This topic describes how to configure SSL encryption for your ApsaraDB RDS for SQL Server instance to improve the security of data links. You must enable SSL encryption for your RDS instance and install the SSL certificates that are issued by certificate authorities (CAs) for your application. SSL encrypts the network connections that are established between your RDS instance and your application at the transport layer. This helps improve the security and integrity of data in transit but increases the response time.

Background information

SSL was developed by Netscape to support encrypted communication between a web server and a browser. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). The term SSL encryption remains in common use in the industry. In this topic, SSL encryption refers to TLS encryption.
Note ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.

Usage notes

  • An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update the validity period of the SSL certificate. If you do not update the validity period of the SSL certificate, your application or client that uses encrypted network connections cannot connect to your RDS instance.
  • SSL encryption may cause a sharp increase in CPU utilization. We recommend that you enable SSL encryption only if you want to encrypt the connections that are established to the public endpoint of your RDS instance. In most cases, connections that are established to the internal endpoint of your RDS instance are secure and do not require SSL encryption.
  • SSL encryption is not supported for the connections to the read/write splitting endpoint of your RDS instance.

Enable SSL encryption

  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the SSL Encryption tab, turn on SSL Encryption.
  4. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
    Note You can encrypt the link to the internal endpoint or public endpoint based on your business requirements. Only one link can be encrypted.
  5. On the SSL Encryption tab, click Download CA Certificate to download the SSL certificate files.
    The downloaded file is a package that contains the following files:
    • P7B file: a CA certificate file that is used for a Windows operating system.
    • PEM file: a CA certificate file that is used for an operating system or application that is not Windows-based.
    • JKS file: an SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from an SSL certificate chain into Java-based applications. The default password is apsaradb.
    Important When you use the JKS file in JDK 7 or JDK 8, you must modify the following default JDK security configuration items in the jre/lib/security/java.security file on the host on which your application resides:
    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
    If you do not modify these configurations, the following error is reported. In most cases, other similar errors are also caused by invalid Java security configurations:
    javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

After SSL encryption is enabled, you must configure an SSL certificate on your application or client. This topic provides an example on how to use SQL Server Management Studio to install an SSL certificate. If you want to use other applications or clients, see the related instructions.

  1. Enter certmgr.msc in the search box in the lower-left corner of the desktop and open certmgr.msc.
  2. In the certmgr dialog box, right-click Trusted Root Certification Authorities.
  3. Choose All Tasks > Import.
  4. Click Next.
  5. In the Certificate Import Wizard dialog box, click Browse to import the SSL certificate that you downloaded, and click Next.
    Note For more information about how to download a CA certificate file, see Enable SSL encryption.
  6. Select a location to store the CA certificate file based on your business requirements and click Next.
  7. Click Finish. After the "The import was successful" message is displayed, click OK.
  8. Open SQL Server Management Studio and click the Options button in the lower-right corner of the dialog box.
  9. On the Connection Properties tab, select Encrypt connection and Trust server certificate, and click Connect.
  10. Execute the following statement. If TRUE is returned, the connection is encrypted.
    SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID;

Update the validity period of the SSL certificate

An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update the validity period of the SSL certificate. If you do not update the validity period of the SSL certificate, your application or client that uses encrypted network connections cannot connect to your RDS instance.
Important The Update Validity operation causes your RDS instance to restart. Proceed with caution when you update the validity period of an SSL certificate.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. On the page that appears, click the SSL Encryption tab, and then click Update Validity.
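Because the CA certificate is valid for only one year and expiry silently breaks every encrypted connection, it is worth checking the downloaded PEM file on a schedule instead of relying on memory. The following script is an added example, not part of the ApsaraDB RDS documentation or any Alibaba Cloud tool: it uses only the Python standard library (ssl.PEM_cert_to_DER_cert for the PEM-to-DER step plus a small DER walker that reads the Validity field of the X.509 TBSCertificate) and reports how many days remain. Because no real certificate can be shipped here, constructed_pem() builds a constructed, unsigned certificate-shaped DER structure (placeholder key and signature) purely so the check can run offline; the file name rds_ca.pem in the usage section is a hypothetical path.

```python
"""Added example: days-to-expiry check for a downloaded CA certificate (PEM)."""
import ssl
import sys
from datetime import datetime, timedelta, timezone


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(constructed):
    """List the (tag, value) pairs inside a constructed DER value."""
    out, pos = [], 0
    while pos < len(constructed):
        tag, value, pos = _read_tlv(constructed, pos)
        out.append((tag, value))
    return out


def _asn1_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    text = value.decode("ascii")
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Return (not_before, not_after) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate ::= SEQUENCE
    fields = _children(tbs)
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    validity = fields[3][1]                # serialNumber, signature, issuer, validity, ...
    (nb_tag, nb), (na_tag, na) = _children(validity)[:2]
    return _asn1_time(nb_tag, nb), _asn1_time(na_tag, na)


def days_until_expiry(pem_text, now=None):
    """Whole days left on a PEM certificate; negative once it has expired."""
    now = now or datetime.now(timezone.utc)
    _, not_after = certificate_validity(ssl.PEM_cert_to_DER_cert(pem_text))
    return (not_after - now).days


def expiry_status(days_left, warn_days=30):
    """Classify the result so a scheduler can alert well before the one-year mark."""
    if days_left < 0:
        return "expired"
    return "renew soon" if days_left <= warn_days else "ok"


# --- constructed sample input (not a real CA certificate) ---------------------
def _der(tag, payload):
    """Minimal DER TLV encoder for payloads up to 65535 bytes."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    if n < 0x100:
        return bytes([tag, 0x81, n]) + payload
    return bytes([tag, 0x82]) + n.to_bytes(2, "big") + payload


def constructed_pem(not_before, not_after):
    """Build an unsigned, certificate-shaped DER blob with the given Validity, as PEM."""
    utc = lambda dt: _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                          + _der(0x0C, b"Constructed CA"))))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02"))          # version v3
                     + _der(0x02, b"\x01")                     # serialNumber
                     + sig_alg + name                          # signature, issuer
                     + _der(0x30, utc(not_before) + utc(not_after))
                     + name                                    # subject
                     + _der(0x30, sig_alg + _der(0x03, b"\x00")))  # placeholder SPKI
    cert = _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))    # placeholder signature
    return ssl.DER_cert_to_PEM_cert(cert)


if __name__ == "__main__":
    # Usage: python check_cert.py rds_ca.pem   (rds_ca.pem is a hypothetical path)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="ascii") as fh:
            pem = fh.read()
    else:                                   # fall back to the constructed sample
        pem = constructed_pem(datetime.now(timezone.utc) - timedelta(days=1),
                              datetime.now(timezone.utc) + timedelta(days=364))
    left = days_until_expiry(pem)
    print(f"{left} day(s) until expiry: {expiry_status(left)}")
```

Run it against the PEM file from the downloaded certificate package; a non-"ok" status is the signal to schedule the Update Validity operation during a maintenance window, since that operation restarts the instance.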

Disable SSL encryption

Note
  • When you disable SSL encryption, your RDS instance restarts. In this case, ApsaraDB RDS triggers a primary/secondary switchover to reduce the impact on your workloads. We still recommend that you disable SSL encryption during off-peak hours.
  • After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.
  • If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.
  1. Access RDS Instances, select a region at the top, and then click the ID of the target RDS instance.
  2. In the left-side navigation pane, click Data Security.
  3. Click the SSL Encryption tab.
  4. Turn off SSL Encryption. In the message that appears, click OK.

FAQ

What are the impacts on my business if I do not renew an expired SSL certificate? Does an error occur on my RDS instance or is data security decreased?

If you do not renew the SSL certificate after it expires, your RDS instance can continue to run as expected and data security is not compromised. Applications that are connected to your RDS instance over encrypted connections are disconnected.