PolarDB:Configure SSL encryption

Prerequisites

The version of your PolarDB-X instance is 5.4.10 or later. You can view the instance version information on the Basic information page in the PolarDB-X console.

Note

• The validity period of an SSL certificate is one year. Before an SSL certificate expires, update the validity period of the SSL certificate and download and configure the SSL certificate again. Otherwise, clients cannot connect to your instance over encrypted connections. For more information about how to update the validity period of an SSL certificate, see Update the validity period of an SSL certificate.

• SSL encryption can cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only for connections to the public endpoint of your instance. In most cases, connections to the private endpoint are secure and do not require SSL encryption.

• Each time you enable or disable SSL encryption for an instance, the instance is restarted. Proceed with caution.

Enable SSL encryption

1. Log on to the PolarDB for Xscale console.

2. In the top navigation bar, select the region where the target instance is located.

3. On the Instances page, click the PolarDB-X 2.0 tab.

4. Find the target instance and click its ID.

5. In the left-side navigation pane, choose Configuration Management > Safety management.

6. Click the SSL configuration tab.

7. Turn on the switch next to SSL configuration.

   

   Note

   After you turn on the switch, the value of SSL protected address that is displayed on the page is the private endpoint. You can change the value to the public endpoint. For more information, see Change the protected endpoint for SSL encryption.

8. In the message that appears, click OK.

   Important

   After you click OK, the instance is restarted. We recommend that you enable or disable your instance during off-peak hours and make sure that your applications can automatically reconnect to the instance.

9. After SSL encryption is enabled, click Download CA certificate.

   The downloaded package contains the following files.

   • The .p7b file is used to import the SSL certificate to Windows systems.

   • The .pem file is used to import the SSL certificate to non-Windows systems and applications.

   • The .jks file stores truststore certificates for Java. The password is apsaradb. The file is used to import the CA certificate chain to Java programs.

     Note

     When you use the .jks file in Java Development Kit (JDK) 7 or JDK 8, go to the jre/lib/security/java.security directory on the host where your application resides and run the following code to modify the default values of two configuration items:

     jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
     jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

     Otherwise, the following error is returned. In most cases, similar errors are also caused by invalid Java security configurations.

     javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

After you enable SSL encryption, configure an SSL certificate to allow your application or your client to connect to PolarDB-X. This section provides examples to show how to configure an SSL certificate. In the examples, MySQL Workbench and Navicat are used. If you use other applications or clients, see the corresponding instructions.

Configure an SSL certificate on MySQL Workbench

1. Start MySQL Workbench.

2. Choose Database > Manage Connections.

3. Select If available in the Use SSL drop-down list and import the SSL certificate file.

Configure an SSL certificate on Navicat

1. Start Navicat.

2. Right-click the database that you want to connect and select Edit Connection.

   

3. Click the SSL tab and select the path of the .pem SSL certificate file.

   

4. Click OK.

   Note

   If the connection is being used error message is returned, the previous session is active. In this case, you must restart Navicat.

5. Double-click the database to check whether the database is connected.

   

Update the validity period of an SSL certificate

Change the protected endpoint for SSL encryption

1. Log on to the PolarDB for Xscale console.

2. In the top navigation bar, select the region where the target instance is located.

3. On the Instances page, click the PolarDB-X 2.0 tab.

4. Find the target instance and click its ID.

5. In the left-side navigation pane, choose Configuration and Management > Safety management.

6. Click the SSL configuration tab.

7. Click Set SSL.

8. In the dialog box that appears, select the endpoint to which the connections you want to encrypt.

   Note

   • After you turn on the switch next to the SSL configuration parameter, the value of SSL protected address that is displayed on the page is the private endpoint. You can change the private endpoint to the public endpoint.

   • After you change the endpoint to which connections are encrypted by the SSL certificate, the instance is restarted. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

   • After you change the endpoint for SSL encryption, you must download and configure the SSL certificate again.

9. Click OK.

Disable SSL encryption

1. Log on to the PolarDB for Xscale console.

2. In the top navigation bar, select the region where the target instance is located.

3. On the Instances page, click the PolarDB-X 2.0 tab.

4. Find the target instance and click its ID.

5. In the left-side navigation pane, choose Configuration and Management > Safety management.

6. Click the SSL configuration tab.

7. Disable the SSL configuration.

   

8. In the message that appears, click OK.