This topic describes how to make data transmission for an ApsaraDB RDS for MySQL instance more secure by configuring SSL encryption. To do so, you must enable SSL encryption on the instance and install the SSL certificate that is issued by a certificate authority (CA) in each application that connects to it. SSL encrypts the network connections at the transport layer between your RDS instance and your application. This enhances the security and integrity of data in transit but increases the response time.

Prerequisites

Your RDS instance runs one of the following MySQL versions and RDS editions:

  • MySQL 8.0 on RDS Enterprise Edition
  • MySQL 8.0 on RDS High-availability Edition
  • MySQL 5.7 on RDS Enterprise Edition
  • MySQL 5.7 on RDS High-availability Edition
  • MySQL 5.6
Note SSL encryption cannot be enabled for some read-only RDS instances that are created before September 2021. In this case, you need to submit a ticket.

Background information

SSL was developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). The term "SSL encryption" is still used in the industry. In this topic, SSL encryption refers to TLS encryption.
Note ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.

For more information about how to configure SSL encryption for an RDS instance that runs a different database engine, see the following topics:

Precautions

  • The validity period of an SSL certificate is one year. Before the SSL certificate in use expires, you must update the validity period of the SSL certificate. In addition, you must download the SSL certificate file and configure the SSL certificate again. If you do not perform these operations, your client cannot connect to your RDS instance over an encrypted connection. For more information, see Update the validity period of an SSL certificate.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the connections to the public endpoint of your RDS instance. In most cases, connections that are established to the internal endpoint of your RDS instance are secure and do not require SSL encryption.
  • SSL encryption is not supported for the connections to the read/write splitting endpoint of your RDS instance.
  • If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.
  • If you disable SSL encryption, the SSL certificate that is used becomes invalid. If you want to enable SSL encryption again, you must download the SSL certificate file and configure the SSL certificate again. Otherwise, your application cannot connect to your RDS instance over an SSL connection.
  • If you disable SSL encryption, your RDS instance restarts. Proceed with caution.
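The one-year validity period described above, and the FAQ at the end of this topic, both depend on knowing when the downloaded certificate expires. The following Python script is an added example, not code from the original page or from ApsaraDB: it reads every certificate in a downloaded PEM chain file (the ApsaraDB-CA-Chain.pem file name is taken from this topic's Python sample) and reports how many days remain before each one expires, using only the standard library. A minimal DER walker extracts the Validity field of each certificate. The two-certificate chain it parses is constructed inline for illustration and carries no real key or signature; for a real chain, read the file from disk as shown in the final lines.

```python
"""Report the remaining validity of each certificate in a PEM chain file.

Added example (not ApsaraDB code). The sample chain below is constructed
and contains no real key or signature.
"""
import base64
import datetime
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
UTC = datetime.timezone.utc


def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = data[pos], data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _children(value):
    """Yield (tag, body) for each element of a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, body, pos = _read_tlv(value, pos)
        yield tag, body


def _parse_time(tag, body):
    """Decode a UTCTime (0x17) or GeneralizedTime (0x18) DER value."""
    text = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDD...: RFC 5280 maps 00-49 to 20xx, 50-99 to 19xx
        text = ("20" if int(text[:2]) < 50 else "19") + text
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=UTC)


def certificate_validity(der):
    """Return (not_before, not_after) of one DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    tbs = next(_children(cert))[1]          # first element: tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                # optional explicit [0] version
        fields = fields[1:]
    # fields: serialNumber, signature, issuer, validity, subject, ...
    times = [_parse_time(tag, body) for tag, body in _children(fields[3][1])]
    return times[0], times[1]


def check_chain(pem_text, now):
    """Return one dict per certificate in pem_text with its days_left at `now`."""
    report = []
    for block in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(block.split()))
        not_before, not_after = certificate_validity(der)
        report.append({
            "not_before": not_before, "not_after": not_after,
            "days_left": (not_after - now).days, "expired": now >= not_after,
        })
    return report


def _tlv(tag, body):
    """DER-encode one element (only used to build the constructed sample)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def sample_chain_pem():
    """Constructed two-certificate chain with the minimum structure needed here."""
    def cert(not_before, not_after):
        tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))    # version v3
                   + _tlv(0x02, b"\x01")                     # serialNumber
                   + _tlv(0x30, b"") + _tlv(0x30, b"")       # signature, issuer (empty)
                   + _tlv(0x30, _tlv(0x17, not_before) + _tlv(0x17, not_after))
                   + _tlv(0x30, b"") + _tlv(0x30, b""))      # subject, subjectPublicKeyInfo
        der = _tlv(0x30, tbs + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
        b64 = base64.encodebytes(der).decode("ascii")
        return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"
    return cert(b"230601000000Z", b"240601000000Z") + cert(b"200101000000Z", b"300101000000Z")


if __name__ == "__main__":
    # For a real chain, replace sample_chain_pem() with open("ApsaraDB-CA-Chain.pem").read().
    for entry in check_chain(sample_chain_pem(), datetime.datetime.now(UTC)):
        print(entry)
```

Run the check from a scheduled job and alert when days_left drops below your renewal lead time; the expired flag marks the point after which the client connections described in the precaution above start to fail.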

Enable SSL encryption

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
    Note If the SSL Encryption tab cannot be found, you must check whether the RDS instance meets all requirements that are described in Prerequisites.
  4. In the SSL Settings section, turn on SSL Encryption.
  5. In the dialog box that appears, select the endpoint that you want to protect and click OK.
    Note You can encrypt the connection to either the internal endpoint or the public endpoint based on your business requirements. Only one endpoint can be encrypted.
  6. Click Download CA Certificate to download the SSL certificate files as a compressed package.

    The downloaded package contains the following files:

    • P7B file: the SSL certificate file that is used for a Windows operating system
    • PEM file: the SSL certificate file that is used for an operating system or application that is not Windows-based
    • JKS file: the SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from an SSL certificate chain into Java-based applications. The default password is apsaradb.
      Note When you use the JKS file in JDK 7 or JDK 8, you must open the jre/lib/security/java.security file on the host on which your application resides. Then, you must modify the following default JDK security configuration items in the file:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
      If you do not modify these configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations.
      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

After SSL encryption is enabled, you must configure an SSL certificate on your application or client. If you do not configure an SSL certificate, your application or client cannot connect to your RDS instance. In this topic, MySQL Workbench and Navicat are used as examples. If you want to use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Configure the Use SSL parameter and import the SSL certificate file.

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database that you want to connect to. Then, select Edit Connection.
  3. Click the SSL tab and select the path of the PEM certificate file, as shown in the following figure.
  4. Click OK.
    Note If the "connection is being used" error is reported, the previous session remains connected. In this case, you must restart Navicat.
  5. Double-click your database to check whether Navicat can connect to the database.

Update the validity period of an SSL certificate

Note
  • The Update Validity operation causes your RDS instance to restart. Proceed with caution.
  • After you perform the Update Validity operation, you must download the SSL certificate file and configure the SSL certificate again.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the page that appears, click the SSL Encryption tab. Then, click Update Validity.
    Notice The Update Validity operation causes your RDS instance to restart. We recommend that you update the validity period during off-peak hours.

Disable SSL encryption

Note
  • When you disable SSL encryption, your RDS instance restarts. In this case, ApsaraDB RDS triggers a primary/secondary switchover to reduce the impacts on your workloads. However, we still recommend that you disable SSL encryption during off-peak hours.
  • After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.
  • If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
  4. Turn off SSL Encryption. In the message that appears, click OK.

Appendix: Sample code for connections over SSL

  • Sample code in Java format:
    <dependency>
        <groupId>mysql</groupId>
        <artifactId>mysql-connector-java</artifactId>
        <version>8.0.11</version>
    </dependency>

    ---------------------------------------------------------demo-------------------------------------------------------------
    package com.aliyun.sample;

    import com.mysql.cj.jdbc.MysqlDataSource;
    import java.sql.Connection;
    import java.sql.SQLException;

    public class Sample {

        public static void main(String[] args) {

            Connection conn = null;
            MysqlDataSource mysqlDS = null;

            try {
                mysqlDS = new MysqlDataSource();
                // Require SSL and verify the server certificate against the truststore configured below.
                // With useSSL=true alone, Connector/J encrypts the connection but accepts any server certificate.
                mysqlDS.setUseSSL(true);
                mysqlDS.setVerifyServerCertificate(true);
                // Client certificate keystore. This sample points it at the same JKS file; it is used only if
                // the server requires client certificate authentication.
                mysqlDS.setClientCertificateKeyStoreType("JKS");
                // Path to the ApsaraDB-CA-Chain.jks file, for example D:\ApsaraDB-CA-Chain\ApsaraDB-CA-Chain.jks
                mysqlDS.setClientCertificateKeyStoreUrl("file:/D:\\ApsaraDB-CA-Chain\\ApsaraDB-CA-Chain.jks");
                // Password of the JKS file. The default password is apsaradb.
                mysqlDS.setClientCertificateKeyStorePassword("apsaradb");
                // Truststore that holds the CA chain used to verify the server certificate.
                mysqlDS.setTrustCertificateKeyStoreType("JKS");
                // Path to the ApsaraDB-CA-Chain.jks file, for example D:\ApsaraDB-CA-Chain\ApsaraDB-CA-Chain.jks
                mysqlDS.setTrustCertificateKeyStoreUrl("file:/D:\\ApsaraDB-CA-Chain\\ApsaraDB-CA-Chain.jks");
                // Password of the JKS file. The default password is apsaradb.
                mysqlDS.setTrustCertificateKeyStorePassword("apsaradb");
                // Endpoint that is used to connect to your RDS instance.
                mysqlDS.setServerName("rm-xxxxxx.mysql.rds.aliyuncs.com");
                // Port number that is used to connect to your RDS instance.
                mysqlDS.setPort(3306);
                // Username of the account that is used to connect to the database.
                mysqlDS.setUser("xxxxxx");
                // Password of the preceding account.
                mysqlDS.setPassword("xxxxxx");
                // Name of the database that you want to connect to on your RDS instance.
                mysqlDS.setDatabaseName("xxxxxx");

                conn = mysqlDS.getConnection();

            } catch (Exception e) {
                e.printStackTrace();
            } finally {
                try {
                    if (conn != null) {
                        conn.close();
                    }
                } catch (SQLException e) {
                    e.printStackTrace();
                }
            }
        }

    }
  • Sample code in Python format:
    # Run the pip install pymysql command to install pymysql. The ssl_ca and
    # ssl_verify_cert parameters require pymysql 1.0 or later.
    import pymysql

    conn = None
    try:
        conn = pymysql.connect(
            host='******.mysql.rds.aliyuncs.com',
            user='*****',
            password='******',
            database='*****',
            # Path to the PEM file from the downloaded certificate package.
            ssl_ca='/path/to/path/ApsaraDB-CA-Chain.pem',
            # Reject server certificates that are not issued by that CA chain.
            # Without this, the connection is encrypted but the server is not authenticated.
            ssl_verify_cert=True,
        )
        with conn.cursor() as cursor:
            cursor.execute('select version()')
            data = cursor.fetchone()
            print('Database version:', data[0])
            # A non-empty Ssl_cipher confirms that this session is encrypted.
            cursor.execute("show status like 'Ssl_cipher'")
            print('SSL cipher:', cursor.fetchone())
    except pymysql.Error as e:
        print(e)
    finally:
        if conn is not None:
            conn.close()

FAQ

If I do not update the validity period of an expired SSL certificate, does my RDS instance malfunction or data security deteriorate?

If you do not update an expired SSL certificate, your RDS instance still runs as expected and no security risks occur. However, your application cannot establish encrypted connections to your RDS instance.