Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance - ApsaraDB RDS

This topic describes how to configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance. SSL encryption is used to encrypt the connections from a database client to an RDS instance. This helps you protect the data that is transmitted over the connections.

Background information

SSL is a protocol that is developed to ensure secure communication and protect data. From SSL 3.0 onwards, SSL is renamed as TLS. In this topic, cloud certificates are used to describe how to configure SSL encryption.

Note ApsaraDB RDS for PostgreSQL supports TLS 1.0, TLS 1.1, and TLS 1.2.

The following table provides a comparison of the SSL encryption configurations and benefits among various certificates.


Item	Use a cloud certificate to enable SSL encryption	Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance	Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance
Method to obtain	Issued by Alibaba Cloud.	Issued by a certification authority (CA) or from a self-signed certificate.	Issued from a self-signed certificate.
Validity period	365 days.	Customized.	Customized.
Number of protected endpoints	1	1 or more.	Varies based on the cloud certificate or custom certificate that is used. The number of protected endpoints does not vary based on the CA certificate that is used.
Purpose	Used to enable SSL encryption and used by the database client to validate the RDS instance.	Used to enable SSL encryption and used by the database client to validate the RDS instance.	Used by the RDS instance to validate the database client.

Note

To enable SSL encryption, you must configure a cloud certificate or a custom certificate.
You can choose not to configure a client CA certificate, which is used by the RDS instance to validate the database client.

Prerequisites

The RDS instance runs PostgreSQL 10 or later with standard SSDs or enhanced SSDs (ESSDs).
The pgAdmin 4 client is downloaded. For more information, see pgAdmin 4.

Usage notes

After SSL encryption is enabled, the CPU utilization and the read and write latencies increase.
After SSL encryption is enabled, you must close the existing connection and establish a new connection to make SSL encryption take effect.
When you configure a cloud certificate, change the endpoint that is protected by the configured cloud certificate, or disable SSL encryption, the RDS instance restarts. The restart process requires about 3 minutes. We recommend that you perform these operations during off-peak hours.

Step 1: Use a cloud certificate to enable SSL encryption

Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
In the left-side navigation pane of the page that appears, click Data Security. On the page that appears, click the SSL Encryption tab.
Note If the SSL Encryption tab cannot be found, you must check whether the RDS instance meets the requirements that are described in Prerequisites.
On the tab that appears, select Cloud Certificate for Select Certificate Source and click Configuration to the right of Configure Database Certificate (to Prevent Database Disguise). In the dialog box that appears, select the endpoint that you want to protect.
Note
- If you have not applied for a public endpoint, the Select Protected Endpoint dialog box displays only the internal endpoint of the RDS instance. If you have applied for a public endpoint, this dialog box displays both the internal endpoint and public endpoint of the RDS instance. However, each cloud certificate can protect only one endpoint. The internal endpoint is more secure than the public endpoint. Therefore, we recommend that you protect the public endpoint. For more information about how to view the internal endpoint and the public endpoint, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.
- For more information about how to protect the internal endpoint and the public endpoint at the same time, see Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
- After a cloud certificate is configured, the status of the RDS instance changes from Running to Modifying SSL. After about 3 minutes, the status changes back to Running.

Step 2: Download the server CA certificate

After a cloud certificate is configured, the RDS instance provides a server CA certificate. When you connect to the RDS instance from the database client, the database client validates the RDS instance by using the server CA certificate.

Click Cloud Certificate. Then, click Download CA Certificate.
Decompress the file that you downloaded.
The downloaded file is a package that contains the following files:
- P7B file: contains the server CA certificate that can be imported into a Windows operating system.
- PEM file: contains the server CA certificate that can be imported into an operating system rather than Windows or an application that is not Windows-based.
- JKS file: contains the server CA certificate that is stored in a Java-supported truststore. You can use the file to import the CA certificate chain into a Java-based application. The default password is apsaradb.

Step 3: Connect to the RDS instance from the database client

In this example, pgAdmin is used to describe how to connect to the RDS instance over SSL connections.

You can connect to the RDS instance from the database client over SSL by using one of the following methods:

Note Before you connect to the RDS instance, you must make sure that you have configured IP address whitelists and created accounts on the instance. For more information, see Configure an IP address whitelist for an ApsaraDB RDS for PostgreSQL instance and Create a database and an account on an ApsaraDB RDS for PostgreSQL instance.

Start pgAdmin 4.
Note If this is the first time you log on to pgAdmin of a later version, you must specify a master password that is used to protect saved passwords and other credentials.
Right-click Servers and choose Register > Server.
On the General tab of the Create - Server dialog box, enter the name of the server on which pgAdmin is installed.

Click the Connection tab and enter the information that is used to connect to the RDS instance. Connection Information


Parameter	Description
Host name/address	Enter the endpoint and port of the RDS instance. If you want to connect to the RDS instance over an internal network, enter the internal endpoint and internal port of the RDS instance. If you want to connect to the RDS instance over the Internet, enter the public endpoint and public port of the RDS instance. You can view the preceding information on the Database Connection page of the RDS instance. For more information, see View and change the endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance.
Port
Username	Enter the username and password that are used to log on to the RDS instance. For more information about how to create an account for an RDS instance, see Create a database and an account on an ApsaraDB RDS for PostgreSQL instance.
Password

Click the SSL tab and configure the required parameters. The following table describes the parameters. SSLconfigure


Parameter	Description
SSL mode	For security purposes, we recommend that you set this parameter to Require, Verify-CA, or Verify-Full. The following list provides the meanings of the different values of the SSL mode parameter: Require: The database client encrypts the SSL connections that are used to transmit data. However, the database client does not validate the RDS instance. Verify-CA: The database client encrypts the SSL connections that are used to transmit data and validates the RDS instance. Verify-Full: The database client encrypts the SSL connections that are used to transmit data, validates the RDS instance, and checks whether the CN or Domain Name System (DNS) specified in the server CA certificate is consistent with the value of the Host name/address parameter that you set at connection establishments.
Root certificate	You must set this parameter if you set the SSL mode parameter to Verify-CA or Verify-Full. This parameter specifies the save path of the file that contains the server CA certificate. Note In this example, the file that contains the server CA certificate is downloaded from the SSL tab and then is decompressed to the D:\CA\aliyunCA\ path on your computer. You can change the path based on your business requirements. In pgAdmin, the file that contains the server CA certificate is in the PEM format.

Click Save.
If the information that you enter is correct, a page that is similar to the following figure appears, which indicates that the connection to the RDS instance is successful.
Important The postgres database is the default system database. Do not perform operations on the postgres database.