This topic describes how to use the Secure Socket Layer (SSL) link encryption feature.
OceanBase Database supports SSL link encryption to ensure secure data transmission between clients and servers.
SSL uses mutual authentication to ensure integrity based on digital signatures and privacy based on encryption. It establishes a secure communication link between the client and the server.
SSL link encryption is supported in OceanBase V2.2.76 and later.
In the left-side navigation pane, click Clusters and select the target cluster to go to the Cluster Workspace page.
In the left-side navigation pane, click Security Settings.
Click the SSL Link Encryption tab. You can perform the following operations:
Click the toggle switch to enable SSL link encryption.
Click Download CA Certificate to download the certificate.
The downloaded package contains three files:
.p7b file: used to import CA certificates in Windows operating systems.
.pem file: used to import CA certificates in other systems or applications.
.jks file: a Java TrustStore certificate file used to import CA certificate chains in Java programs. The password is apsaradb.
When you use the .jks file in JDK 7 or JDK 8, you must modify the default JDK security configuration. Specifically, you must find the jre/lib/security/java.security file on the server where the program is located, and then reconfigure the file as follows:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
If you do not modify the JDK security configuration, the following error is reported. Other similar errors are also caused by the Java security configuration.
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
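To confirm that the edit took effect, the following added example (not part of the original documentation) parses a java.security file and compares the two properties with the values given above. The function names and the sample file content are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not part of the JDK or OceanBase.
# Print the effective value of KEY in a java.security file (Java properties syntax:
# '#'/'!' comments, trailing backslash continues a value, last assignment wins).
effective_prop() {  # usage: effective_prop FILE KEY
    awk -v key="$2" '
        !cont && /^[ \t]*[#!]/ { next }
        {
            line = $0; sub(/^[ \t]+/, "", line)
            buf = cont ? (buf line) : line
            if (buf ~ /\\$/) { sub(/\\$/, "", buf); cont = 1; next }
            cont = 0
            eq = index(buf, "=")
            if (eq == 0) next
            k = substr(buf, 1, eq - 1); sub(/[ \t]+$/, "", k)
            if (k == key) { val = substr(buf, eq + 1); sub(/^[ \t]+/, "", val); found = 1 }
        }
        END { if (found) print val }
    ' "$1"
}

# Compare both properties with the values given on this page; returns 0 on match.
check_java_security() {  # usage: check_java_security FILE
    rc=0
    for pair in \
        'jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224' \
        'jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024'
    do
        key=${pair%%=*}; want=${pair#*=}
        have=$(effective_prop "$1" "$key" | tr '\t' ' ' | tr -s ' ' | sed 's/ $//')
        if [ "$have" = "$want" ]; then
            echo "OK       $key"
        else
            echo "MISMATCH $key"; echo "  have: $have"; echo "  want: $want"; rc=1
        fi
    done
    return $rc
}

# Constructed sample (not a real JDK file): the TLS property still carries a
# stricter DH limit and is split over two lines with a backslash continuation.
sample=$(mktemp)
cat > "$sample" <<'EOF'
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, \
    EC keySize < 224
EOF
check_java_security "$sample" || true
rm -f "$sample"
```

To check a real installation, call check_java_security with the path to that JDK's jre/lib/security/java.security file.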
Click Update Validity Period to update the SSL Certificate Validity Period.