This topic describes how to configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance. SSL encryption is used to encrypt the connections from a database client to an RDS instance. This helps you protect the data that is transmitted over the connections.

Background information

SSL is a protocol that is developed to ensure secure communication and protect data. From SSL 3.0 onwards, SSL is renamed as TLS. In this topic, cloud certificates are used to describe how to configure SSL encryption.

Note ApsaraDB RDS for PostgreSQL supports TLS 1.0, TLS 1.1, and TLS 1.2.
The following table provides a comparison of the SSL encryption configurations and benefits among various certificates.
Item Use a cloud certificate to enable SSL encryption Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance
How to obtain Issued by Alibaba Cloud. Issued by a certification authority (CA) or from a self-signed certificate. Issued from a self-signed certificate.
Validity period 365 days. Customized. Customized.
Number of protected endpoints 1. 1 or more. Varies based on the cloud or custom certificate that is used. The number of protected endpoints does not vary based on the CA certificate that is used.
Purpose Used to enable SSL encryption and used by the database client to validate the RDS instance. Used to enable SSL encryption and used by the database client to validate the RDS instance. Used by the RDS instance to validate the database client.
Note
  • To enable SSL encryption, you must configure a cloud certificate or a custom certificate.
  • You can choose not to configure a client CA certificate, which is used by the RDS instance to validate the database client.

Prerequisites

The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).

Precautions

  • After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.
  • After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.
  • When you configure a cloud certificate, change the endpoint that is protected by the configured cloud certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Use a cloud certificate to enable SSL encryption

  1. Visit the RDS instance list, select a region above, and click the target instance ID.
  2. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL Encryption tab.
    SSL Encryption tab
    Note If the SSL Encryption tab cannot be found, you must check that the RDS instance meets the requirements that are stated in the "Prerequisites" section of this topic.
  3. Click Cloud Certificate. Then, click Configuration next to Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, select the endpoint that you want to protect.
    Select a protected endpoint
    Note
    • If you have not applied for a public endpoint, the Select Protected Endpoint dialog box displays only the internal endpoint of the RDS instance. If you have applied for a public endpoint, this dialog box displays both the internal endpoint and public endpoint of the RDS instance. However, each cloud certificate can protect only one endpoint. The internal endpoint is more secure than the public endpoint. Therefore, we recommend that you protect the public endpoint. For more information about how to view the internal endpoint and the public endpoint, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.
    • For more information about how to protect the internal endpoint and the public endpoint at the same time, see Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
    • After a cloud certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.

Step 2: Download the server CA certificate

After a cloud certificate is configured, the RDS instance provides a server CA certificate. When you connect to the RDS instance from the database client, the database client validates the RDS instance by using the server CA certificate.

  1. Click Cloud Certificate. Then, click Download CA Certificate.
    Download CA Certificate button
  2. Decompress the file that you downloaded.
    The file that you downloaded is a package, which contains the following three files:
    • P7B file: contains the server CA certificate that can be imported into a Windows operating system.
    • PEM file: contains the server CA certificate that can be imported into an operating system rather than Windows or an application that is not Windows-based.
    • JKS file: contains the server CA certificate that is stored in a Java-supported truststore. You can use the file to import the CA certificate chain into a Java-based application. The default password is apsaradb.

Step 3: Connect to the RDS instance from the database client

In this example, pgAdmin is used to describe how to connect to the RDS instance over SSL.

You can connect to the RDS instance from the database client over SSL by using one of the following methods:
Note Before you connect to the RDS instance, you must make sure that you have configured IP address whitelists and created accounts on the instance. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance and Create a database and an account on an ApsaraDB RDS for PostgreSQL instance.
  1. Start the pgAdmin 4 client.
    Note If the pgAdmin client runs a later version and you log on the pgAdmin client for the first time, you must specify a master password that is used to protect the saved passwords and other credentials.
  2. Right-click Servers and choose Create > Server.
  3. On the General tab of the Create - Server dialog box, enter the name of the server where the pgAdmin client runs.
  4. Click the Connection tab and enter the information that is used to connect to the RDS instance.
    Parameter Description
    Hostname/address Enter the endpoint of the RDS instance. If you want to connect to the RDS instance over an internal network, enter the internal endpoint of the RDS instance. If you want to connect to the RDS instance over the Internet, enter the public endpoint of the RDS instance. For more information, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.
    Port Enter the port number that is associated with the endpoint.
    Username Enter the username of the account that you use to log on to the RDS instance.
    Password Enter the password of the account that you use to log on to the RDS instance.
  5. Click the SSL tab and configure the required parameters. The following table describes the parameters. SSLconfigure
    Parameter Description
    SSL mode
    For security purposes, we recommend that you set this parameter to Require, Verify-CA, or Verify-Full. The following list provides the meanings of the different values of the SSL mode parameter:
    • Require: The database client encrypts the SSL connections that are used to transmit data. However, the database client does not validate the RDS instance.
    • Verify-CA: The database client encrypts the SSL connections that are used to transmit data and validates the RDS instance.
    • Verify-Full: The database client encrypts the SSL connections that are used to transmit data, validates the RDS instance, and checks whether the CN or Domain Name System (DNS) specified in the server CA certificate is consistent with the value of the Host name/address parameter that you set at connection establishments.
    Root certificate If you set the SSL mode parameter to Verify-CA or Verify-Full, you must set the Root certificate parameter to the save path of the file that contains the server CA certificate.
    Note
    • In this example, the file that contains the server CA certificate is downloaded from the SSL tab and then is decompressed to the D:\CA\aliyunCA\ path on your computer. You can change the path based on your business requirements.
    • In pgAdmin, the file that contains the server CA certificate is in the PEM format.
  6. Click Save.
  7. If the information that you entered is correct, the following page appears, which indicates that the connection to RDS instance is successful.
    Note The postgres database is the default system database of the RDS instance. Do not perform operations on this database.