SSL link encryption

Last Updated: Sep 29, 2021

This topic describes how to use the Secure Socket Layer (SSL) link encryption feature.

Background

OceanBase Database supports SSL link encryption to ensure secure data transmission between clients and servers.

SSL establishes a secure communication link between the client and the server. It uses mutual authentication, with integrity ensured by digital signatures and privacy ensured by encryption.

Note

SSL link encryption is supported in OceanBase V2.2.76 and later.

Procedure

  1. In the left-side navigation pane, click Clusters and select the target cluster to go to the Cluster Workspace page.

  2. In the left-side navigation pane, click Security Settings.

  3. Click the SSL Link Encryption tab. You can perform the following operations:

    1. Click the toggle switch to enable SSL link encryption.

    2. Click Download CA Certificate to download the certificate.

      The downloaded package contains three files:

      • .p7b file: used to import CA certificates in Windows operating systems.

      • .pem file: used to import CA certificates in other systems or applications.

      • .jks file: a Java TrustStore certificate file used to import CA certificate chains in Java programs. The password is apsaradb.

      Note

      When you use the .jks file in JDK 7 or JDK 8, you must modify the default JDK security configuration. Specifically, you must find the jre/lib/security/java.security file on the server where the program is located, and then reconfigure the file as follows:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify the JDK security configuration, the following error will be reported. Other similar errors are also caused by Java security configuration.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

    3. Click Update Validity Period to update the SSL Certificate Validity Period.
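
To confirm that a JRE's java.security file carries the two values from the note in step 2, the following added example (not OceanBase code; the function names and the sample text are constructed for illustration) parses the file's text, including backslash-continued values, and compares each property's effective value with the page's setting.

```python
import re

# Values the page says to set in jre/lib/security/java.security.
EXPECTED = {
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DH keySize < 224",
    "jdk.certpath.disabledAlgorithms": "MD2, RSA keySize < 1024",
}
# Constructed sample input, not copied from any JDK release.
SAMPLE = """\
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
# a value continued over two lines, as java.security allows
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DH keySize < 768
"""

def parse_security_properties(text):
    """Parse java.security text: '#' comments, backslash continuations, last key wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line.startswith("#")):
            continue
        if line.endswith("\\"):
            pending += line[:-1].strip() + " "
            continue
        key, sep, value = (pending + line).partition("=")
        pending = ""
        if sep:
            props[key.strip()] = value.strip()
    return props

def normalize(value):
    """Turn a comma-separated constraint list into a set, ignoring spacing and order."""
    return {" ".join(item.split()) for item in value.split(",") if item.strip()}

def key_size_limit(value, algorithm):
    """Return N from an '<algorithm> keySize < N' constraint, or None if absent."""
    m = re.search(r"\b%s\s+keySize\s*<\s*(\d+)" % re.escape(algorithm), value)
    return int(m.group(1)) if m else None

def audit(text):
    """Map each property the page names to (matches_page, effective_value)."""
    props = parse_security_properties(text)
    return {k: (normalize(props.get(k, "")) == normalize(want), props.get(k, ""))
            for k, want in EXPECTED.items()}

if __name__ == "__main__":
    for name, (ok, value) in audit(SAMPLE).items():
        print("OK  " if ok else "DIFF", name, "=", value)
```

Pass the contents of the jre/lib/security/java.security file to audit(). The file applies to every program run with that JRE, so check each installation the application may start under.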