This topic describes how to enhance endpoint security. You can enable Secure Sockets Layer (SSL) encryption and install SSL certificates issued by certificate authorities (CAs) on the required application services. SSL is used at the transport layer to encrypt network connections and protect the confidentiality and integrity of communication data. Note that SSL also increases the response time.

Background information

SSL was developed by Netscape to establish an encrypted link between a web server and a browser. It supports different algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. Because the term SSL is more common in the industry, SSL encryption refers to TLS encryption in this topic.
Note ApsaraDB for RDS supports TLS 1.0, 1.1, and 1.2.

For more information about how to configure SSL encryption in other database engines, see the following topics:

Prerequisites

The RDS instance runs one of the following MySQL versions and RDS editions:

  • MySQL 8.0 on RDS Enterprise Edition
  • MySQL 8.0 on RDS High-availability Edition
  • MySQL 5.7 on RDS Enterprise Edition
  • MySQL 5.7 on RDS High-availability Edition
  • MySQL 5.6

Precautions

  • An SSL CA certificate is valid for one year. You must update the validity period of the certificate and then download and configure the certificate again. Otherwise, clients that use encrypted connections cannot connect to the RDS instance. For more information, see Update the validity period of an SSL CA certificate.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you want to encrypt connections from the Internet. In most cases, connections that use an internal endpoint do not require SSL encryption.
  • Read/write splitting endpoints do not support SSL encryption.
  • If you disable SSL encryption, the RDS instance restarts. Proceed with caution.

Enable SSL encryption

  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the SSL Encryption tab.
  6. Turn on the switch next to Disabled.
  7. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
    Note You can encrypt connections that use either the internal or public endpoint as required.
  8. Click Download CA Certificate to download the SSL CA certificate files in a compressed package.

    The downloaded package contains the following files:

    • p7b file: used to import CA certificates to the Windows operating system.

    • PEM file: used to import CA certificates to other operating systems or applications.

    • JKS file: the Java truststore file. The password is apsaradb. It is used to import the CA certificate chain to Java programs.

      Note When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the /jre/lib/security/java.security file on the host where your application resides, and modify the following configurations:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify the JDK security configuration, the following error is reported. Similar errors are also caused by the Java security configuration.
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
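The following Java program is an added example and is not code from the ApsaraDB documentation. It connects with MySQL Connector/J using the downloaded JKS truststore (password apsaradb, as stated above), requires the server certificate to be verified against that CA chain, and then confirms that the session is actually encrypted by checking the Ssl_cipher status variable. The endpoint, account, and truststore path are hypothetical placeholders.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example: open a TLS connection to the RDS instance that trusts only
// the CA chain in the downloaded JKS file, and verify that SSL is in use.
public class RdsSslCheck {
    public static void main(String[] args) throws SQLException {
        // Hypothetical values; replace with your own endpoint and account.
        String url = "jdbc:mysql://rm-example.mysql.rds.aliyuncs.com:3306/mysql";
        Properties props = new Properties();
        props.setProperty("user", "dbuser");
        props.setProperty("password", "dbpassword");

        // Require TLS and verify the server certificate against the CA chain.
        // On Connector/J 8.0.13 and later, sslMode=VERIFY_CA is the equivalent
        // of the three properties below.
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        props.setProperty("verifyServerCertificate", "true");
        props.setProperty("trustCertificateKeyStoreType", "JKS");
        props.setProperty("trustCertificateKeyStoreUrl", "file:/path/to/ca-chain.jks"); // placeholder path
        props.setProperty("trustCertificateKeyStorePassword", "apsaradb");
        // ApsaraDB for RDS supports TLS 1.0, 1.1, and 1.2; list the newest first.
        props.setProperty("enabledTLSProtocols", "TLSv1.2,TLSv1.1,TLSv1");

        try (Connection conn = DriverManager.getConnection(url, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            // Ssl_cipher is empty for a plaintext session.
            if (rs.next() && !rs.getString(2).isEmpty()) {
                System.out.println("Encrypted with " + rs.getString(2));
            } else {
                throw new IllegalStateException("Connection is not using SSL");
            }
        }
    }
}
```

If the handshake fails on JDK 7 or JDK 8 with the DHPublicKey error shown above, apply the java.security changes from the note before rerunning the program.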

Configure an SSL CA certificate

After you enable SSL encryption, you must configure the SSL CA certificate on your application or client before it can connect to the RDS instance. This section uses MySQL Workbench and Navicat as examples to describe how to configure an SSL CA certificate. For other applications or clients, see their own instructions.

Configure a certificate on MySQL Workbench.

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL CA certificate files.

Configure a certificate on Navicat.

  1. Start Navicat.
  2. Right-click the target database and select Edit Connection.
  3. Click the SSL tab and select the path of the SSL CA certificate file in the .pem format, as shown in the following figure.
  4. Click OK.
    Note If the "connection is being used" error is reported, the previous session is still connected. Restart Navicat.
  5. Double-click the target database to test whether the database is connected.

Update the validity period of an SSL CA certificate

Note
  • Update Validity causes the RDS instance to restart. Proceed with caution.
  • After you update the validity period, you must download and configure the SSL CA certificate again.
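Because the CA certificate is valid for only one year, it helps to know how long the certificates in the downloaded truststore remain valid before clients start failing. The following Java program is an added example, not code from the ApsaraDB documentation: it opens the JKS file with the documented password apsaradb and reports the days remaining on each certificate, exiting non-zero when any certificate expires within 30 days. The truststore path and the 30-day threshold are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;

// Added example: report the remaining validity of every CA certificate in the
// downloaded JKS truststore, so the validity period can be updated and the new
// files redeployed before encrypted clients are disconnected.
public class RdsCaExpiryCheck {
    // Returns the smallest number of days remaining across all certificates;
    // negative if one has already expired, Long.MAX_VALUE if the store is empty.
    public static long daysUntilEarliestExpiry(String jksPath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(jksPath)) {
            ks.load(in, password);
        }
        long minDays = Long.MAX_VALUE;
        Instant now = Instant.now();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) {
                continue; // skip non-X.509 entries
            }
            X509Certificate x509 = (X509Certificate) cert;
            long days = Duration.between(now, x509.getNotAfter().toInstant()).toDays();
            System.out.printf("%s: %s expires %s (%d days)%n",
                    alias, x509.getSubjectX500Principal(), x509.getNotAfter(), days);
            minDays = Math.min(minDays, days);
        }
        return minDays;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical path; the password "apsaradb" is the documented JKS password.
        String path = args.length > 0 ? args[0] : "/path/to/ca-chain.jks";
        long days = daysUntilEarliestExpiry(path, "apsaradb".toCharArray());
        if (days < 30) { // assumed warning threshold
            System.out.println("WARNING: update the certificate validity period and redeploy the new CA files");
            System.exit(1);
        }
    }
}
```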

Disable SSL encryption

Note
  • If you disable SSL encryption, the RDS instance restarts. To reduce the impact on your business, the system triggers a primary/secondary switchover. We recommend that you disable SSL encryption during off-peak hours.
  • After SSL encryption is disabled, database access is faster but less secure. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the ApsaraDB for RDS console.
  2. In the top navigation bar, select the region where the target RDS instance resides.
  3. Find the target RDS instance and click its ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the SSL Encryption tab.
  6. Turn off the switch next to Enabled. In the message that appears, click OK.

FAQ

If I do not update the expired SSL CA certificate of my RDS instance, will the instance malfunction or will its data security deteriorate?

If you do not update the SSL CA certificate after it expires, your RDS instance can still run and its data security does not deteriorate. However, the applications that use encrypted connections to communicate with your RDS instance are disconnected.