Jul 26, 2023

This topic describes how to make data transmission more security by configuring SSL encryption. You must enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) in the required applications. SSL is used to encrypt connections at the transport layer and enhance the security and integrity of the transmitted data. However, SSL encryption increases the round-trip time.

Precautions

  • An SSL certificate is valid for one year. You must Update the validity period of the SSL certificate and then download and configure the certificate again. Otherwise, clients that use encrypted network connections cannot connect to your clusters.

  • SSL encryption may cause a sharp increase in CPU utilization. We recommend that you enable SSL encryption only if you want to encrypt the connections that are established to the public endpoint of your cluster. In most cases, connections that are established to the internal endpoint of your cluster are secure and do not require SSL encryption.

  • After you disable SSL encryption for a cluster, the cluster is restarted. Proceed with caution.

Enable SSL encryption and download an SSL certificate

  1. Log on to the Apsara PolarDB console.

  2. In the upper-left corner of the page, select the region where the cluster is deployed.

  3. Find the cluster and click the cluster ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SSL Settings tab, turn on the switch next to SSL to enable SSL encryption.

    Note

    You can enable SSL encryption for only the primary endpoints of PolarDB for PostgreSQL clusters.

  6. In the Configure SSL dialog box, click OK.

  7. After the SSL status changes to Enabled, click Download Certificate.

    The downloaded package contains the following files:

    • P7B file: the SSL certificate file that is used for a Windows operating system

    • PEM file: used to import CA certificates to other operating systems or applications.

    • JKS file: the Java truststore file. The password is apsaradb. It is used to import the CA certificate chain to Java programs.

      Note

      When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the jre/lib/security/java.security file on the server that is connected to Apsara PolarDB and modify the following configurations:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify these configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Update the validity period of the SSL certificate

After you change the endpoint that has SSL encryption enabled or when the SSL certificate is about to expire, you must update the validity period of the SSL certificate. This section describes how to update the validity period of an SSL certificate.

  1. Log on to the Apsara PolarDB console.

  2. In the upper-left corner of the page, select the region where the cluster is deployed.

  3. Find the cluster and click the cluster ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SSL Settings tab, click Update Validity Period.

  6. In the Configure SSL dialog box, click OK.

    Note

    After you update the validity period of the certificate, the cluster is restarted. Proceed with caution.

  7. After the SSL certificate is renewed, download and configure the SSL certificate again.

    Note

    For more information about how to download a certificate, see Step 7 in the "Enable SSL encryption and download an SSL certificate" section.

Disable SSL encryption

Note
  • After you disable SSL encryption, the cluster is restarted. We recommend that you perform this operation during off-peak hours.

  • After SSL encryption is disabled, the performance of your cluster is improved but data security is compromised. We recommend that you disable SSL encryption only in secure environments.

  1. Log on to the Apsara PolarDB console.

  2. In the upper-left corner of the page, select the region where the cluster is deployed.

  3. Find the cluster and click the cluster ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SSL Settings tab, turn off the switch next to SSL to disable SSL encryption.

  6. In the Configure SSL dialog box, click OK.

FAQ

What will happen if I do not renew an expired SSL certificate? Does my cluster malfunction or data security deteriorate?

If you do not renew the SSL certificate after it expires, your cluster can still run as normal and data security is not compromised. However, applications that connect to your cluster over encrypted connections are disconnected.

Related API operations

Operation

Description

DescribeDBClusterSSL

Queries the SSL encryption settings of a specified PolarDB for MySQL cluster.

ModifyDBClusterSSL

Enables SSL encryption, disables SSL encryption, or renews the SSL certificate for a specified PolarDB for MySQL cluster.