All Products
Search
Document Center

ApsaraDB RDS:Configure SSL encryption

Last Updated:Nov 14, 2023

This topic describes how to configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance. SSL encryption is used to encrypt the connections from a database client to an RDS instance. This helps you protect the data that is transmitted over the connections.

Background information

SSL is a protocol that is developed to ensure secure communication and protect data. From SSL 3.0 onwards, SSL is renamed as TLS. In this topic, cloud certificates are used to describe how to configure SSL encryption.

Note

ApsaraDB RDS for PostgreSQL supports TLS 1.0, TLS 1.1, and TLS 1.2.

The following table provides a comparison of the SSL encryption configurations and benefits among various certificates.

Item

Cloud certificate

Custom certificate

Client CA certificate

Method to obtain

Issued by Alibaba Cloud.

Issued by a certification authority (CA) or from a self-signed certificate.

Issued from a self-signed certificate.

Validity period

365 days.

Customized.

Customized.

Number of protected endpoints

1

1 or more.

Varies based on the cloud certificate or custom certificate that is used. The number of protected endpoints does not vary based on the CA certificate that is used.

Purpose

Used to enable SSL encryption and used by the database client to validate the RDS instance.

Used to enable SSL encryption and used by the database client to validate the RDS instance.

Used by the RDS instance to validate the database client.

Note
  • To enable SSL encryption, you must configure a cloud certificate or a custom certificate.

  • You can choose not to configure a client CA certificate, which is used by the RDS instance to validate the database client.

Prerequisites

  • The RDS instance runs PostgreSQL 10 or later and uses cloud disks.

  • The pgAdmin 4 client is downloaded. For more information, see pgAdmin 4.

Usage notes

  • An SSL certificate remains valid for one year. If an SSL certificate is about to expire, Alibaba Cloud notifies you by email and internal message and automatically renews the SSL certificate within a specific period of time. You can view internal messages on the Event Center page. You can customize the time to renew the SSL certificate in the Schedule Event dialog box. For more information, see Manage scheduled events.

  • After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.

  • After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.

  • When you configure a cloud certificate, change the endpoint that is protected by the configured cloud certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires approximately 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Use a cloud certificate to enable SSL encryption

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane of the page that appears, click Data Security. On the page that appears, click the SSL tab.

    Note

    If the SSL tab does not appear, you must check whether the RDS instance meets the requirements in Prerequisites.

  3. On the tab that appears, select Cloud Certificate for Select Certificate Source and click Configuration to the right of Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, select the endpoint that you want to protect.

    选择保护的连接串
    Note
    • If you have not applied for a public endpoint, the Select Protected Endpoint dialog box displays only the internal endpoint of the RDS instance. If you have applied for a public endpoint, this dialog box displays both the internal endpoint and public endpoint of the RDS instance. However, each cloud certificate can protect only one endpoint. The internal endpoint is more secure than the public endpoint. Therefore, we recommend that you protect the public endpoint. For more information about how to view the internal endpoint and the public endpoint, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.

    • For more information about how to protect the internal endpoint and the public endpoint at the same time, see Configure a custom certificate.

    • After a cloud certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.

Step 2: Download the server CA certificate

After a cloud certificate is configured, the RDS instance provides a server CA certificate. When you connect to the RDS instance from the database client, the database client validates the RDS instance by using the server CA certificate.

  1. Select Cloud Certificate for Select Certificate Source. Then, click Download CA Certificate.

    下载CA证书
  2. Decompress the file that you downloaded.

    The file that you downloaded is a package that contains the following files:

    • PEM file: suitable for most scenarios.

    • JKS file: In most cases, the PEM-formatted certification authority (CA) certificate file must be imported to a truststore for the conversion into a JKS file for use in Java applications. The password is apsaradb.

    • P7B file: suitable for a small number of Windows applications that require PKCS#7-formatted certificate files.

Step 3: Connect to the RDS instance from the database client

In this example, pgAdmin is used to describe how to connect to the RDS instance over SSL connections.

You can connect to an RDS instance by using multiple methods, such as the psql command-line client and Java Database Connectivity (JDBC). For more information, see Connect to an ApsaraDB RDS for PostgreSQL instance over SSL connections.

Note
  1. Start pgAdmin 4.

    Note

    If this is the first time you log on to pgAdmin of a later version, you must specify a master password that is used to protect saved passwords and other credentials.

  2. Right-click Servers and choose Register > Server.

  3. On the General tab of the Register - Server dialog box, enter the name of the server on which pgAdmin is installed.

  4. Click the Connection tab and enter the information that is used to connect to the RDS instance. 连接信息

    Parameter

    Description

    Host name/address

    The endpoint and port that are used to connect to the RDS instance.

    • If you want to connect to the RDS instance over an internal network, enter the internal endpoint and internal port of the RDS instance.

    • If you want to connect to the RDS instance over the Internet, enter the public endpoint and public port of the RDS instance.

    You can view the preceding information on the Database Connection page of the RDS instance.

    For more information, see View and change the endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.

    Port

    Username

    The username and password that are used to log on to the RDS instance.

    For more information about how to create an account on an RDS instance, see Create a database and an account on an ApsaraDB RDS for PostgreSQL instance.

    Password

  5. On the Parameters tab, configure the parameters related to the SSL authentication mode and configure the certificate.

    Parameter

    Description

    SSL mode

    For security purposes, we recommend that you set this parameter to Require, Verify-CA, or Verify-Full. The following list provides the meanings of the different values of the SSL mode parameter:

    • Require: The database client encrypts the SSL connections that are used to transmit data. However, the database client does not validate the RDS instance.

    • Verify-CA: The database client encrypts the SSL connections that are used to transmit data and validates the RDS instance.

    • Verify-Full: The database client encrypts the SSL connections that are used to transmit data, validates the RDS instance, and checks whether the CN or Domain Name System (DNS) specified in the server CA certificate is consistent with the value of the Host name/address parameter that you set at connection establishments.

    Root certificate

    If you set the SSL mode parameter to Verify-CA or Verify-Full, you must set the Root certificate parameter to the save path of the file that contains the server CA certificate.

    Note
    • In this example, the file that contains the server CA certificate is downloaded from the SSL tab and then is decompressed to the D:\CA\aliyunCA\ path on your computer. You can change the path based on your business requirements.

    • In pgAdmin, the file that contains the server CA certificate is in the PEM format.

  6. Click Save.

    If the information that you enter is correct, the page that is shown in the following figure appears, which indicates that the connection to the RDS instance is successful.

    Important

    The postgres database is the default system database. Do not perform operations on the postgres database.