This topic describes how to enhance endpoint security. You can enable Secure Sockets Layer (SSL) encryption and install SSL certificates issued by certificate authorities (CAs) on the necessary application services. SSL is used on the transport layer to encrypt network connections and enhance the security and integrity of communication data. However, SSL also increases the response time.

Precautions

  • The SSL certificate is valid for one year. Before it expires, renew the validity period of the certificate, and then download and configure the certificate again. Otherwise, clients that use encrypted connections can no longer connect to your databases. For more information, see Renew the validity period of a certificate.
  • SSL encryption may cause a significant increase in CPU usage. We recommend that you enable SSL encryption only when you want to encrypt connections from an external network. In most cases, internal endpoints do not require SSL encryption.
  • After you disable SSL encryption for a cluster, the cluster will be restarted. Proceed with caution.

Enable SSL encryption and download a certificate

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is deployed.
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click the switch on the right of SSL to enable SSL encryption.
  6. In the Configure SSL dialog box, click OK.
  7. After the SSL status changes to Enabled, click Download Certificate.

    The downloaded package contains three files:

    • p7b file: used to import CA certificates to the Windows system.
    • pem file: used to import CA certificates to other operating systems or applications.
    • jks file: a Java truststore that contains the CA certificate chain. The password is apsaradb. Use this file to import the CA certificate chain into Java programs.
      Note If you use the jks file with JDK 7 or JDK 8, you must modify the default JDK security configuration. Open the jre/lib/security/java.security file on the server that connects to Apsara PolarDB and set the following properties:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify the JDK security configuration, the following error is returned. Other similar errors are also caused by the Java security configuration.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
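      The following Java program is an added example and is not code from the Apsara PolarDB documentation: it loads the downloaded jks file with the documented password apsaradb, reports how many days each CA certificate in it remains valid so that renewal can be scheduled before encrypted clients are cut off, and builds an SSLContext that trusts only that CA chain rather than the JDK's default trust store. The truststore path and the 30-day warning threshold are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PolarDbTruststoreCheck {
    // Assumed placeholder: path of the jks file extracted from the downloaded package.
    static final String TRUSTSTORE_PATH = "/path/to/polardb-ca-chain.jks";
    // Truststore password documented for the jks file.
    static final char[] TRUSTSTORE_PASSWORD = "apsaradb".toCharArray();
    // Assumed threshold: warn when a CA certificate has fewer days of validity left.
    static final long RENEW_WARNING_DAYS = 30;

    /** Loads the JKS truststore that ships in the downloaded certificate package. */
    static KeyStore loadTruststore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, TRUSTSTORE_PASSWORD);
        }
        return ks;
    }
    /** Builds an SSLContext that trusts only the CA chain in the truststore, not the
     *  JDK's default cacerts, so a server presenting any other chain is rejected. */
    static SSLContext contextFor(KeyStore truststore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTruststore(args.length > 0 ? args[0] : TRUSTSTORE_PATH);
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            if (cert == null) continue; // entry is not a trusted certificate
            // Days until notAfter; negative means the CA certificate has already expired.
            long daysLeft = (cert.getNotAfter().getTime() - System.currentTimeMillis()) / 86400000L;
            String status = daysLeft < 0 ? "EXPIRED, encrypted clients are disconnected"
                    : daysLeft < RENEW_WARNING_DAYS ? "renew the validity period soon" : "ok";
            System.out.printf("%s: %s, expires %s (%d days): %s%n", alias,
                    cert.getSubjectX500Principal().getName(), cert.getNotAfter(), daysLeft, status);
        }
        SSLContext ctx = contextFor(ks); // hand ctx to the database client library as its trust source
        System.out.println("Trust configured using " + ctx.getProtocol());
    }
}
```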

Renew the validity period of a certificate

If you have modified the SSL endpoint or the certificate validity is about to expire, you must renew the validity period of the certificate. This section describes how to renew the validity period of a certificate.

  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is deployed.
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click Update Validity Period.
  6. In the Configure SSL dialog box, click OK.
    Note After you renew the validity period of the certificate, the cluster will be restarted. Proceed with caution.
  7. After the validity period of the certificate is renewed, you must download and configure the certificate again.
    Note For more information about how to download a certificate, see Step 7 in Enable SSL encryption and download a certificate.

Disable SSL encryption

Note
  • After you disable SSL encryption for a cluster, the cluster will be restarted. We recommend that you perform this operation during off-peak hours.
  • After SSL encryption is disabled, the performance of your database improves but its security is compromised. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the Apsara PolarDB console.
  2. In the upper-left corner of the page, select the region where the target cluster is deployed.
  3. Find the target cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click the switch on the right of SSL to disable SSL encryption.
  6. In the Configure SSL dialog box, click OK.

FAQ

Q: What happens if I do not renew an expired SSL certificate? Will my instance malfunction or the security of my data be compromised?

A: If you do not renew the SSL certificate after it expires, your instance can still run and your data security is not compromised. However, the applications that use encrypted connections to communicate with your instance are disconnected.

Related operations

Operation              Description
DescribeDBClusterSSL   Queries the SSL settings of an Apsara PolarDB cluster.
ModifyDBClusterSSL     Enables or disables SSL encryption, or updates the SSL certificate issued by a CA for an Apsara PolarDB cluster.