This topic describes how to enable Secure Sockets Layer (SSL) encryption and install SSL CA certificates to applications. SSL encrypts data over network connections at the transport layer. This enhances data security and integrity but increases network connection response time.

Precautions

  • The validity period of an SSL CA certificate is one year. You must renew the validity period of the SSL CA certificate in your application or client within one year. Otherwise, your application or client that uses an encrypted network connection cannot connect to RDS properly.
  • SSL encryption increases CPU usage. Therefore, we recommend that you enable SSL encryption only for public endpoints when required. In typical cases, private endpoints do not require SSL encryption.
  • SSL encryption cannot be disabled once it is enabled.
  • An RDS instance that uses a read-only address does not support SSL encryption.

Enable SSL encryption

  1. Log on to the RDS console.
  2. In the upper-left corner, select the region where the target RDS instance is located.
    [Figure: Select a region]
  3. Find the target RDS instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the SSL Encryption tab.
  6. Click the switch next to Disabled in the SSL Encryption parameter.

    [Figure: Enable SSL encryption]
  7. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption, then click OK.
    Note You can choose to encrypt the private or public endpoint, but note that you can encrypt only one endpoint.

    [Figure: Enable SSL encryption - select the endpoint to encrypt]
  8. Click Download CA Certificate to download the SSL CA certificate files in a compressed package.

    [Figure: Download the SSL CA certificate]

    The compressed package consists of the following three files:

    • .p7b file: used to import CA certificate files in Windows operating systems.
    • .pem file: used to import CA certificate files in other systems or applications.
    • .jks file: used to import CA certificate files in Java-based applications. The .jks file is a Java keystore that serves as the TrustStore.
      Note When you use the .jks file with JDK 7 or JDK 8, you must modify the default JDK security configuration. Specifically, find the jre/lib/security/java.security file on the server where the database you want to access through SSL is located, and set the following two properties:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify the JDK security configuration, the system reports errors similar to the following:
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
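    Because the CA certificate in the package is valid for only one year (see Precautions), it is worth checking its expiry date from the deployed .pem file so the renewal can be scheduled before connections start failing. The following script is an added example, not part of the original topic or of any RDS tooling: it decodes the PEM file, walks the DER structure to the certificate's validity field, and reports the days left. The sample certificate it builds is a constructed, unsigned skeleton used only so the script runs offline; point days_until_expiry at the real downloaded .pem in practice.

```python
"""Report how many days remain before an RDS SSL CA certificate (.pem) expires."""
import base64
import re
from datetime import datetime, timedelta, timezone

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Extract the first CERTIFICATE block and base64-decode it to DER bytes."""
    m = _PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM text")
    return base64.b64decode("".join(m.group(1).split()))


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 UTCTime (0x17) or GeneralizedTime (0x18) value to an aware datetime."""
    s = raw.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280 maps YY < 50 to 20YY, otherwise 19YY
        yy = int(s[:2])
        s = ("20%02d" if yy < 50 else "19%02d") % yy + s[2:]
    elif tag != 0x18:  # GeneralizedTime is already YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from Certificate -> tbsCertificate -> validity."""
    _, pos, _, _ = _read_tlv(der, 0)          # outer Certificate SEQUENCE
    _, pos, _, _ = _read_tlv(der, pos)        # tbsCertificate SEQUENCE
    tag, _, _, nxt = _read_tlv(der, pos)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        pos = nxt
    for _ in range(3):                        # skip serialNumber, signature AlgorithmIdentifier, issuer
        _, _, _, pos = _read_tlv(der, pos)
    tag, pos, _, _ = _read_tlv(der, pos)      # validity SEQUENCE
    if tag != 0x30:
        raise ValueError("validity SEQUENCE not found")
    t1, s1, e1, pos = _read_tlv(der, pos)
    t2, s2, e2, _ = _read_tlv(der, pos)
    return _parse_time(t1, der[s1:e1]), _parse_time(t2, der[s2:e2])


def days_until_expiry(pem_text, now=None):
    """Days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    _, not_after = certificate_validity(pem_to_der(pem_text))
    return (not_after - now).days


def needs_renewal(pem_text, warn_days=30, now=None):
    """True when the CA certificate expires within warn_days (or already has)."""
    return days_until_expiry(pem_text, now) <= warn_days


def _tlv(tag, value):
    """Minimal DER encoder used only to build the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_ca_pem(not_before, not_after):
    """Constructed, unsigned certificate skeleton (placeholder fields) for offline testing; not a real CA."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    issuer = _tlv(0x30, _tlv(0x0C, b"constructed-issuer-padding-" * 8))  # long enough to force long-form lengths
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, b"")
               + issuer + _tlv(0x30, utc(not_before) + utc(not_after)) + _tlv(0x30, b"") + _tlv(0x30, b""))
    cert = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode() + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sample = build_sample_ca_pem(start, start + timedelta(days=365))
    print("days left:", days_until_expiry(sample, now=start + timedelta(days=300)))
    print("renew soon:", needs_renewal(sample, now=start + timedelta(days=300)))
```

Running it against the downloaded .pem (for example from a cron job that feeds the result into monitoring) gives a concrete date to plan the renewal, which matters because renewing from the console restarts the instance.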

Configure the SSL CA certificate

After SSL encryption is enabled, you must configure the SSL CA certificate for your application or client when connecting to RDS. This section uses MySQL Workbench as an example to describe how to install the SSL CA certificate.

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL CA certificate files.

    [Figure: Configure the SSL CA certificate in MySQL Workbench]

Renew the validity period of the SSL CA certificate

Note This operation causes your RDS instance to restart. You must make proper service arrangements before this operation.

[Figure: Renew the validity period of the certificate]