This topic describes how to configure Secure Sockets Layer (SSL) encryption on your ApsaraDB RDS for MySQL instance. You must enable SSL encryption on your RDS instance and install the SSL certificates issued by certificate authorities (CAs) on your application. SSL is used at the transport layer to encrypt network connections. This allows you to enhance the security and integrity of the transmitted data. However, SSL increases the response time.

Prerequisites

Your RDS instance runs one of the following MySQL versions and RDS editions:

  • MySQL 8.0 on RDS Enterprise Edition
  • MySQL 8.0 on RDS High-availability Edition
  • MySQL 5.7 on RDS Enterprise Edition
  • MySQL 5.7 on RDS High-availability Edition
  • MySQL 5.6

Background information

SSL was developed by Netscape to provide encrypted communication between a web server and a browser. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. However, the term "SSL encryption" is retained because it is more common in the communications industry. In this topic, SSL encryption refers to TLS encryption.
Note ApsaraDB for RDS supports TLS 1.0, 1.1, and 1.2.

For more information about how to configure SSL encryption on RDS instances that run other database engines, see the following topics:

Precautions

  • An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update its validity period. In addition, you must download the new SSL certificate file and configure the SSL certificate again. Otherwise, a client cannot connect to your RDS instance over an encrypted connection. For more information, see Update the validity period of an SSL certificate.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you want to encrypt the connections with the public endpoint of your RDS instance. In most cases, connections with the internal endpoint of your RDS instance are secure and do not require SSL encryption.
  • SSL encryption is not supported for the connections with the read/write splitting endpoint of your RDS instance.
  • If you disable SSL encryption, your RDS instance restarts. Proceed with caution.

Enable SSL encryption

  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
    [Figure: Select a region]
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the SSL Encryption tab.
  6. In the SSL Settings section, turn on SSL Encryption.
  7. In the dialog box that appears, select an endpoint and click OK.
    Note You can encrypt connections with either the internal or public endpoint based on your business requirements.
  8. Click Download CA Certificate to download the SSL certificate files in a compressed package.

    The compressed package contains the following files:

    • .p7b file: the CA certificate file that is used for a Windows operating system.
    • .PEM file: the CA certificate file that is used for an operating system or application that is not Windows-based.
    • .JKS file: the truststore certificate file that is used for Java. You can use this file to import the CA certificate chain to Java programs. The default password is apsaradb.
      Note When you use the .JKS file in JDK 7 or JDK 8, open the jre/lib/security/java.security file on the host where your application resides. Then, modify the following two default JDK security configuration items:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify these configuration items, the following error is reported (in most cases, errors of this kind are caused by the JDK security configuration):
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

Before your application or client can connect to your RDS instance, you must configure an SSL certificate on your application or client after you enable SSL encryption. In this topic, MySQL Workbench and Navicat are used as examples. If you are using other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the required SSL certificate file.

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database to which you want to connect, and select Edit Connection.
  3. Click the SSL tab and select the path of the .pem SSL certificate file, as shown in the following figure.
  4. Click OK.
    Note If the "connection is being used" error is reported, the previous session is still connected. In this case, restart Navicat.
  5. Double-click the database to check whether it can be connected.
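For a Java application, the .JKS truststore from the downloaded package is used instead of a GUI client. The following program is an added example and not code from the original topic or from ApsaraDB: it loads the .JKS file with the default password, reports how many days remain before the earliest CA certificate in it expires (so an expiring certificate is noticed before clients are disconnected), and then opens a MySQL Connector/J connection that requires TLS and verifies the server certificate against that truststore. The file path, endpoint, database, user, and password are placeholders; the TLSv1.2 setting reflects the highest version this topic lists.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.Properties;
public class RdsSslConnect {
    // Placeholders (assumptions): path of the .JKS file from the downloaded package and your RDS endpoint.
    static final String TRUSTSTORE_PATH = "/path/to/ApsaraDB-CA-Chain.jks";
    static final String TRUSTSTORE_PASSWORD = "apsaradb"; // default .JKS password given in this topic
    static final String JDBC_URL = "jdbc:mysql://<rds-endpoint>:3306/<database>";
    // Loads the truststore and returns the days before its earliest CA certificate expires; throws if one already has.
    static long daysUntilEarliestExpiry(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        long earliest = Long.MAX_VALUE;
        for (String alias : Collections.list(ks.aliases())) {
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            cert.checkValidity(); // CertificateExpiredException once the one-year validity has lapsed
            long days = Duration.between(Instant.now(), cert.getNotAfter().toInstant()).toDays();
            earliest = Math.min(earliest, days);
        }
        return earliest;
    }
    // Connector/J properties that require TLS and validate the server certificate against the CA chain.
    static Properties sslProperties(String user, String password) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", password);
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");              // never fall back to a plaintext connection
        p.setProperty("verifyServerCertificate", "true"); // reject a server not signed by the trusted CA chain
        p.setProperty("trustCertificateKeyStoreUrl", "file:" + TRUSTSTORE_PATH);
        p.setProperty("trustCertificateKeyStorePassword", TRUSTSTORE_PASSWORD);
        p.setProperty("enabledTLSProtocols", "TLSv1.2"); // highest TLS version this topic lists as supported
        return p;
    }
    public static void main(String[] args) throws Exception {
        long days = daysUntilEarliestExpiry(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        if (days < 30) System.err.println("CA certificate expires in " + days + " days: update its validity period and redeploy the new .JKS file");
        try (Connection conn = DriverManager.getConnection(JDBC_URL, sslProperties("<user>", "<password>"))) {
            System.out.println("Connected over TLS, connection valid: " + conn.isValid(5));
        }
    }
}
```

If the handshake fails with the DHPublicKey error described in the note above, the cause is the JDK security configuration in jre/lib/security/java.security rather than these connection properties.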

Update the validity period of an SSL certificate

Note
  • The Update Validity operation causes your RDS instance to restart. Proceed with caution.
  • After you perform the Update Validity operation, you must download the required SSL certificate file and configure the SSL certificate again.
[Figure: Update Validity]

Disable SSL encryption

Note
  • If you disable SSL encryption, your RDS instance restarts. To reduce the impact on your workloads, the system triggers a primary/secondary switchover. We recommend that you disable SSL encryption during off-peak hours.
  • After you disable SSL encryption, the access performance of your RDS instance increases. However, the security of your RDS instance decreases. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the ApsaraDB for RDS console.
  2. In the left-side navigation pane, click Instances. In the top navigation bar, select the region where the target RDS instance resides.
    [Figure: Select a region]
  3. Find the target instance and click the instance ID.
  4. In the left-side navigation pane, click Data Security.
  5. Click the SSL Encryption tab.
  6. Turn off the switch next to Enabled. In the message that appears, click OK.

FAQ

If I do not update the validity period of the expired SSL certificate, will my RDS instance malfunction or its data security deteriorate?

If you do not update the validity period of the expired SSL certificate, your RDS instance can still run and its data security does not deteriorate. However, the applications that communicate with your RDS instance over encrypted connections are disconnected.