Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance - RDS PostgreSQL Database| Alibaba Cloud Documentation Center

Background information

SSL is a protocol that is developed to ensure secure communication and protect data. From SSL 3.0 onwards, SSL is renamed as TLS. In this topic, cloud certificates are used to describe how to configure SSL encryption.

Note ApsaraDB RDS for PostgreSQL supports TLS 1.0, TLS 1.1, and TLS 1.2.

The following table provides a comparison of the SSL encryption configurations and benefits among various certificates.


Item	Use a cloud certificate to enable SSL encryption	Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance	Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance
How to obtain	Issued by Alibaba Cloud.	Issued by a certification authority (CA) or from a self-signed certificate.	Issued from a self-signed certificate.
Validity period	365 days.	Customized.	Customized.
Number of protected endpoints	1.	1 or more.	Varies based on the cloud or custom certificate that is used. The number of protected endpoints does not vary based on the CA certificate that is used.
Purpose	Used to enable SSL encryption and used by the database client to validate the RDS instance.	Used to enable SSL encryption and used by the database client to validate the RDS instance.	Used by the RDS instance to validate the database client.

Note

To enable SSL encryption, you must configure a cloud certificate or a custom certificate.
You can choose not to configure a client CA certificate, which is used by the RDS instance to validate the database client.

Prerequisites

The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).
The pgAdmin 4 client is downloaded. For more information, see pgAdmin 4.
The RDS instance does not use a new general-purpose instance type.

Note The new general-purpose instance types provide better scalability and performance and reduce the time to create an RDS instance or change the specifications of an RDS instance. The new general-purpose instance types do not support SSL encryption. For more information, see Primary ApsaraDB RDS for PostgreSQL instance types.

Precautions

After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.
After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.
When you configure a cloud certificate, change the endpoint that is protected by the configured cloud certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Use a cloud certificate to enable SSL encryption

Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
Log on to the ApsaraDB RDS console. Find the RDS instance and click the ID of the instance. In the left-side navigation pane, click Data Security. On the page that appears, click the SSL Encryption tab.

Note If the SSL Encryption tab cannot be found, you must check that the RDS instance meets the requirements that are stated in Prerequisites.
On the tab that appears, select Cloud Certificate for Select Certificate Source and click Configuration to the right of Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, select the endpoint that you want to protect.
Note
- If you have not applied for a public endpoint, the Select Protected Endpoint dialog box displays only the internal endpoint of the RDS instance. If you have applied for a public endpoint, this dialog box displays both the internal endpoint and public endpoint of the RDS instance. However, each cloud certificate can protect only one endpoint. The internal endpoint is more secure than the public endpoint. Therefore, we recommend that you protect the public endpoint. For more information about how to view the internal endpoint and the public endpoint, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.
- For more information about how to protect the internal endpoint and the public endpoint at the same time, see Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
- After a cloud certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.

Step 2: Download the server CA certificate

After a cloud certificate is configured, the RDS instance provides a server CA certificate. When you connect to the RDS instance from the database client, the database client validates the RDS instance by using the server CA certificate.

Click Cloud Certificate. Then, click Download CA Certificate.
Decompress the file that you downloaded.
The file that you downloaded is a package, which contains the following three files:
- P7B file: contains the server CA certificate that can be imported into a Windows operating system.
- PEM file: contains the server CA certificate that can be imported into an operating system rather than Windows or an application that is not Windows-based.
- JKS file: contains the server CA certificate that is stored in a Java-supported truststore. You can use the file to import the CA certificate chain into a Java-based application. The default password is apsaradb.

Step 3: Connect to the RDS instance from the database client

In this example, pgAdmin is used to describe how to connect to the RDS instance over SSL.

You can connect to the RDS instance from the database client over SSL by using one of the following methods:

Note Before you connect to the RDS instance, you must make sure that you have configured IP address whitelists and created accounts on the instance. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance and Create a database and an account on an ApsaraDB RDS for PostgreSQL instance.

Start pgAdmin 4.

Note If you use pgAdmin that is in a later version than version 4 and you use pgAdmin for the first time, you must specify a master password to protect your saved logon credentials such as passwords.
Right-click Servers and choose Create > Server....
On the General tab of the Create - Server dialog box, enter the name of the server on which pgAdmin is installed.

Click the Connection tab and enter the information that is used to connect to the RDS instance.


Parameter	Description
Hostname/address	Enter the endpoint of the RDS instance. If you want to connect to the RDS instance over an internal network, enter the internal endpoint of the RDS instance. If you want to connect to the RDS instance over the Internet, enter the public endpoint of the RDS instance. For more information, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.
Port	Enter the port number that is associated with the specified endpoint.
Username	Enter the username of the account that is used to log on to the RDS instance. For more information about how to create an account for an RDS instance, see Create a database and an account on an ApsaraDB RDS for PostgreSQL instance.
Password	Enter the password of the account that is used to log on to the RDS instance.

Click the SSL tab and configure the required parameters. The following table describes the parameters. SSL configure


Parameter	Description
SSL mode	For security purposes, we recommend that you set this parameter to Require, Verify-CA, or Verify-Full. The following list provides the meanings of the different values of the SSL mode parameter: Require: The database client encrypts the SSL connections that are used to transmit data. However, the database client does not validate the RDS instance. Verify-CA: The database client encrypts the SSL connections that are used to transmit data and validates the RDS instance. Verify-Full: The database client encrypts the SSL connections that are used to transmit data, validates the RDS instance, and checks whether the CN or Domain Name System (DNS) specified in the server CA certificate is consistent with the value of the Host name/address parameter that you set at connection establishments.
Root certificate	If you set the SSL mode parameter to Verify-CA or Verify-Full, you must set the Root certificate parameter to the save path of the file that contains the server CA certificate. Note In this example, the file that contains the server CA certificate is downloaded from the SSL tab and then is decompressed to the D:\CA\aliyunCA\ path on your computer. You can change the path based on your business requirements. In pgAdmin, the file that contains the server CA certificate is in the PEM format.

Click Save.
If the information that you enter is correct, the page that is shown in the following figure appears, which indicates that the connection to the RDS instance is successful.

Notice The postgres database is a default system database. Do not perform operations on this database.