This topic describes how to connect to an ApsaraDB RDS for PostgreSQL instance from a database client over SSL. After you configure SSL encryption for an RDS instance, you can connect to the RDS instance from a database client by using pgAdmin, PostgreSQL CLI, or Java Database Connectivity (JDBC).
Prerequisites
- SSL encryption is enabled for the RDS instance. For more information about how to enable SSL encryption, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance or Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
- The following files are obtained:
  - The client.crt file that contains the client certificate and the client.key file that contains the private key of the client certificate: If you have configured a client certification authority (CA) certificate in the ApsaraDB RDS console, you must obtain these files. Otherwise, these files are optional. For more information, see Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance.
  - The file that contains the server CA certificate: For more information about how to obtain this file, see Configure SSL encryption for an ApsaraDB RDS for PostgreSQL instance or Configure a custom certificate on an ApsaraDB RDS for PostgreSQL instance.
Use pgAdmin to connect to an RDS instance over SSL
- Start the pgAdmin 4 client.
Note If the pgAdmin client runs a later version and you log on to the pgAdmin client for the first time, you must specify a master password that is used to protect the saved passwords and other credentials.
- Right-click Servers and choose .
- On the General tab of the Create - Server dialog box, enter the name of the server where the pgAdmin client runs.
- Click the Connection tab and enter the information that is used to connect to the RDS instance.

| Parameter | Description |
| --- | --- |
| Hostname/address | Enter the endpoint of the RDS instance. If you want to connect to the RDS instance over an internal network, enter the internal endpoint of the RDS instance. If you want to connect to the RDS instance over the Internet, enter the public endpoint of the RDS instance. For more information, see View and change the internal and public endpoints and port numbers of an ApsaraDB RDS for PostgreSQL instance. |
| Port | Enter the port number that is associated with the endpoint. |
| Username | Enter the username of the account that you use to log on to the RDS instance. |
| Password | Enter the password of the account that you use to log on to the RDS instance. |

- Click the SSL tab and configure the required parameters. The following table describes the parameters.
  - SSL mode: If SSL encryption is enabled for the RDS instance, the RDS instance allows SSL connections from the database client. You must set the SSL mode parameter based on the following scenarios:
    - No access control lists (ACLs) are configured for the RDS instance. For more information, see Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance.
      - If you want to connect to the RDS instance from the database client by using SSL connections, set the SSL mode parameter to Require, Verify-CA, or Verify-Full.
      - If you do not want to connect to the RDS instance from the database client by using SSL connections, set the SSL mode parameter to Disable.
    - ACLs are configured for the RDS instance. In this case, you can connect to the RDS instance from the database client only by using SSL connections. For more information, see Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance. Set the SSL mode parameter to Require, Verify-CA, or Verify-Full.

    The following list provides the meanings of the different values of the SSL mode parameter:
    - Require: The database client encrypts the SSL connections that are used to transmit data. However, the database client does not validate the RDS instance.
    - Verify-CA: The database client encrypts the SSL connections that are used to transmit data and validates the RDS instance.
    - Verify-Full: The database client encrypts the SSL connections that are used to transmit data, validates the RDS instance, and verifies that the CN or Domain Name System (DNS) name specified in the server certificate is consistent with the endpoint that is used to establish the connection.
  - Client certificate: You must set this parameter if you have configured a client certificate. This parameter specifies the path to the file that contains the client certificate. The client certificate is contained in the client.crt file. For more information, see Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance.
  - Client certificate key: You must set this parameter if you have configured a client certificate. This parameter specifies the path to the file that contains the private key of the client certificate. The private key is contained in the client.key file. For more information, see Configure a client CA certificate on an ApsaraDB RDS for PostgreSQL instance.
  - Root certificate: You must set this parameter if you set the SSL mode parameter to Verify-CA or Verify-Full. This parameter specifies the path to the file that contains the server CA certificate.
    Note In this example, the file that contains the server CA certificate is stored in the C:\CA\ path. You can download and decompress the file to a folder on your computer.
- Click Save.
- If the information that you entered is correct, the following page appears, which indicates that the connection to the RDS instance is successful.
Note The postgres database is the default system database of the RDS instance. Do not perform operations on this database.
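The SSL mode values described above correspond to distinct TLS client checks: Require skips certificate validation, Verify-CA validates the certificate chain against the server CA certificate, and Verify-Full also matches the certificate name against the endpoint. The following Python script is an added example, not part of the original documentation or of any Alibaba Cloud tooling; the names context_for and probe are hypothetical, and the script performs only the PostgreSQL SSL negotiation against an endpoint that you supply, without logging on.

```python
# Added example: function names are hypothetical, not from the RDS documentation.
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: int32 length (8), int32 request code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def context_for(ssl_mode, root_cert=None, client_cert=None, client_key=None):
    """Return a TLS context that performs the checks the SSL mode implies."""
    mode = ssl_mode.lower()
    if mode not in ("require", "verify-ca", "verify-full"):
        raise ValueError(f"no TLS context for SSL mode {ssl_mode!r}")
    if bool(client_cert) != bool(client_key):
        raise ValueError("client.crt and client.key must be supplied together")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if mode == "require":
        # Encrypt only: any server certificate is accepted without validation.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    else:
        if not root_cert:
            raise ValueError(f"{ssl_mode} needs the server CA certificate file")
        ctx.load_verify_locations(cafile=root_cert)
        ctx.verify_mode = ssl.CERT_REQUIRED
        # Only Verify-Full also matches the certificate name to the endpoint.
        ctx.check_hostname = mode == "verify-full"
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def probe(host, port, ctx):
    """Negotiate SSL the way a PostgreSQL client does; return the TLS version."""
    with socket.create_connection((host, port), timeout=10) as sock:
        sock.sendall(SSL_REQUEST)
        if sock.recv(1) != b"S":
            raise ConnectionError("server did not accept the SSL request")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    import sys
    # Usage: python probe.py <endpoint> <port> <SSL mode> [server CA file]
    host, port, mode = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    root = sys.argv[4] if len(sys.argv) > 4 else None
    print(mode, "->", probe(host, port, context_for(mode, root_cert=root)))
```

A Verify-Full run fails with a certificate verification error when the endpoint that you enter does not match the name in the server certificate, whereas the same run with Verify-CA succeeds as long as the certificate chains to the server CA certificate.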
Use PostgreSQL CLI to connect to an RDS instance over SSL
Note This method uses the PostgreSQL CLI to connect to an RDS instance over SSL. Make sure that PostgreSQL is installed on your computer. For more information, see PostgreSQL documentation.