This topic describes how to configure Secure Sockets Layer (SSL) encryption on your ApsaraDB RDS for SQL Server instance. You must enable SSL encryption on your RDS instance and install the SSL certificates issued by certificate authorities (CAs) on your application. SSL encrypts network connections at the transport layer, which protects the confidentiality and integrity of the transmitted data. However, SSL increases the response time.

Background information

SSL was developed by Netscape to provide encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. However, the term "SSL encryption" is retained because it is more common in the communications industry. In this topic, SSL encryption refers to TLS encryption.
Note ApsaraDB for RDS supports TLS 1.0, 1.1, and 1.2.

Precautions

  • An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update its validity period, download the new SSL certificate file, and configure the SSL certificate on your client again. Otherwise, the client cannot connect to your RDS instance over an encrypted connection.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you want to encrypt the connections with the public endpoint of your RDS instance. In most cases, connections with the internal endpoint of your RDS instance are secure and do not require SSL encryption.
  • SSL encryption cannot be disabled after it is enabled. Proceed with caution.
  • SSL encryption is not supported for the connections with the read/write splitting endpoint of your RDS instance.

Enable SSL encryption

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the SSL Encryption tab.
  6. Turn on the switch next to Disabled.
  7. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
    Note You can encrypt connections that use either the internal or public endpoint as required.
  8. Click Download CA Certificate to download the SSL CA certificate files in a compressed package.

    The downloaded package contains the following files:

    • p7b file: used to import CA certificates to the Windows operating system.

    • PEM file: used to import CA certificates to other operating systems or applications.

    • JKS file: the Java truststore file. The password is apsaradb. It is used to import the CA certificate chain to Java programs.

      Note When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the /jre/lib/security/java.security file on the host where your application resides, and modify the following configurations:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify the JDK security configuration, the following error is reported. Other errors of this kind are also caused by the Java security configuration.
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
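Because the CA certificate is only valid for one year (see Precautions), it is worth checking the downloaded PEM file before the certificate rolls over. The following script is an added example, not part of the original topic: it loads the PEM bundle with Python's standard ssl module and reports how many days each CA certificate has left; the PEM path is passed on the command line, and the 30-day warning threshold is an assumption.

```python
import ssl
import sys
import time

SECONDS_PER_DAY = 86400


def load_ca_certs(pem_path):
    """Load the CA certificates from the downloaded PEM bundle.

    SSLContext.get_ca_certs() returns one dict per loaded CA certificate
    with 'subject', 'issuer', 'notBefore' and 'notAfter'; entries that are
    not CA certificates are not listed.
    """
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()


def days_until_expiry(not_after, now=None):
    """Days left before an OpenSSL-style date such as
    'Mar 10 12:00:00 2025 GMT'; negative once it has expired."""
    expires = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    now = time.time() if now is None else now
    return (expires - now) / SECONDS_PER_DAY


def expiry_status(not_after, warn_days=30, now=None):
    """Classify as 'expired', 'renew-soon' (within warn_days) or 'ok'."""
    left = days_until_expiry(not_after, now)
    if left < 0:
        return "expired"
    if left <= warn_days:
        return "renew-soon"
    return "ok"


def common_name(name):
    """Extract the CN from the nested RDN tuples used by the ssl module."""
    for rdn in name:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def check_ca_bundle(pem_path, warn_days=30):
    """Return (common name, notAfter, status) for each CA in the file."""
    return [(common_name(c["subject"]), c["notAfter"],
             expiry_status(c["notAfter"], warn_days))
            for c in load_ca_certs(pem_path)]


if __name__ == "__main__":  # usage: python check_ca.py ApsaraDB-CA-Chain.pem
    for cn, not_after, status in check_ca_bundle(sys.argv[1]):
        print(f"{status:11} {not_after}  {cn}")
```

Run it again after Update Validity so that the newly downloaded file, not the old one, is what your client trusts.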

Configure an SSL certificate

After you enable SSL encryption, you must configure an SSL certificate on your application or client before it can connect to your RDS instance. In this section, MySQL Workbench is used as an example. If you use another application or client, see its documentation.

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the required SSL certificate file.

Update the validity period of an SSL CA certificate

Note
  • Update Validity causes the RDS instance to restart. Proceed with caution.
  • After you update the validity period, you must download and configure the SSL CA certificate again.