This topic describes how to enable SSL encryption for an ApsaraDB for MongoDB instance to enhance link security. After you enable SSL encryption, you must install SSL certificates that are issued by certificate authorities (CAs) on your application. SSL encrypts connections at the transport layer, which increases data security and ensures data integrity.
Prerequisites
- The major version of the instance is Redis 2.8. The instance is a standard master-replica instance or a cluster master-replica instance. For more information, see Standard master-replica instances or Cluster master-replica instances.
- The major version of the instance is Redis 4.0 or 5.0. The instance is a cluster master-replica instance. For more information, see Cluster master-replica instances.
Precautions
- An SSL certificate remains valid for one year. Before the current SSL certificate expires, you must update its validity period. You must then download the new SSL certificate file and configure the certificate again. Otherwise, clients cannot connect to your instance over an encrypted connection.
- SSL encryption may increase the network latency of instances. We recommend that you enable this feature only when encryption needs arise. For example, you can enable SSL encryption if you connect to an ApsaraDB for Redis instance over the Internet.
- The instance restarts after you enable SSL encryption or update the certificate validity period. Connections to the instance may be interrupted for a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
- After you enable SSL encryption for an instance, both SSL and non-SSL connections are supported.
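Because the instance keeps accepting non-SSL connections and the certificate must be renewed every year, the client has to enforce TLS and track expiry itself. The following is an added example, not part of the original documentation: a check built on Python's standard `ssl` module that trusts only the downloaded ApsaraDB-CA-Chain.pem and reports the days left on the instance certificate. The function names, the 30-day threshold, the sample certificate and the assumption that the certificate names the endpoint you connect to are assumptions of this example.

```python
import socket
import ssl
import time

CA_BUNDLE = "ApsaraDB-CA-Chain.pem"  # PEM file from the downloaded package
RENEW_BEFORE_DAYS = 30               # assumed alert threshold, not from the page
SAMPLE_CERT = {"notAfter": "Jun  1 00:00:00 2025 GMT"}  # constructed sample

def build_context(cafile=CA_BUNDLE):
    """Context that trusts only `cafile` and always verifies the server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED, hostname check on
    ctx.load_verify_locations(cafile=cafile)       # no system CAs are loaded
    return ctx

def days_left(peer_cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    now = time.time() if now is None else now
    return int((not_after - now) // 86400)

def classify(days, threshold=RENEW_BEFORE_DAYS):
    if days < 0:
        return "expired"
    return "renew" if days < threshold else "ok"

def check_instance(host, port=6379, cafile=CA_BUNDLE):
    """Connect over TLS only; a plaintext or unverifiable endpoint raises."""
    ctx = build_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            days = days_left(tls.getpeercert())
            return tls.version(), days, classify(days)

if __name__ == "__main__":
    # Offline demonstration on the constructed sample, evaluated at a fixed time.
    may_15_2025 = 1747267200
    d = days_left(SAMPLE_CERT, may_15_2025)
    print(d, classify(d))
```

Run `check_instance("<your-instance-endpoint>")` from a scheduled job and alert on any result other than `"ok"`, so the renewal and the client-side certificate update happen before encrypted connections start failing.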
Procedure
FAQ
- Q: What do I do if the error message "version not supported" appears?
  A: You must update your instance to the latest minor version. For more information, see Update the minor version.
- Q: What files are included in the downloaded CA certificate?
  A: The downloaded CA certificate is a compressed package that consists of the following files:
  - ApsaraDB-CA-Chain.p7b: used to import the CA certificate into the Windows operating system.
  - ApsaraDB-CA-Chain.pem: used to import the CA certificate into other operating systems, such as Linux, or into applications.
  - ApsaraDB-CA-Chain.jks: a Java truststore file, used to import the CA certificate chain into Java applications.
SSL connection methods
Related API operations
Operation | Description |
---|---|
ModifyInstanceSSL | Modifies SSL encryption configurations for an ApsaraDB for Redis instance. |