This topic describes how to make data transmission more secure by configuring SSL encryption. You must enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) in the required applications. SSL is used to encrypt connections at the transport layer and enhance the security and integrity of the transmitted data. However, SSL encryption increases the round-trip time.
Precautions
An SSL certificate is valid for one year. You must update the validity period of the SSL certificate and then download and configure the certificate again. Otherwise, clients that use encrypted network connections cannot connect to your clusters.
SSL encryption may cause a sharp increase in CPU utilization. We recommend that you enable SSL encryption only if you want to encrypt the connections that are established to the public endpoint of your cluster. In most cases, connections that are established to the internal endpoint of your cluster are secure and do not require SSL encryption.
After you disable SSL encryption for a cluster, the cluster is restarted. Proceed with caution.
Enable SSL encryption and download an SSL certificate
Log on to the Apsara PolarDB console.
In the upper-left corner of the page, select the region where the cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose .
On the SSL Settings tab, turn on the switch next to SSL to enable SSL encryption.
Note: You can enable SSL encryption for only the primary endpoints of PolarDB for PostgreSQL clusters.
In the Configure SSL dialog box, click OK.
After the SSL status changes to Enabled, click Download Certificate.
The downloaded package contains the following files:
P7B file: the SSL certificate file that is used for a Windows operating system.
PEM file: used to import CA certificates to other operating systems or applications.
JKS file: the Java truststore file. The password is apsaradb. It is used to import the CA certificate chain to Java programs.
Note: When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the jre/lib/security/java.security file on the server that is connected to Apsara PolarDB and modify the following configurations:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
If you do not modify these configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations.
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
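The stock JDK 8 java.security file spreads the two entries from the note above over backslash-continued lines, so a naive line-by-line search-and-replace leaves half of the old value behind. The helper below is an added example (not from the PolarDB documentation or any Alibaba Cloud tool; the java.security excerpt inside it is constructed) that rewrites the two keys to the values the page gives while honoring continuations and leaving every other line untouched.

```python
import re
# Values the page gives for JDK 7 and JDK 8; pass another dict to apply a different policy.
PAGE_SETTINGS = {
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DH keySize < 224",
    "jdk.certpath.disabledAlgorithms": "MD2, RSA keySize < 1024",
}
# Constructed excerpt of a stock JDK 8 java.security file (note the backslash continuations).
SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, MD5, SHA1 jdkCA & usage TLSServer, \\
    RSA keySize < 1024, DSA keySize < 1024, EC keySize < 224
jdk.tls.disabledAlgorithms=SSLv3, RC4, DES, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
securerandom.source=file:/dev/random
"""
_KEY_RE = re.compile(r"\s*([A-Za-z0-9_.]+)\s*[=:]\s*(.*)$")
def _logical_lines(text):
    """Yield (logical_line, physical_lines); a trailing backslash continues an entry."""
    physical, parts = [], []
    for line in text.splitlines():
        physical.append(line)
        body = line.lstrip() if parts else line  # continuation lines lose leading blanks
        if body.endswith("\\"):
            parts.append(body[:-1])
            continue
        parts.append(body)
        yield "".join(parts), physical
        physical, parts = [], []
    if parts:  # file ended right after a continuation backslash
        yield "".join(parts), physical
def get_security_property(text, key):
    """Return the value of `key` in java.security content, or None if it is absent."""
    for logical, _ in _logical_lines(text):
        m = _KEY_RE.match(logical)
        if m and m.group(1) == key:
            return m.group(2).strip()
    return None
def set_security_properties(text, settings=PAGE_SETTINGS):
    """Rewrite each key in `settings` in place (multi-line entries too), append missing ones."""
    out, seen = [], set()
    for logical, physical in _logical_lines(text):
        m = _KEY_RE.match(logical)
        key = m.group(1) if m else None
        if key in settings:
            out.append(f"{key}={settings[key]}")
            seen.add(key)
        else:
            out.extend(physical)  # every other line is copied byte for byte
    out += [f"{k}={v}" for k, v in settings.items() if k not in seen]
    return "\n".join(out) + "\n"
```

Read the file, pass its text through set_security_properties, and write the result back over jre/lib/security/java.security; get_security_property lets you confirm the effective value afterwards.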
Update the validity period of the SSL certificate
After you change the endpoint that has SSL encryption enabled or when the SSL certificate is about to expire, you must update the validity period of the SSL certificate. This section describes how to update the validity period of an SSL certificate.
Log on to the Apsara PolarDB console.
In the upper-left corner of the page, select the region where the cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose .
On the SSL Settings tab, click Update Validity Period.
In the Configure SSL dialog box, click OK.
Note: After you update the validity period of the certificate, the cluster is restarted. Proceed with caution.
After the SSL certificate is renewed, download and configure the SSL certificate again.
Note: For more information about how to download a certificate, see Step 7 in the "Enable SSL encryption and download an SSL certificate" section.
Disable SSL encryption
After you disable SSL encryption, the cluster is restarted. We recommend that you perform this operation during off-peak hours.
After SSL encryption is disabled, the performance of your cluster is improved but data security is compromised. We recommend that you disable SSL encryption only in secure environments.
Log on to the Apsara PolarDB console.
In the upper-left corner of the page, select the region where the cluster is deployed.
Find the cluster and click the cluster ID.
In the left-side navigation pane, choose .
On the SSL Settings tab, turn off the switch next to SSL to disable SSL encryption.
In the Configure SSL dialog box, click OK.
FAQ
What will happen if I do not renew an expired SSL certificate? Does my cluster malfunction or data security deteriorate?
If you do not renew the SSL certificate after it expires, your cluster still runs normally and data security is not compromised. However, applications that connect to your cluster over encrypted connections are disconnected.
Related API operations
Operation | Description |
| Queries the SSL encryption settings of a specified PolarDB for MySQL cluster. |
| Enables SSL encryption, disables SSL encryption, or renews the SSL certificate for a specified PolarDB for MySQL cluster. |