This topic describes how to configure Secure Sockets Layer (SSL) encryption on your ApsaraDB RDS for SQL Server instance. You must enable SSL encryption on your RDS instance and install the SSL certificates issued by certificate authorities (CAs) on your application. SSL is used at the transport layer to encrypt network connections. This allows you to enhance the security and integrity of the transmitted data. However, SSL increases the response time.
- An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update its validity period. In addition, you must download the new SSL certificate file and configure the SSL certificate on your application again. Otherwise, clients cannot connect to your RDS instance over an encrypted connection.
- SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you want to encrypt the connections with the public endpoint of your RDS instance. In most cases, connections with the internal endpoint of your RDS instance are secure and do not require SSL encryption.
- SSL encryption cannot be disabled after it is enabled. Proceed with caution.
- SSL encryption is not supported for the connections with the read/write splitting endpoint of your RDS instance.
Enable SSL encryption
- Visit the RDS instance list, select a region above, and click the target instance ID.
- In the left-side navigation pane, click Data Security.
- Click the SSL Encryption tab.
- In the SSL Settings section, turn on SSL Encryption.
- In the dialog box that appears, select the endpoint that you want to protect, and click OK.
Note: You can encrypt the connection to the internal or public endpoint based on your business requirements. Only one connection can be encrypted.
- Click Download CA Certificate to download the SSL certificate files as a compressed package.
The compressed package contains the following files:
- .p7b file: the SSL certificate file that is used for a Windows operating system.
- .PEM file: the SSL certificate file that is used for an operating system or application that is not Windows-based.
- .JKS file: the SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from a CA certificate chain into Java-based applications. The default password is apsaradb.
Note: When you use the .JKS file in JDK 7 or JDK 8, open the jre/lib/security/java.security file on the host where your application resides. Then, modify the following two default JDK security configuration items:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
If you do not modify these configuration items, the following error is reported (in most cases, other similar errors are also caused by invalid Java security configurations):
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
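As an added example (not code from this documentation or from ApsaraDB), the following Java program loads the downloaded .JKS truststore with the default password stated above and reports certificates that are expired or approaching the end of their one-year validity, which is the connection failure described in the first note on this page. The file name ApsaraDB-CA-Chain.jks and the 30-day renewal window are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Enumeration;

public class RdsTrustStoreCheck {
    // Default password of the downloaded .JKS file, as stated in the documentation.
    private static final char[] JKS_PASSWORD = "apsaradb".toCharArray();
    // Assumed operational threshold: warn this long before the one-year certificate expires.
    private static final Duration RENEWAL_WINDOW = Duration.ofDays(30);

    // Loads the downloaded truststore; a wrong password or a corrupt file throws here.
    static KeyStore loadTrustStore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, JKS_PASSWORD);
        }
        return ks;
    }

    // Returns true only if every certificate in the store is currently valid; warns on those expiring soon.
    static boolean checkValidity(KeyStore ks, Instant now) throws Exception {
        boolean allValid = true;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // skip non-X.509 entries (getCertificate returns null for key entries)
            }
            Instant notAfter = ((X509Certificate) c).getNotAfter().toInstant();
            if (notAfter.isBefore(now)) {
                System.out.println(alias + ": EXPIRED " + notAfter
                        + " - run Update Validity, then download and reinstall the certificate");
                allValid = false;
            } else if (notAfter.isBefore(now.plus(RENEWAL_WINDOW))) {
                System.out.println(alias + ": expires " + notAfter + " - schedule the renewal now");
            }
        }
        return allValid;
    }

    public static void main(String[] args) throws Exception {
        // Path to the extracted .JKS file; the default file name is a placeholder.
        String path = args.length > 0 ? args[0] : "ApsaraDB-CA-Chain.jks";
        KeyStore ks = loadTrustStore(path);
        System.exit(checkValidity(ks, Instant.now()) ? 0 : 1);
    }
}
```

A non-zero exit status makes the check usable from a scheduled job that alerts before clients start failing to connect.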
Configure an SSL certificate
After you enable SSL encryption, you must configure the SSL certificate on your application or client before it can connect to your RDS instance. In this section, MySQL Workbench is used as an example. If you use other applications or clients, see the related instructions.
- Start MySQL Workbench.
- Choose .
- Enable Use SSL and import the required SSL certificate file.
Update the validity period of an SSL certificate
- The Update Validity operation causes your RDS instance to restart. Proceed with caution.
- After you perform the Update Validity operation, you must download the SSL certificate file and configure the SSL certificate again.