PolarDB:Configure SSL encryption

Last Updated:Apr 11, 2024

This topic describes how to enhance data transmission security by configuring Secure Sockets Layer (SSL) encryption. You must enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) on the applications that connect to the cluster. SSL encrypts connections at the transport layer and protects the confidentiality and integrity of the transmitted data. However, SSL encryption increases the round-trip time.

Background information

SSL was developed by Netscape to support encrypted communication between a web server and a browser. It supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS), but the term "SSL encryption" is still widely used in the industry. In this topic, SSL encryption refers to TLS encryption.

Usage notes

  • The validity period of an SSL certificate is one year. Before the certificate expires, you must renew it, download the new certificate file, and configure the certificate again. Otherwise, clients that connect to your cluster over encrypted connections are disconnected. For more information, see Renew an SSL certificate.

  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only if you want to encrypt the connections that are established to the public endpoint of your cluster. In most cases, connections that are established to the internal endpoint of your cluster are secure and do not require SSL encryption.

  • After you change the endpoint for which SSL encryption is enabled, the SSL certificate is automatically renewed and the cluster is restarted. Proceed with caution.

  • After you renew an SSL certificate, the cluster is automatically restarted. Proceed with caution.

  • To enable SSL encryption, the endpoint of the PolarDB cluster must be less than 64 characters in length. For more information about how to modify an endpoint, see Configure PolarProxy.

Enable SSL encryption and download an SSL certificate

  1. Log on to the PolarDB console.

  2. In the top navigation bar, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SSL Settings tab, turn on SSL to enable SSL encryption.

    [Figure: Enable SSL encryption]

    Note

    You can enable SSL encryption for the primary endpoints, cluster endpoints, and custom endpoints of PolarDB for MySQL 8.0, 5.7, and 5.6 clusters.

  6. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.

    Note

    You can select a public endpoint or an internal endpoint as needed. However, you can select only one endpoint.

    [Figure: Configure SSL encryption]

  7. After the state of SSL encryption changes to Enabled, click Download Certificate.

    [Figure: Download certificate]

    The file that you downloaded is a package that contains the following files:

    • A P7B file. This file is used to import the CA certificate to a Windows system.

    • A PEM file. This file is used to import the CA certificate to an operating system other than Windows or an application that is not run on Windows.

    • A JKS file. This file is a truststore for Java. The password is apsaradb. The file is used to import the CA certificate chain to Java programs.

      Note

      To use a JKS certificate file in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. To do so, update the following settings in the jre/lib/security/java.security file on the server that connects to the PolarDB cluster:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify these settings, the following error is returned. Other similar errors are usually also caused by invalid Java security settings:

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

    If you want to change the endpoint for which SSL encryption is enabled, click Configure SSL.

    Important

    After you change the endpoint for which SSL encryption is enabled, the SSL certificate is automatically renewed and the cluster is restarted. Proceed with caution.

Configure an SSL certificate

After you enable SSL encryption, you must configure an SSL certificate. The SSL certificate is required for your application or client to connect to your PolarDB cluster. In this section, MySQL Workbench and Navicat are used as examples to describe how to configure an SSL certificate. If you want to use other applications or clients, see the related instructions.

To configure an SSL certificate on MySQL Workbench, perform the following steps:

  1. Start MySQL Workbench.

  2. Choose Database > Manage Connections.

  3. Enable Use SSL and import the SSL certificate file.

To configure an SSL certificate on Navicat, perform the following steps:

  1. Start Navicat.

  2. Right-click the database and select Edit Connection.


  3. Click the SSL tab and select the path of the PEM certificate file, as shown in the following figure.


  4. Click OK.

    Note

    If you do not close the existing connection, the error "Connection with same connection name already exists in the project." is returned. In this case, close Navicat and open it again.

  5. Double-click your database to check whether Navicat can connect to the database.


Renew an SSL certificate

This section describes how to renew an SSL certificate. After you change the endpoint for which SSL encryption is enabled or when the SSL certificate is about to expire, you must renew the SSL certificate.

Note

After you renew an SSL certificate, the cluster is automatically restarted. Proceed with caution.

  1. Log on to the PolarDB console.

  2. In the top navigation bar, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SSL Settings tab, click Update Validity Period.

    [Figure: Update certificate validity period]

  6. In the message that appears, click OK.

  7. After the SSL certificate is renewed, download and configure the SSL certificate again.

Enable automatic certificate rotation

After automatic certificate rotation is enabled, PolarDB automatically renews the SSL certificate during the maintenance window of the cluster within 10 days before the expiration date of the certificate.

Note

If you enable automatic certificate rotation, your cluster is automatically restarted after the SSL certificate is renewed. Proceed with caution.

  1. On the SSL Settings tab, click Advanced Settings.

  2. In the Advanced Settings dialog box, select On for Automatic Certificate Rotation and click Confirm.
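The 10-day rotation window above, together with the one-year validity period stated in the usage notes, is something an operator will usually want to watch from the client side as well. The following script is an added example, not part of this topic or of PolarDB itself: it loads the PEM file from the downloaded certificate package with Python's standard ssl module, reads the notAfter date of each CA certificate in the chain, and reports how many days remain, flagging certificates that are expired or already inside the rotation window. The file name ApsaraDB-CA-Chain.pem and the function names are assumptions.

```python
import ssl
import sys
from datetime import datetime, timezone

# PolarDB renews the certificate within this many days of expiry when automatic
# rotation is on (value taken from the topic above).
ROTATION_WINDOW_DAYS = 10


def not_after_to_epoch(not_after):
    """Convert the notAfter string the ssl module reports, e.g.
    'Jun 20 12:00:00 2025 GMT', to Unix epoch seconds (UTC)."""
    return ssl.cert_time_to_seconds(not_after)


def days_until(expiry_epoch, now_epoch):
    """Days (fractional) from now_epoch until expiry_epoch; negative if past."""
    return (expiry_epoch - now_epoch) / 86400.0


def classify(days_left):
    """Map remaining days onto the states an operator acts on."""
    if days_left < 0:
        return "expired"
    if days_left <= ROTATION_WINDOW_DAYS:
        return "rotation-window"
    return "ok"


def common_name(subject):
    """Pull commonName out of the nested tuple form ssl uses for subjects."""
    for rdn in subject:
        for key, value in rdn:
            if key == "commonName":
                return value
    return "<no CN>"


def ca_expiry_report(pem_path, now_epoch=None):
    """Load the CA chain PEM into an empty trust store and return a list of
    (common name, days left, status) for every CA certificate it contains.
    An empty SSLContext is used on purpose so that system CAs are not mixed in."""
    if now_epoch is None:
        now_epoch = datetime.now(timezone.utc).timestamp()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    report = []
    for cert in ctx.get_ca_certs():
        days = days_until(not_after_to_epoch(cert["notAfter"]), now_epoch)
        report.append((common_name(cert["subject"]), round(days, 1), classify(days)))
    return report


if __name__ == "__main__":
    # Assumed file name for the PEM file from the downloaded package.
    path = sys.argv[1] if len(sys.argv) > 1 else "ApsaraDB-CA-Chain.pem"
    for cn, days, status in ca_expiry_report(path):
        print(f"{status:16}{days:8.1f} days  {cn}")
```

Run it from a cron job or a monitoring check and alert on anything other than "ok"; after renewing in the console, re-run it against the newly downloaded file to confirm the new validity period before rolling the file out to clients.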

Disable SSL encryption

Note

  • After you disable SSL encryption, the cluster is restarted. We recommend that you perform this operation during off-peak hours.

  • After you disable SSL encryption, the performance of your cluster is improved but data security is compromised. We recommend that you disable SSL encryption only in secure environments.

  1. Log on to the PolarDB console.

  2. In the top navigation bar, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click its ID.

  4. In the left-side navigation pane, choose Settings and Management > Security Management.

  5. On the SSL Settings tab, turn off SSL to disable SSL encryption.

  6. In the message that appears, click OK.

View SSL encryption suites

The SSL protocol has many versions. PolarDB supports only TLS 1.2 or later. During the SSL handshake, the client exchanges negotiation information, such as the TLS version, the cipher suite, and the session key, with your PolarDB cluster. For more information about all supported cipher suites, visit the OpenSSL official website.

After an SSL connection is established, you can execute the following statement to view the SSL encryption suite used for the connection:

SHOW STATUS LIKE 'ssl_cipher';
+---------------+-------------------+
| Variable_name | Value             |
+---------------+-------------------+
| Ssl_cipher    | AES128-GCM-SHA256 |
+---------------+-------------------+

If the connection is not encrypted, the statement returns an empty variable.
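Applications that connect through a driver rather than a GUI client need the same settings as the MySQL Workbench and Navicat steps in Configure an SSL certificate, and the SHOW STATUS check above is the natural way to confirm the result. The following script is an added example, not PolarDB's own code: it points mysql-connector-python (assumed driver) at the PEM CA file, rejects a server that does not present a certificate chaining to that CA, requires TLS 1.2 or later, and then runs SHOW STATUS LIKE 'ssl_cipher', treating a missing row or an empty value as an unencrypted session, as described above. The endpoint, credentials, file name and function names are placeholders or assumptions.

```python
import sys

# Assumed file name for the PEM file from the downloaded certificate package.
CA_CHAIN_PEM = "ApsaraDB-CA-Chain.pem"


def build_connect_kwargs(host, user, password, ca_pem=CA_CHAIN_PEM, port=3306,
                         verify_identity=True):
    """Connection options for mysql-connector-python (assumed driver).

    ssl_verify_cert makes the driver reject a server certificate that does not
    chain to the CA in ca_pem. ssl_verify_identity additionally requires the
    certificate name to match the endpoint; if the issued certificate does not
    carry the endpoint name, the driver raises an error rather than silently
    connecting, so set verify_identity=False only after checking why.
    tls_versions pins the floor to TLS 1.2, which is what PolarDB accepts.
    """
    return {
        "host": host,
        "port": port,
        "user": user,
        "password": password,
        "ssl_ca": ca_pem,
        "ssl_verify_cert": True,
        "ssl_verify_identity": verify_identity,
        "tls_versions": ["TLSv1.2", "TLSv1.3"],
    }


def cipher_from_status(rows):
    """Interpret the rows returned by SHOW STATUS LIKE 'ssl_cipher'.

    rows is a list of (Variable_name, Value) tuples. Returns the cipher suite
    name, or None when the session is not encrypted (no row or empty Value).
    """
    for name, value in rows:
        if name.lower() == "ssl_cipher" and value:
            return value
    return None


def session_cipher(conn):
    """Ask the server which cipher suite this session negotiated."""
    cur = conn.cursor()
    try:
        cur.execute("SHOW STATUS LIKE 'ssl_cipher'")
        return cipher_from_status(cur.fetchall())
    finally:
        cur.close()


def main(argv):
    if len(argv) != 4:
        print("usage: check_ssl.py <endpoint> <user> <password>")
        return 2
    # Imported here so the helpers above are usable without the driver installed.
    import mysql.connector
    conn = mysql.connector.connect(**build_connect_kwargs(argv[1], argv[2], argv[3]))
    try:
        cipher = session_cipher(conn)
    finally:
        conn.close()
    if cipher is None:
        print("session is NOT encrypted; check that SSL is enabled for this endpoint")
        return 1
    print("session encrypted with", cipher)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit on an unencrypted session makes the script usable as a deployment gate: run it after enabling SSL on an endpoint, and again after every certificate renewal, before switching application traffic over.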

Related API operations

Operation             Description
DescribeDBClusterSSL  Queries the SSL encryption settings of a PolarDB cluster.
ModifyDBClusterSSL    Enables or disables SSL encryption, or renews the SSL certificate for a PolarDB cluster.