This feature is in beta. The console interface and API operations are subject to change and may not yet be stable.
SSL encryption secures network connections at the transport layer, protecting data in transit from interception and tampering. This topic describes how to enable SSL encryption on your AnalyticDB for MySQL cluster, download the CA certificate, renew the certificate before it expires, and disable encryption.
In this topic, SSL encryption refers to TLS encryption. The term "SSL" remains widely used even though the Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS).
Prerequisites
Before you begin, ensure that you have:
An AnalyticDB for MySQL cluster running kernel version 3.2.1.0 or later
To check or update the kernel version, go to the Configuration Information section of the Cluster Information page in the AnalyticDB for MySQL console. For instructions, see Update the minor version of a cluster.
Usage notes
Certificate expiry: SSL certificates are valid for one year. Renew the certificate before it expires — expired certificates cause client connections to fail.
Performance impact: SSL encryption increases CPU utilization. Enable it only when connection security is a requirement.
Controller node restart: Enabling SSL, disabling SSL, or updating a certificate restarts the Controller node and causes transient connection errors. Perform these operations during off-peak hours and make sure your application has a reconnection mechanism.
One endpoint per cluster: You can encrypt either the internal endpoint or the public endpoint, but not both simultaneously.
Enable SSL encryption
Log on to the AnalyticDB for MySQL console. In the upper-left corner, select a region. In the left-side navigation pane, click Clusters, then click the cluster ID.
Navigate to the SSL configuration page based on your edition:
| Edition | Navigation path |
|---|---|
| Enterprise Edition, Basic Edition, Data Lakehouse Edition | Left pane → Cluster Settings |
| Data Warehouse Edition | Left pane → Data Security |
On the SSL Settings tab, turn on the SSL Status switch.
In the Configure SSL Encryption dialog box, select the endpoint to protect — internal or public — then click OK.
Important: To encrypt a public endpoint, first enable a public endpoint for the cluster. After SSL is enabled, click Configure SSL Encryption again to change the encrypted endpoint. Changing the endpoint automatically updates the certificate and restarts the Controller node.
Click Download Certificate.
The downloaded compressed package contains three certificate files:
| File | Use |
|---|---|
| .p7b | Import the CA certificate on Windows |
| .pem | Import the CA certificate on other systems or in other applications |
| .jks | TrustStore certificate for Java applications; the password is apsaradb |
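The file table says which certificate a Java client should trust but not how the client enforces that trust. The following added example (not code from the AnalyticDB for MySQL documentation or the product) opens a JDBC connection through MySQL Connector/J 8.x, assumed to be on the classpath, with TLS made mandatory and the server certificate checked against the downloaded .jks TrustStore. The endpoint, port, database, account and TrustStore path are placeholders; sslMode and the trustCertificateKeyStore* settings are Connector/J connection properties, and the TrustStore password is the apsaradb value from the table.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

// Added example, not from the AnalyticDB for MySQL documentation.
// Connects with MySQL Connector/J 8.x (assumed to be on the classpath), requiring
// TLS and verifying the server certificate against the downloaded .jks TrustStore.
public class SslJdbcExample {

    // Placeholders (not real values): replace with the encrypted endpoint of your
    // cluster, the database name and a database account.
    static final String ENDPOINT = "<cluster-endpoint>";
    static final int PORT = 3306; // assumed default; use the port shown in the console
    static final String DATABASE = "<database>";
    static final String USER = "<user>";
    static final String PASSWORD = "<password>";
    // Path to the .jks file extracted from the downloaded certificate package.
    static final String TRUSTSTORE_PATH = "/path/to/downloaded-ca.jks";

    // Connection properties that make the driver refuse plaintext and refuse any
    // server certificate that does not chain to a CA in the TrustStore.
    static Properties sslProperties(String truststorePath) {
        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", PASSWORD);
        // VERIFY_CA: TLS is mandatory and the server certificate must validate.
        // VERIFY_IDENTITY additionally checks that the certificate's name matches
        // the host you connect to; use it if the cluster certificate carries that name.
        props.setProperty("sslMode", "VERIFY_CA");
        props.setProperty("trustCertificateKeyStoreUrl", "file:" + truststorePath);
        props.setProperty("trustCertificateKeyStoreType", "JKS");
        // TrustStore password given in the documentation's file table.
        props.setProperty("trustCertificateKeyStorePassword", "apsaradb");
        return props;
    }

    static Connection connect() throws SQLException {
        String url = "jdbc:mysql://" + ENDPOINT + ":" + PORT + "/" + DATABASE;
        return DriverManager.getConnection(url, sslProperties(TRUSTSTORE_PATH));
    }

    public static void main(String[] args) {
        try (Connection conn = connect();
             Statement stmt = conn.createStatement();
             ResultSet rs = stmt.executeQuery("SELECT 1")) {
            if (rs.next()) {
                System.out.println("Connected over TLS with a verified server certificate.");
            }
        } catch (SQLException e) {
            // A handshake failure (expired or untrusted certificate, or a server
            // that will not negotiate TLS) surfaces here as a SQLException whose
            // cause is an SSLHandshakeException; the connection never opens.
            System.err.println("Connection failed: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

The same properties can be appended to the JDBC URL as query parameters instead of being passed in a Properties object. On Connector/J versions before 8.0.13, which lack sslMode, the equivalent is useSSL=true, requireSSL=true and verifyServerCertificate=true together with the same trustCertificateKeyStore* settings. The point of VERIFY_CA is that it fails closed: a client that connects successfully without any TrustStore configured is not verifying who it is talking to, and an expired cluster certificate will be reported as a handshake failure rather than silently accepted, which is why the renewal step below matters.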
Configure JDK security settings (JDK 7 and JDK 8 only)
When using the .jks file in Java, modify two settings in jre/lib/security/java.security on the host running your application:
```
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
```
Without these changes, the JDK security manager rejects the certificate and throws:
```
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
```
Update the validity period of an SSL certificate
Renew the certificate before it expires to prevent connection failures.
Log on to the AnalyticDB for MySQL console. Select a region, click Clusters, then click the cluster ID.
Navigate to the SSL configuration page:
| Edition | Navigation path |
|---|---|
| Enterprise Edition, Basic Edition, Data Lakehouse Edition | Left pane → Cluster Settings |
| Data Warehouse Edition | Left pane → Data Security |
On the SSL Settings tab, click Update Validity Period.
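Because certificates are valid for one year and an expired one makes every verifying client fail, it helps to know the expiry date from the file you actually deployed rather than from memory. The following added example (not from the AnalyticDB for MySQL documentation) reads the downloaded .pem, .p7b or .jks file with only JDK standard-library classes and reports how many days of validity remain for each certificate, exiting with a non-zero status when renewal is due. The 30-day warning threshold is a constructed default; the .jks password is the apsaradb value from the file table.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

// Added example, not from the AnalyticDB for MySQL documentation: reads the
// downloaded CA certificate (.pem, .p7b or .jks) with the JDK's own classes and
// reports how many days remain before each certificate expires, so the renewal
// in the console can be scheduled before clients start failing.
public class CertExpiryCheck {

    // Remaining validity (days) below which a certificate is flagged for renewal.
    // Constructed default, not a value from the documentation.
    static final int DEFAULT_WARN_DAYS = 30;

    // .pem and .p7b: the X.509 CertificateFactory parses PEM/DER certificates
    // as well as PKCS#7 bundles, returning every certificate in the file.
    static List<X509Certificate> loadCertificateFile(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // .jks: open the TrustStore with its password and collect every certificate entry.
    static List<X509Certificate> loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    // Whole days between now and notAfter; negative once the certificate has expired.
    static long daysUntilExpiry(X509Certificate cert, Instant now) {
        return Duration.between(now, cert.getNotAfter().toInstant()).toDays();
    }

    // Prints one line per certificate and returns how many are expired or within warnDays.
    static int report(List<X509Certificate> certs, Instant now, int warnDays) {
        int needsRenewal = 0;
        for (X509Certificate cert : certs) {
            long days = daysUntilExpiry(cert, now);
            String state = days < 0 ? "EXPIRED" : (days <= warnDays ? "RENEW SOON" : "OK");
            if (!state.equals("OK")) {
                needsRenewal++;
            }
            System.out.printf("%-11s %5d days  notAfter=%s  subject=%s%n",
                    state, days, cert.getNotAfter().toInstant(), cert.getSubjectX500Principal());
        }
        return needsRenewal;
    }

    // Usage: java CertExpiryCheck <file.pem|file.p7b|file.jks> [warnDays]
    // Exit status 2 means at least one certificate is expired or about to expire.
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CertExpiryCheck <file.pem|file.p7b|file.jks> [warnDays]");
            System.exit(64);
        }
        int warnDays = args.length > 1 ? Integer.parseInt(args[1]) : DEFAULT_WARN_DAYS;
        List<X509Certificate> certs = args[0].endsWith(".jks")
                ? loadTrustStore(args[0], "apsaradb".toCharArray()) // password from the file table
                : loadCertificateFile(args[0]);
        int needsRenewal = report(certs, Instant.now(), warnDays);
        System.exit(needsRenewal > 0 ? 2 : 0);
    }
}
```

Run it against the file your application trusts, for example the .jks referenced by the JDBC TrustStore settings, from a scheduled job; a status of 2 is the signal to click Update Validity Period during an off-peak window and redistribute the new certificate package to every client, since the Controller node restart that follows will drop existing connections.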
Disable SSL encryption
Log on to the AnalyticDB for MySQL console. Select a region, click Clusters, then click the cluster ID.
Navigate to the SSL configuration page:
| Edition | Navigation path |
|---|---|
| Enterprise Edition, Basic Edition, Data Lakehouse Edition | Left pane → Cluster Settings |
| Data Warehouse Edition | Left pane → Data Security |
On the SSL Settings tab, turn off the SSL Status switch.
In the Disable SSL Encryption dialog box, click OK.
API reference
| API | Description |
|---|---|
| ModifyDBClusterSSL | Enables or disables SSL encryption for a Data Warehouse Edition cluster |
| DescribeDBClusterSSL | Queries the SSL configuration of a Data Warehouse Edition cluster |