Configure SSL encryption for an ApsaraDB for Redis instance - User Guide| Alibaba Cloud Documentation Center

This topic describes how to enhance link security by enabling SSL encryption and installing SSL certification authority (CA) certificates on your application services. The SSL encryption feature encrypts network connections at the transport layer to improve data security and ensure data integrity during communication.

Prerequisites

The major version of your ApsaraDB for Redis instance is Redis 2.8. The instance is a standard master-replica instance or a cluster master-replica instance. For more information, see Standard master-replica instances or Cluster master-replica instances.
The major version of your ApsaraDB for Redis instance is Redis 4.0 or Redis 5.0. The instance is a cluster master-replica instance. For more information, see Cluster master-replica instances.

Precautions

SSL encryption may increase the network latency of instances. We recommend that you enable this feature only when required. For example, you can enable SSL encryption if you connect to an ApsaraDB for Redis instance over the Internet.
The instance restarts after you enable SSL encryption or update the certificate. During the restart, the instance is disconnected for a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
After you enable SSL encryption for an instance, both SSL and non-SSL connections are supported.

Procedure

Log on to the ApsaraDB for Redis console.
In the top navigation bar of the page, select the region in which the instance is deployed.
On the Instances page, click the ID of the instance.

Perform one of the following operations.

Figure 1. Configure SSL encryption for an ApsaraDB for Redis instance


Operation	Description
Enable or disable SSL encryption	Turn on or off SSL Certificate.
Modify the earliest TLS version supported by the instance	Click SSL next to Minimum TLS version, select a TLS version from the drop-down list, and then click Save. The default value is TLSv1. Note If the Minimum TLS version drop-down list is unavailable, you must update your instance to the latest minor version. For more information, see Update the minor version. This operation is not supported if you use a standard master-replica instance that runs Redis 2.8. For more information, see Standard master-replica instances.
Update the CA certificate	Click Update Validity in the upper-right corner of the page and click OK.
Download the CA certificate	In the upper-right corner of the page, click Download SSL Certificate.

FAQ

Q: What do I do if the error message "version not supported" appears?
A: You must update your instance to the latest minor version. For more information, see Update the minor version.
Q: What files are included in the downloaded CA certificate?
A: The downloaded CA certificate is a compressed package that consists of the following files:
- ApsaraDB-CA-Chain.p7b: imports the CA certificate into the Windows system.
- ApsaraDB-CA-Chain.pem: imports the CA certificate into other systems such as the Linux system or applications.
- ApsaraDB-CA-Chain.jks: stores truststore certificates in Java and imports the CA certificate chain into Java applications.

SSL connection methods

References


API operation	Description
ModifyInstanceSSL	Configures SSL encryption for an ApsaraDB for Redis instance.