This topic describes how to make data transmission for an ApsaraDB RDS for MySQL instance more secure by configuring SSL encryption. You must enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) in the required applications. SSL encrypts the network connections at the transport layer between your RDS instance and your application. This enhances the security and integrity of data in transit but increases the response time.

Prerequisites

  • The RDS instance runs MySQL 8.0, MySQL 5.7, or MySQL 5.6 on RDS High-availability Edition.
  • The RDS instance runs MySQL 8.0 or MySQL 5.7 on RDS Cluster Edition.
  • The RDS instance runs MySQL 8.0, MySQL 5.7, or MySQL 5.6 on RDS Enterprise Edition.
Note
  • You can go to the Basic Information page of the RDS instance to view the preceding information.
  • This feature is not supported for RDS instances that run RDS Basic Edition.

Background information

SSL is developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). The term "SSL encryption" is still used in the industry. In this topic, SSL encryption refers to TLS encryption.
Note ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.

For more information about how to configure SSL encryption for an RDS instance that runs a different database engine, see the following topics:

Usage notes

  • An SSL certificate remains valid for one year. If an SSL certificate is about to expire, Alibaba Cloud notifies you by email and internal message and automatically renews the SSL certificate within a specific period of time. You can view internal messages on the Event Center page. The renewal of an SSL certificate causes transient connections on your RDS instance. You can customize the time to renew the SSL certificate in the Schedule Event dialog box. For more information, see Manage scheduled events.
    Note SSL certificates are signed by using the private key of a root certificate. The automatic renewal of an SSL certificate is to sign the SSL certificate by using the private key of the root certificate. After the SSL certificate is automatically renewed, the client that connects to your database over encrypted connections can connect to the database without the need to download the SSL certificate file or configure the SSL certificate again.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the connections to the public endpoint of your RDS instance. In most cases, connections that are established to the internal endpoint of your RDS instance are secure and do not require SSL encryption.
  • SSL encryption is not supported for the connections to the read/write splitting endpoint of your RDS instance.
  • If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.
  • When you enable SSL encryption, disable SSL encryption, or update the validity period of the SSL certificates, the RDS instance is restarted, and a transient connection that lasts 30 seconds may occur. We recommend that you perform the operations during off-peak hours. Alternatively, make sure that you modify the code of your application for the application to automatically reconnect to the RDS instance.

Enable SSL encryption

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
    Note If the SSL Encryption tab cannot be found, you must check whether the RDS instance meets all requirements that are described in the "Prerequisites" section of this topic.
  4. In the SSL Settings section, turn on SSL Encryption.
  5. In the dialog box that appears, select the endpoint that you want to protect and click OK.
    Note You can encrypt the link to the internal or public endpoint based on your business requirements. You can encrypt only one link.
  6. Click Download CA Certificate to download the SSL certificate files as a compressed package.

    The downloaded package contains the following files:

    • P7B file: the SSL certificate file that is used for a Windows operating system
    • PEM file: the SSL certificate file that is used for an operating system other than Windows or an application that is not run on Windows
    • JKS file: the SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from an SSL certificate chain into Java-based applications. The default password is apsaradb.
      Important When you use the JKS file in JDK 7 or JDK 8, make sure that the following JDK security configurations are applied in the jre/lib/security/Java.security file on the host on which your application resides:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify these configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations.
      Javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

After SSL encryption is enabled, you must configure an SSL certificate on your application or client. If you do not configure an SSL certificate, your application or client cannot connect to your RDS instance. In this topic, MySQL Workbench and Navicat are used as examples. If you want to use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Configure the Use SSL parameter and import the SSL certificate file.

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database that you want to connect. Then, select Edit Connection.
  3. Click the SSL tab and select the path of the PEM certificate file, as shown in the following figure.
  4. Click OK.
    Note If the "connection is being used" error is reported, the previous session remains connected. In this case, you must restart Navicat.
  5. Double-click your database and check whether Navicat can connect to the database.

Update the validity period of an SSL certificate

Note
  • The Update Validity operation causes your RDS instance to restart. Proceed with caution.
  • After you perform the Update Validity operation, you must download the SSL certificate file and configure the SSL certificate again.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the page that appears, click the SSL Encryption tab. Then, click Update Validity.
    Important The Update Validity operation causes your RDS instance to restart. We recommend that you update the validity period during off-peak hours.

Disable SSL encryption

Note
  • When you disable SSL encryption, your RDS instance restarts. In this case, ApsaraDB RDS triggers a primary/secondary switchover to reduce the impacts on your workloads. We still recommend that you disable SSL encryption during off-peak hours.
  • After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.
  • If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
  4. Turn off SSL Encryption. In the message that appears, click OK.

Appendix: Sample code for connections over SSL

  • Sample code in Java:
    <dependency>
           <groupId>mysql</groupId>
            <artifactId>mysql-connector-java</artifactId>
           <version>8.0.11</version>
    </dependency>
    
    ---------------------------------------------------------demo-------------------------------------------------------------
    package com.aliyun.sample;
    
    import com.mysql.cj.jdbc.MysqlDataSource;
    import java.sql.Connection;
    import java.sql.SQLException;
    
    public class Sample {
    
        public static void main(String[] args) {
    
            Connection conn = null;
            MysqlDataSource mysqlDS=null;
    
            try{
                mysqlDS = new MysqlDataSource();
                // set useSSL=true and provide truststore for server certificate verification.
                mysqlDS.setUseSSL(true);
                mysqlDS.setClientCertificateKeyStoreType("JKS");
                // Path of the ApsaraDB-CA-Chain.jks file:/D:\ApsaraDB-CA-Chain\ApsaraDB-CA-Chain.jks.
                mysqlDS.setClientCertificateKeyStoreUrl("file:/D:\\xxxx\\ApsaraDB-CA-Chain.jks");
                // Specify the password that is used to establish a connection. In Java, the default password is apsaradb.
                mysqlDS.setClientCertificateKeyStorePassword("apsaradb");
                mysqlDS.setTrustCertificateKeyStoreType("JKS");
                // Path of the ApsaraDB-CA-Chain.jks file:/D:\ApsaraDB-CA-Chain\ApsaraDB-CA-Chain.jks.
                mysqlDS.setTrustCertificateKeyStoreUrl("file:/D:\\ApsaraDB-CA-Chain\\ApsaraDB-CA-Chain.jks");
                // Specify the password that is used to establish a connection. In Java, the default password is apsaradb.
                mysqlDS.setTrustCertificateKeyStorePassword("apsaradb");
                // Specify the endpoint that is used to connect to the specified database in your RDS instance.
                mysqlDS.setServerName("rm-xxxxxx.mysql.rds.aliyuncs.com");
                // Specify the port number that is used to connect to the specified database in your RDS instance.
                mysqlDS.setPort(3306);
                // Specify the username of the account that is used to connect to the specified database in your RDS instance.
                mysqlDS.setUser("xxxxxx");
                // Specify the password of the account that is used to connect to the specified database in your RDS instance.
                mysqlDS.setPassword("xxxxxx");
                // Specify the name of the database that you want to connect on your RDS instance.
                mysqlDS.setDatabaseName("xxxxxx");
    
                conn = mysqlDS.getConnection();
    
            }catch(Exception e){
                e.printStackTrace();
            } finally {
                try {
                    if (conn != null)
                        conn.close();
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
        }
    
    }
  • Sample code in Python:
    # Run the pip install pymysql command to install pymysql.
    
    
    import pymysql
    
    try:
        conn = pymysql.connect(host='******.mysql.rds.aliyuncs.com',user='*****',passwd='******',db='*****',ssl=True,
                ssl_ca='/path/to/path/ApsaraDB-CA-Chain.pem')
        cursor = conn.cursor()
        cursor.execute('select version()')
        data = cursor.fetchone()
        print('Database version:', data[0])
        cursor.close()
    except pymysql.Error as e:
        print(e)

FAQ

  • What will happen if I do not renew an expired SSL certificate? Does my RDS instance malfunction or data security deteriorate?

    If you do not renew the SSL certificate after it expires, your RDS instance can still run as normal and data security is not compromised. However, applications that connect to your RDS instance over encrypted connections are disconnected.

  • What do I do if the Javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints error message is displayed when I use the JKS file in Java?

    If you do not modify the JDK security configuration items in JDK 7 or JDK 8, this error is reported, or other similar errors are reported.

    To resolve this issue, you must use the following JDK security configurations in the jre/lib/security/Java.security file on the host on which your application is deployed:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024