
AnalyticDB: SSL encryption

Last Updated: Oct 27, 2025

To improve connection security, you can enable Secure Sockets Layer (SSL) encryption and install a Certificate Authority (CA) certificate for your applications. SSL encrypts network connections at the transport layer to enhance data security and integrity. This prevents data from being monitored, intercepted, or tampered with by third parties. However, SSL encryption increases network connection response times. This topic describes how to enable and disable SSL encryption.

Important

This feature is in beta. The console interface and API operations are not yet stable and may change.

Prerequisites

The AnalyticDB for MySQL cluster runs kernel version 3.2.1.0 or later.

Note

To view and update the minor version of an AnalyticDB for MySQL cluster, log on to the AnalyticDB for MySQL console and go to the Configuration Information section of the Cluster Information page.

Background information

SSL was developed by Netscape to allow encrypted communications between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). However, the term "SSL encryption" is still commonly used. In this topic, SSL encryption refers to TLS encryption.

Note

We recommend that you use the TLS 1.2 protocol for secure communication with AnalyticDB for MySQL.

Usage notes

  • An SSL certificate is valid for one year. You must renew the certificate before it expires. Otherwise, client applications that use encrypted connections will fail to connect.

  • Enabling SSL encryption increases CPU utilization. Enable this feature only if necessary.

  • Enabling or disabling SSL encryption, or updating a certificate, restarts the Controller node. This causes transient connection errors. Perform these operations during off-peak hours and ensure that your application has a reconnection mechanism.

Enable SSL encryption

  1. Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. Find the cluster that you want to manage and click the cluster ID.

  2. Navigate to the SSL configuration page.

    • Enterprise Edition, Basic Edition, and Data Lakehouse Edition: In the navigation pane on the left, click Cluster Settings.

    • Data Warehouse Edition: In the navigation pane on the left, click Data Security.

  3. On the SSL Settings tab, turn on the SSL Status switch.

  4. In the Configure SSL Encryption dialog box, select the endpoint to protect and click OK.

    Important
    • AnalyticDB for MySQL supports encryption for internal and public endpoints. However, you can encrypt only one endpoint per cluster. After you enable SSL encryption, you can click Set SSL to change the encrypted endpoint. This change automatically updates the certificate and restarts the Controller node.

    • To encrypt a public endpoint, you must first enable a public endpoint for the cluster. Otherwise, the public endpoint cannot be encrypted.

  5. After SSL Encryption is enabled, click Download Certificate.

    The downloaded file is a compressed package that contains the following files:

    • .p7b file: Used to import the CA certificate on Windows systems.

    • .pem file: Used to import the CA certificate on other systems or for other applications.

    • .jks file: A TrustStore certificate file for Java. The password is `apsaradb`. Use this file to import the CA certificate chain into Java applications.

      When you use the JKS file in Java, you must modify the default security configurations for JDK 7 and JDK 8. On the host where the application runs, modify the following two configurations in the `jre/lib/security/java.security` file:

      ```
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      ```

      If you do not modify the JDK security configuration, the following error is reported. Other similar errors are also typically caused by Java security configurations.

      ```
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
      ```
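To see what a given `java.security` value accepts before and after the edit in step 5, the following added example (not part of the original documentation or of any Alibaba Cloud tooling) parses the `disabledAlgorithms` properties and reports which key sizes each value rejects. The function names and both sample fragments are constructed for illustration, and the parser goes slightly beyond the page by handling every `keySize` comparison operator, not only `<`.

```python
import operator
import re

# Constructed java.security fragments (not copied from any JDK release):
# a stricter value wrapped with a trailing backslash, and this page's value.
STRICT_SAMPLE = """\
# constructed sample
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, \\
    DH keySize < 1024, EC keySize < 224
"""
PAGE_VALUE = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
"""
OPS = {"<": operator.lt, "<=": operator.le, "==": operator.eq,
       "!=": operator.ne, ">=": operator.ge, ">": operator.gt}
KEYSIZE = re.compile(r"^(\w+)\s+keySize\s*(<=|>=|==|!=|<|>)\s*(\d+)")

def load_properties(text):
    """Parse properties text: '#'/'!' comments, key=value, '\\' continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):          # value continues on the next line
            pending += line[:-1]
            continue
        key, _, value = (pending + line).partition("=")
        props[key.strip()] = value.strip()
        pending = ""
    return props

def key_size_limits(props, prop="jdk.tls.disabledAlgorithms"):
    """Return {algorithm: (operator, bits)} for every 'ALG keySize OP N' entry."""
    limits = {}
    for entry in props.get(prop, "").split(","):
        m = KEYSIZE.search(entry.strip())
        if m:
            limits[m.group(1)] = (m.group(2), int(m.group(3)))
    return limits

def is_disabled(props, algorithm, bits, prop="jdk.tls.disabledAlgorithms"):
    """True when a key of `bits` bits for `algorithm` is rejected."""
    limit = key_size_limits(props, prop).get(algorithm)
    return bool(limit) and OPS[limit[0]](bits, limit[1])

if __name__ == "__main__":
    for name, text in (("strict sample", STRICT_SAMPLE), ("page value", PAGE_VALUE)):
        props = load_properties(text)
        for bits in (512, 768, 2048):
            state = "rejected" if is_disabled(props, "DH", bits) else "accepted"
            print(f"{name}: DH {bits}-bit server key {state}")
```

Because `java.security` is read by every application that runs on that JRE, the value from step 5 applies to all of their TLS connections, not only the one to AnalyticDB for MySQL.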

Update the validity period of an SSL certificate

  1. Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. Find the cluster that you want to manage and click the cluster ID.

  2. Navigate to the SSL configuration page.

    • Enterprise Edition, Basic Edition, and Data Lakehouse Edition: In the navigation pane on the left, click Cluster Settings.

    • Data Warehouse Edition: In the navigation pane on the left, click Data Security.

  3. On the SSL Settings tab, click Update Validity Period.

Disable SSL encryption

  1. Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. Find the cluster that you want to manage and click the cluster ID.

  2. Navigate to the SSL configuration page.

    • Enterprise Edition, Basic Edition, and Data Lakehouse Edition: In the navigation pane on the left, click Cluster Settings.

    • Data Warehouse Edition: In the navigation pane on the left, click Data Security.

  3. On the SSL Settings tab, turn off the SSL Status switch.

  4. In the Disable SSL dialog box, click OK.

Related API operations

| API | Description |
| --- | --- |
| ModifyDBClusterSSL | Enables or disables SSL encryption for a Data Warehouse Edition cluster. |
| DescribeDBClusterSSL | Queries the SSL configuration of a Data Warehouse Edition cluster. |