This topic describes how to configure Secure Sockets Layer (SSL) encryption for an ApsaraDB RDS for MySQL instance. You can enable SSL encryption for your RDS instance and install the SSL certificates that are issued by certificate authorities (CAs) on your application. SSL then encrypts the network connection at the transport layer between your RDS instance and your application, which protects the confidentiality and integrity of the data in transit. However, SSL increases the response time.

Prerequisites

Your RDS instance runs one of the following MySQL versions and RDS editions:

  • MySQL 8.0 on RDS Enterprise Edition
  • MySQL 8.0 on RDS High-availability Edition
  • MySQL 5.7 on RDS Enterprise Edition
  • MySQL 5.7 on RDS High-availability Edition
  • MySQL 5.6

Background information

SSL was developed by Netscape to provide encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. However, the term "SSL encryption" is retained because it is more common in the communications industry. In this topic, SSL encryption refers to TLS encryption.
Note ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.

For more information about how to configure SSL encryption for RDS instances that run other database engines, see the following topics:

Precautions

  • The validity period of an SSL certificate is one year. Before the SSL certificate that is in use expires, you must update its validity period. In addition, you must download the new SSL certificate file and configure the SSL certificate on your clients again. Otherwise, a client cannot connect to your RDS instance over an encrypted connection. For more information, see Update the validity period of an SSL certificate.
  • Because of how it is implemented, SSL encryption can significantly increase CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the connection to the public endpoint of your RDS instance. In most cases, the connection to the internal endpoint of your RDS instance is secure and therefore does not require SSL encryption.
  • SSL encryption is not supported for the connection to the read/write splitting endpoint of your RDS instance.
  • If you disable SSL encryption, your RDS instance restarts. Proceed with caution.

Enable SSL encryption

  1. Visit the RDS instance list, select a region at the top of the page, and click the ID of the target instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
  4. In the SSL Settings section, turn on SSL Encryption.
  5. In the dialog box that appears, select the endpoint that you want to protect, and click OK.
    Note You can encrypt the connection to the internal or public endpoint based on your business requirements. Only one connection can be encrypted.
  6. Click Download CA Certificate to download the SSL certificate files as a compressed package.

    The compressed package contains the following files:

    • .p7b file: the SSL certificate file that is used for a Windows operating system.
    • .PEM file: the SSL certificate file that is used for an operating system or application that is not Windows-based.
    • .JKS file: the SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from a CA certificate chain into Java-based applications. The default password is apsaradb.
      Note When you use the .JKS file in JDK 7 or JDK 8, open the jre/lib/security/java.security file on the host where your application resides. Then, modify the following two default JDK security configuration items to the values shown below:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify these configuration items, the following error is reported (in most cases, other similar errors are also caused by invalid Java security configurations):
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

After SSL encryption is enabled, you must configure an SSL certificate on your application or client. Otherwise, your application or client cannot connect to your RDS instance. In this topic, MySQL Workbench and Navicat are used as examples. If you use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL certificate file.

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database that you want to connect to, and select Edit Connection.
  3. Click the SSL tab and select the path of the .pem SSL certificate file, as shown in the following figure.
  4. Click OK.
    Note If the "connection is being used" error is reported, the previous session is still connected. In this case, restart Navicat.
  5. Double-click the database that you want to connect to, and check whether the connection succeeds.
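The same certificate configuration for the mysql command-line client, as an added example that is not part of the original topic. It verifies the downloaded .pem CA chain with openssl, checks how long the chain remains valid so that an operator is warned before the one-year certificate expires, and builds a mysql invocation that uses the mysql client options --ssl-ca, --ssl-mode (VERIFY_CA or VERIFY_IDENTITY) and --tls-version so that a server certificate that the CA file cannot verify is rejected. The endpoint, user name and file paths are placeholders, and the self-signed certificate generated at the end is a constructed stand-in for the downloaded .pem file; openssl must be installed, and the mysql client is only needed if you run the printed command yourself.

```shell
#!/bin/sh
# Added example, not from the ApsaraDB RDS documentation.
# Assumes openssl is installed; host names, users and paths are placeholders.

# Print the subject and the notAfter date of the first certificate in a PEM file.
ca_chain_info() {
    openssl x509 -in "$1" -noout -subject -enddate
}

# Return 0 if the certificate in $1 stays valid for at least $2 days (default 30),
# 1 if it expires sooner or has already expired. Suitable for a cron-driven alert
# that fires before the RDS certificate's one-year validity period runs out.
ca_chain_valid_for_days() {
    days="${2:-30}"
    openssl x509 -in "$1" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Print the mysql client command that pins the RDS CA chain.
#   $1 = RDS endpoint, $2 = user, $3 = PEM file, $4 = ssl mode (default VERIFY_CA)
# VERIFY_CA validates the server certificate against the CA file; VERIFY_IDENTITY
# additionally checks that the certificate matches the endpoint host name.
# --tls-version pins TLS 1.2, the newest version the RDS instance supports.
rds_mysql_ssl_cmd() {
    printf 'mysql -h %s -P 3306 -u %s -p --ssl-ca=%s --ssl-mode=%s --tls-version=TLSv1.2\n' \
        "$1" "$2" "$3" "${4:-VERIFY_CA}"
}

# Self-contained demo: a constructed self-signed certificate valid for 365 days
# stands in for the downloaded CA chain (it is NOT the real ApsaraDB CA).
demo_dir="$(mktemp -d)"
trap 'rm -rf "$demo_dir"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/ca.pem" \
    -subj "/CN=constructed-example-ca" >/dev/null 2>&1

ca_chain_info "$demo_dir/ca.pem"
if ca_chain_valid_for_days "$demo_dir/ca.pem" 30; then
    echo "CA chain valid for at least 30 more days"
else
    echo "CA chain expires within 30 days: update validity, re-download and reconfigure clients"
fi
# Placeholder endpoint and user; the printed command is not executed here.
rds_mysql_ssl_cmd rm-placeholder.mysql.rds.aliyuncs.com appuser "$demo_dir/ca.pem"
```

Run the script as-is to see the checks against the constructed certificate; in practice, point ca_chain_valid_for_days at the .pem file from the downloaded package and run it from a scheduled job, since an expired certificate disconnects every client that uses the encrypted connection.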

Update the validity period of an SSL certificate

Note
  • The Update Validity operation causes your RDS instance to restart. Proceed with caution.
  • After you perform the Update Validity operation, you must download the SSL certificate file and configure the SSL certificate again.
Update Validity

Disable SSL encryption

Note
  • If you disable SSL encryption, your RDS instance restarts. In this case, ApsaraDB RDS triggers a primary/secondary switchover to reduce the impact on your workloads. However, we still recommend that you disable SSL encryption during off-peak hours.
  • After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.

  1. Visit the RDS instance list, select a region at the top of the page, and click the ID of the target instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
  4. Turn off SSL Encryption. In the message that appears, click OK.

FAQ

If I do not update the validity period of the expired SSL certificate, does my RDS instance malfunction or data security deteriorate?

If you do not update the expired SSL certificate, your RDS instance continues to run normally and no new security risks arise. However, if your application communicates with your RDS instance over an encrypted connection, your application is disconnected.