This topic describes how to configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance. SSL encryption is used to encrypt the connections from a database client to an RDS instance. This helps you protect the data that is transmitted over the connections.
Background information
SSL is a protocol that was developed to secure communication and protect data. Since SSL 3.0, the protocol has been renamed TLS. In this topic, a cloud certificate is used to describe how to configure SSL encryption.
Item | Use a cloud certificate to enable SSL encryption | Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance | Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance |
---|---|---|---|
How to obtain | Issued by Alibaba Cloud. | Issued by a certification authority (CA) or from a self-signed certificate. | Issued from a self-signed certificate. |
Validity period | 365 days. | Customized. | Customized. |
Number of protected endpoints | 1. | 1 or more. | Varies based on the cloud or custom certificate that is used. The number of protected endpoints does not vary based on the CA certificate that is used. |
Purpose | Used to enable SSL encryption and used by the database client to validate the RDS instance. | Used to enable SSL encryption and used by the database client to validate the RDS instance. | Used by the RDS instance to validate the database client. |
- To enable SSL encryption, you must configure a cloud certificate or a custom certificate.
- You can choose not to configure a client CA certificate, which is used by the RDS instance to validate the database client.
Prerequisites
- The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).
- The pgAdmin 4 client is downloaded. For more information, see pgAdmin 4.
- The RDS instance does not use a new general-purpose instance type.
Note: The new general-purpose instance types provide better scalability and performance and reduce the time to create an RDS instance or change the specifications of an RDS instance. The new general-purpose instance types do not support SSL encryption. For more information, see Primary ApsaraDB RDS for PostgreSQL instance types.
Precautions
- After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.
- After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.
- When you configure a cloud certificate, change the endpoint that is protected by the configured cloud certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.
Step 1: Use a cloud certificate to enable SSL encryption
Step 2: Download the server CA certificate
After a cloud certificate is configured, the RDS instance provides a server CA certificate. When you connect to the RDS instance from the database client, the database client validates the RDS instance by using the server CA certificate.
Step 3: Connect to the RDS instance from the database client
In this example, pgAdmin is used to describe how to connect to the RDS instance over SSL.
- Start pgAdmin 4.
Note: If you use a pgAdmin version later than version 4 and you use pgAdmin for the first time, you must specify a master password to protect your saved logon credentials, such as passwords.
- Right-click Servers and choose .
- On the General tab of the Create - Server dialog box, enter the name of the server on which pgAdmin is installed.
- Click the Connection tab and enter the information that is used to connect to the RDS instance.
Parameter | Description |
---|---|
Hostname/address | Enter the endpoint of the RDS instance. If you want to connect to the RDS instance over an internal network, enter the internal endpoint of the RDS instance. If you want to connect to the RDS instance over the Internet, enter the public endpoint of the RDS instance. For more information, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance. |
Port | Enter the port number that is associated with the specified endpoint. |
Username | Enter the username of the account that is used to log on to the RDS instance. For more information about how to create an account for an RDS instance, see Create a database and an account on an ApsaraDB RDS for PostgreSQL instance. |
Password | Enter the password of the account that is used to log on to the RDS instance. |
- Click the SSL tab and configure the required parameters. The following table describes the parameters.
Parameter | Description |
---|---|
SSL mode | For security purposes, we recommend that you set this parameter to Require, Verify-CA, or Verify-Full. The values of this parameter are described in the list that follows this table. |
Root certificate | If you set the SSL mode parameter to Verify-CA or Verify-Full, you must set this parameter to the path of the file that contains the server CA certificate. See the notes that follow this table. |
The values of the SSL mode parameter have the following meanings:
- Require: The database client encrypts the SSL connections that are used to transmit data. However, the database client does not validate the RDS instance.
- Verify-CA: The database client encrypts the SSL connections that are used to transmit data and validates the RDS instance.
- Verify-Full: The database client encrypts the SSL connections that are used to transmit data, validates the RDS instance, and checks whether the CN or DNS name specified in the server CA certificate matches the value of the Host name/address parameter that you set when the connection is established.
Note:
- In this example, the file that contains the server CA certificate is downloaded from the SSL tab and then decompressed to the D:\CA\aliyunCA\ path on your computer. You can change the path based on your business requirements.
- In pgAdmin, the file that contains the server CA certificate must be in the PEM format.
- Click Save.
If the information that you enter is correct, the page that is shown in the following figure appears, which indicates that the connection to the RDS instance is successful.
Notice: The postgres database is a default system database. Do not perform operations on this database.
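The SSL mode and Root certificate settings on pgAdmin's SSL tab map directly onto libpq's sslmode and sslrootcert parameters, which psql and most PostgreSQL drivers also use. The following Python helper is an added example, not part of the ApsaraDB documentation or of pgAdmin: it builds such a connection string, refuses the SSL modes the topic advises against, and requires a PEM server CA file for the two validating modes; the endpoint, account and certificate file name are constructed placeholders.

```python
"""Mirror pgAdmin's Connection and SSL tabs as a libpq connection string.

Added example, not part of the ApsaraDB documentation; the endpoint, account
and certificate path used with it are constructed placeholders.
"""

# The topic recommends Require, Verify-CA or Verify-Full; weaker libpq modes
# (disable, allow, prefer) can end up on an unencrypted connection.
ALLOWED_MODES = ("require", "verify-ca", "verify-full")
# Only these two modes validate the RDS instance against the server CA file.
VALIDATING_MODES = ("verify-ca", "verify-full")


def quote_libpq(value):
    """Quote one value for a libpq key=value string: \\ and ' are escaped."""
    escaped = str(value).replace("\\", "\\\\").replace("'", "\\'")
    return f"'{escaped}'"


def check_root_cert_pem(pem_text):
    """Accept only a PEM certificate, the format pgAdmin expects for Root certificate."""
    body = pem_text.strip()
    if not (body.startswith("-----BEGIN CERTIFICATE-----")
            and body.endswith("-----END CERTIFICATE-----")):
        raise ValueError("root certificate is not a PEM-encoded certificate")
    return True


def build_dsn(host, port, user, password, dbname, sslmode, sslrootcert=None):
    """Return a libpq DSN, enforcing the SSL policy described in the topic."""
    if sslmode not in ALLOWED_MODES:
        raise ValueError(f"sslmode={sslmode!r} does not guarantee encryption")
    params = [("host", host), ("port", port), ("user", user),
              ("password", password), ("dbname", dbname), ("sslmode", sslmode)]
    if sslmode in VALIDATING_MODES:
        if not sslrootcert:
            raise ValueError(f"sslmode={sslmode} needs the server CA file (sslrootcert)")
        # The downloaded CA file (D:\CA\aliyunCA\ in the topic) must be PEM.
        with open(sslrootcert, encoding="ascii") as f:
            check_root_cert_pem(f.read())
        params.append(("sslrootcert", sslrootcert))
    # With verify-full, libpq also matches `host` against the CN or DNS name in
    # the server certificate, so pass the endpoint by name, not by IP address.
    return " ".join(f"{k}={quote_libpq(v)}" for k, v in params)
```

The returned string can be passed unchanged to `psql "<dsn>"` or to a driver such as psycopg2.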