
ApsaraDB RDS:Configure SSL encryption for a database proxy endpoint

Last Updated:Jan 11, 2024

ApsaraDB RDS for MySQL supports SSL encryption for database proxy endpoints. You can enable the SSL encryption feature and install an SSL certificate on your applications to improve the connection security of your RDS instance. This topic describes how to configure SSL encryption for a database proxy endpoint.

SSL encrypts the network connections at the transport layer between your RDS instance and your application. This enhances the security and integrity of data in transit but increases the response time.

Prerequisites

  • The RDS instance runs one of the following MySQL versions:

    • MySQL 8.0 with a minor engine version of 20200831 or later on RDS High-availability Edition

    • MySQL 8.0 on RDS Cluster Edition

    • MySQL 5.7 on RDS Cluster Edition

    • MySQL 5.7 with a minor engine version of 20200831 or later on RDS High-availability Edition

    • MySQL 5.6 with a minor engine version of 20200831 or later on RDS High-availability Edition

    Note

    If your RDS instance is attached with read-only RDS instances, the read-only RDS instances must meet the requirements that are described in Update the minor engine version.

  • The database proxy feature is enabled. For more information, see Enable the database proxy feature.

  • The database proxy version is 1.12.8 or later. For more information, see Upgrade the database proxy version.

  • The total length of the dedicated proxy endpoint that you want to protect does not exceed 64 characters.

Usage notes

  • SSL encryption can be configured for only one dedicated proxy endpoint per proxy terminal.

  • If you enable or disable SSL encryption, change the protected database proxy endpoint, or update the validity period of an SSL certificate, your proxy instance restarts. Proceed with caution.

Enable SSL encryption

Important

This operation triggers a restart of your RDS instance. Proceed with caution.

  1. Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the instance ID.

  2. In the left-side navigation pane, click Database Proxy.

  3. In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Enable to the right of SSL Encryption.

  4. In the dialog box that appears, select the endpoint that you want to encrypt and click OK.

  5. After the SSL encryption status changes to Enabled, click Download CA Certificate next to SSL Encryption.

    Note
    • The file that you downloaded is a package that contains the following files:

      • PEM file: suitable for most scenarios.

      • JKS file: suitable for Java applications. In most cases, the PEM-formatted CA certificate file must be imported to a truststore for conversion into a JKS file. You can use the JKS file in Java applications. The password of the file is apsaradb.

      • P7B file: suitable for a small number of Windows applications that require PKCS#7-formatted certificate files.

    • You can use the downloaded CA certificate to verify the certificate that the database server presents to your application.

    • When you use the .jks file with Java Development Kit (JDK) 7 or JDK 8, open the jre/lib/security/java.security file on the host where your application resides and set the following two configuration items to these values, replacing their defaults:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify these configuration items, the following error is reported. Other similar errors are in most cases also caused by the Java security configuration rejecting the algorithms or key sizes that the server uses:

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
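The CA bundle from the note above only protects the connection if the client validates the certificate chain and the endpoint name, and because only one endpoint per proxy is protected, it is worth confirming in code that the session actually came up encrypted. The following Python example is added here and is not part of the ApsaraDB documentation or Alibaba Cloud code; it pins trust to the downloaded PEM file, matches the server certificate against the protected proxy endpoint, and refuses to continue if MySQL reports an empty Ssl_cipher. The endpoint name, the PEM file name and the PyMySQL driver (1.0 or later, which accepts an SSLContext) are assumptions.

```python
import ssl

# Placeholders (assumptions, not values from the documentation):
PROXY_ENDPOINT = "rm-EXAMPLE.proxy.rds.aliyuncs.com"  # the one protected endpoint
CA_BUNDLE = "ApsaraDB-CA-Chain.pem"                   # PEM file from the downloaded package


def proxy_ssl_context(cafile):
    """TLS policy for the proxy connection: trust only the given CA bundle,
    require a server certificate, and match the endpoint name against it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED   # reject servers that present no certificate
    ctx.check_hostname = True             # endpoint name must match the certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_policy(ctx):
    """Plain-data view of the policy, so it can be asserted on or logged."""
    return {
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def session_is_encrypted(status_rows):
    """Interpret the rows of SHOW STATUS LIKE 'Ssl_cipher': MySQL reports an
    empty Ssl_cipher when the session was negotiated without TLS."""
    cipher = dict(status_rows).get("Ssl_cipher", "")
    return bool(cipher)


def connect_and_verify(user, password, host=PROXY_ENDPOINT, cafile=CA_BUNDLE):
    """Open a TLS session to the protected endpoint and return the cipher in
    use; raise if the server is reachable but the session is not encrypted."""
    import pymysql  # third-party driver; PyMySQL 1.0+ accepts an SSLContext

    conn = pymysql.connect(host=host, user=user, password=password,
                           ssl=proxy_ssl_context(cafile))
    try:
        with conn.cursor() as cur:
            cur.execute("SHOW STATUS LIKE 'Ssl_cipher'")
            rows = cur.fetchall()
        if not session_is_encrypted(rows):
            raise RuntimeError("session to %s is not TLS-encrypted" % host)
        return dict(rows)["Ssl_cipher"]
    finally:
        conn.close()
```

Connecting through the unprotected endpoint of the same proxy fails the handshake under this policy rather than silently falling back to plaintext.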

Configure an SSL certificate

After you enable SSL encryption and download the CA certificate, you can configure the SSL certificate in your application. For more information, see Download the CA certificate.

Change the protected proxy endpoint

Important

This operation updates the validity period of the SSL certificate and triggers a restart of your RDS instance. Proceed with caution.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Database Proxy.

  3. In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Change Protected Endpoint below Protected Endpoint.

  4. Select the endpoint that you want to encrypt and click OK.

Update the validity period of the SSL certificate

Important

This operation triggers a restart of your RDS instance. Proceed with caution.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Database Proxy.

  3. In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Update Expiration Time to the right of SSL Certificate Expiration Time. In the dialog box that appears, click OK.

Disable SSL encryption

Important

This operation triggers a restart of your RDS instance. Proceed with caution.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.

  2. In the left-side navigation pane, click Database Proxy.

  3. In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Disable to the right of SSL Encryption. In the dialog box that appears, click OK.

Related operations

The following API operations correspond to the console procedures above:

  • ModifyDbProxyInstanceSsl: Configures SSL encryption for a database proxy endpoint.

  • GetDbProxyInstanceSsl: Queries the SSL encryption settings of a database proxy endpoint.

References

Sample code for connecting to a database over SSL

For more information, see Application code.

FAQ about SSL encryption

For more information, see FAQ.