All Products
Search

This Product

    ApsaraDB RDS:ModifyDBInstanceSSL

    Document Center

    ApsaraDB RDS:ModifyDBInstanceSSL

    Last Updated:May 29, 2023

    Modifies the SSL encryption settings of an instance.

    Operation Description

    This operation is used to configure SSL encryption for an instance. For more information, see .

    Note

    • Before you call this operation, make sure that your instance is one of the following instances:

      • ApsaraDB RDS for MySQL instances that do not run RDS Basic Edition
      • ApsaraDB RDS for SQL Server instances
      • ApsaraDB RDS for PostgreSQL instances that use cloud disks

    • SSL encryption is not supported for the connections to the read/write splitting endpoint of an instance.

    Authorization information

    The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

    • Operation: the value that you can use in the Action element to specify the operation on a resource.
    • Access level: the access level of each operation. The levels are read, write, and list.
    • Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
      • The required resource types are displayed in bold characters.
      • If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
    • Condition Key: the condition key that is defined by the cloud service.
    • Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.
    OperationAccess levelResource typeCondition keyAssociated operation
    rds:ModifyDBInstanceSSLWRITE
    • RDS
      acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}
    • rds:ResourceTag
    		none

    Request parameters

    ParameterTypeRequiredDescriptionExample
    DBInstanceIdstringYes

    The ID of the instance.

    		rm-uf6wjk5xxxxxxx
    ConnectionStringstringYes

    The internal or public endpoint for which the server certificate needs to be created or updated.

    		rm-uf6wjk5xxxxx.mysql.rds.aliyuncs.com
    SSLEnabledintegerNo

    Specifies whether to enable or disable the SSL encryption feature. Valid values:

    • 1: enables the feature.
    • 0: disables the feature.
    		1
    CATypestringNo

    The type of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks. If you set SSLEnabled to 1, the default value of this parameter is aliyun. Valid values:

    • aliyun: a cloud certificate
    • custom: a custom certificate
    		aliyun
    ServerCertstringNo

    The content of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks. This parameter must be specified when CAType is set to custom.

    		-----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----
    ServerKeystringNo

    The private key of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks. This parameter must be specified when CAType is set to custom.

    		-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----
    ClientCAEnabledintegerNo

    Specifies whether to enable the public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with cloud disks. Valid values:

    • 1: enables the public key.
    • 0: disables the public key.
    		1
    ClientCACertstringNo

    The public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with cloud disks. This parameter must be specified when ClientCAEbabled is set to 1.

    		-----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----
    ClientCrlEnabledintegerNo

    Specifies whether to enable a certificate revocation list (CRL) that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with cloud disks. In addition, this parameter is available only when the public key of the CA that issues client certificates is enabled. Valid values:

    • 1: enables the CRL.
    • 0: disables the CRL.
    		1
    ClientCertRevocationListstringNo

    The CRL that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with cloud disks. This parameter must be specified when ClientCrlEnabled is set to 1.

    		-----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----
    ACLstringNo

    The method that is used to verify the identities of clients. This parameter is supported only when the instance runs PostgreSQL with cloud disks. In addition, this parameter is available only when the public key of the CA that issues client certificates is enabled. Valid values:

    • cert
    • perfer
    • verify-ca
    • verify-full (supported only when the instance runs PostgreSQL 12 or later)
    		cert
    ReplicationACLstringNo

    The method that is used to verify the replication permission. This parameter is supported only when the instance runs PostgreSQL with cloud disks. In addition, this parameter is available only when the public key of the CA that issues client certificates is enabled. Valid values:

    • cert
    • perfer
    • verify-ca
    • verify-full (supported only when the instance runs PostgreSQL 12 or later)
    		cert

    Response parameters

    ParameterTypeDescriptionExample
    object
    RequestIdstring

    The ID of the request.

    		777C4593-8053-427B-99E2-105593277CAB

    Examples

    Sample success responses

    JSONformat

    {
  "RequestId": "777C4593-8053-427B-99E2-105593277CAB"
}

    Error codes

    HTTP status codeError codeError messageDescription
    400InvalidServerCertOrPrivateKeySpecify server certificate or private key is invalid.The server certificate type or the private key is invalid.
    400InvalidClientCACertSpecify client ca certificate is invalid.The client CA certificate is invalid.
    400InvalidClientCrlSpecify client certificate revocation list is invalid.The client CRL is invalid.
    400InvalidCAType.NotFoundSpecify ca type is not found.The server certificate type is invalid.
    400InvalidACL.NotFoundSpecify acl is not found.The access control type is invalid.
    400InvalidSSLStatusSpecify ssl status is invalid.The operation failed. The setting of SSL encryption is invalid.
    400IncorrectDBSslStatusSpecified DB SSLStatus does not support this operation.The specified database SSL status is invalid.
    400InvalidModifyMode.FormatSpecified modify mode is not valid.-
    403InvalidClientCrl.PermissionClient ca certificate is set first if need to set client certificate revocation list.The operation failed due to permission errors. Configure the client CA certificate and try again.
    403InvalidACL.PermissionClient ca certificate is set first if need to set acl.The operation failed. Configure the client CA certificate and try again.

    For a list of error codes, visit the Service error codes.

    Change history

    Change timeSummary of changesOperation
    2022-06-23API Description Update,The error codes of the API operation change.
    Change itemChange content
    API DescriptionAPI Description Update
    Error CodesThe error codes of the API operation change.
      delete Error Codes: 400
      delete Error Codes: 403