To improve security of data transmissions between client applications and Hologres, you can enable Secure Socket Layer (SSL)-encrypted transmission. SSL encrypts network connections between Hologres instances and clients by using digital certificates and encryption algorithms such as Transport Layer Security (TLS). This ensures the security and integrity of transmitted data.
Scenarios
SSL-encrypted transmission is suitable for the following scenarios:
Remote access to databases: When you want to remotely access a database from a client, you can enable SSL-encrypted transmission to improve security during data transmissions.
Security compliance: If encryption is required for data transmissions based on industry standards and regulations, you can enable SSL-encrypted transmission to meet the security requirements.
SSL encrypts network connections at the transport layer. This improves the security and integrity of transmitted data, but increases the response time of network connections.
Prerequisites
A Hologres instance is purchased. For more information, see Purchase a Hologres instance.
A PostgreSQL client or Java Database Connectivity (JDBC) driver is downloaded and installed. For more information, see Use the PostgreSQL client to connect to Hologres or JDBC.
Usage notes
Hologres V2.1 and later support SSL-encrypted transmission. In Hologres V2.1 and later, you can use Certificate Authority (CA) certificates with SSL-encrypted transmission and enable SSL-encrypted transmission in the Hologres console. If the version of your Hologres instance is earlier than V2.1, you can manually upgrade your Hologres instance in the Hologres console or join the Hologres DingTalk group to contact Hologres technical support. For more information about how to manually upgrade your Hologres instance in the Hologres console, see Manual upgrade (beta) in the "Instance upgrades" topic. For more information about how to obtain technical support, see Obtain online support for Hologres.
Each time you enable or disable SSL-encrypted transmission for an instance, the instance is restarted. Proceed with caution. By default, SSL-encrypted transmission is disabled.
After SSL-encrypted transmission is enabled for a Hologres instance, you are allowed to connect to the Hologres instance over SSL connections. In this case, when you connect to the Hologres instance by using a client, you must explicitly specify whether to encrypt the connection to Hologres.
After SSL-encrypted transmission is disabled for a Hologres instance, you can connect to the Hologres instance only over non-SSL connections.
The following table describes the SSL-encrypted transmission modes that are supported by Hologres.
SSL-encrypted transmission mode
Supported version
Require: The client uses SSL to encrypt only the connections that are used to transmit data.
V1.1 and later
Verify-CA: The client uses SSL to encrypt the connections that are used to transmit data and uses CA certificates to validate the Hologres server.
V2.1 and later
Verify-Full: The client uses SSL to encrypt the connections that are used to transmit data, uses CA certificates to validate the Hologres server, and checks whether the CN or Domain Name System (DNS) specified in the CA certificates is consistent with the Hologres endpoint that is specified during connection establishments.
V2.1 and later
The validity period of an SSL certificate is one year. You need to manually renew the SSL certificate after it expires. Otherwise, SSL-encrypted transmission cannot be used after the SSL certificate expires.
After SSL-encrypted transmission is enabled, the CPU load increases and the read/write latency increases.
After you enable SSL-encrypted transmission, you must close and reestablish existing connections to make the encryption take effect.
When you enable or disable SSL-encrypted transmission or renew the SSL certificate, your Hologres instance will be restarted. The restart takes approximately 3 minutes. Perform the operations during off-peak hours.
Step 1: Enable SSL-encrypted transmission for a Hologres instance
Log on to the Hologres console. In the upper-left corner, select a region.
In the left-side navigation pane, click Instances. On the page that appears, click the ID of the desired instance.
In the left-side navigation pane of the Instance Details page, click Data Security.
On the SSL tab, turn on the SSL Encryption switch.
In the Enable SSL Encryption message, click Enable SSL encryption.
Step 2: Download the CA certificate
Hologres provides CA certificates. When you remotely connect to a Hologres instance from your client, you can use the CA certificate of the instance to validate the Hologres instance.
Log on to the Hologres console. In the upper-left corner, select a region.
In the left-side navigation pane, click Instances. On the page that appears, click the ID of the desired instance.
In the left-side navigation pane of the Instance Details page, click Data Security.
On the SSL tab, click Download Certificate.
Step 3: Connect to the Hologres instance
You can use a PostgreSQL client or JDBC driver to connect to a Hologres instance. You can configure a parameter to enable SSL-encrypted transmission for the connection.
Use the PostgreSQL CLI to connect to the Hologres instance
Command
PG_USER=<AccessKey ID> PG_PASSWORD=<AccessKey Secret> PG_SSLMODE=<SSL Mode> PG_SSLROOTCERT=<certificate folder> PGSSLMODE=$PG_SSLMODE PGSSLROOTCERT=$PG_SSLROOTCERT PGUSER=$PG_USER PGPASSWORD=$PG_PASSWORD psql -p <Port> -h <Endpoint> -d <Database>Parameters
Parameter
Description
AccessKey ID
The AccessKey ID of the Alibaba Cloud account used to access the Hologres database.
You can obtain the AccessKey ID from the Security Management page.
We recommend that you configure environment variables and obtain the AccessKey ID and AccessKey secret from the environment variables. This helps reduce information leak risks.
AccessKey Secret
The AccessKey secret of the Alibaba Cloud account used to access the Hologres database.
You can obtain the AccessKey secret from the Security Management page.
We recommend that you configure environment variables and obtain the AccessKey ID and AccessKey secret from the environment variables. This helps reduce information leak risks.
SSL Mode
The encryption mode in which the PostgreSQL client connects to the Hologres instance. Valid values:
require: The client uses SSL to encrypt the connections that are used to transmit data.
verify-ca: The client uses SSL to encrypt the connections that are used to transmit data and validates the Hologres instance.
verify-full: The client uses SSL to encrypt the connections that are used to transmit data, validates the Hologres instance, and checks whether the CN or DNS specified in the CA certificate is consistent with the Hologres endpoint that is specified during the connection establishment.
disable: The client does not use SSL for encrypted transmission.
certificate folder
The storage path of the CA certificate.
If you set
SSL Modeto verify-ca or verify-full, you must configure this parameter.Port
The public port number of the Hologres instance.
Example:
80.Endpoint
The public endpoint of the Hologres instance.
Example:
xxx-cn-hangzhou.hologres.aliyuncs.com.Database
The name of the Hologres database to which you want to connect.
After you purchase a Hologres instance, a database named postgres is automatically created.
You can connect to the postgres database. However, limited resources are allocated to this database. We recommend that you go to the Hologres console and create a database to ensure sufficient resources for your business. For more information, see Create a database.
Example:
mydb.Verification
If you set the PGSSLMODE parameter to
requireand the following message appears when you connect to Hologres, the connection is encrypted by using SSL.
Use a JDBC driver to connect to the Hologres instance
If you use a JDBC driver to connect to the Hologres instance, you can use the ssl and sslmode parameters to specify whether to enable SSL-encrypted transmission. The connection results in Hologres vary based on the value of each parameter. The following table describes the mappings between values and results.
SSL-encrypted transmission enabled for the Hologres instance | ssl | sslmode | Result |
Yes | true |
| You can connect the client to the Hologres instance and perform operations. Data is encrypted when it is transmitted between the client and the Hologres instance. |
Yes | false |
| You can connect the client to the Hologres instance and perform operations. Data is not encrypted when it is transmitted between the client and the Hologres instance. |
No | true |
| An error message shown in the following figure is reported.
|
No | false |
| You can connect the client to the Hologres instance and perform operations. Data is not encrypted when it is transmitted between the client and the Hologres instance. |
Sample code
// Specify the endpoint of the Hologres instance.
String hostname = "hgxxxxxxx-cn-hangzhou-vpc.hologres.aliyuncs.com:80";
// Specify the port number of the Hologres instance.
String port = "80";
// Specify the name of the database to which you want to connect.
String dbname = "postgres";
String jdbcUrl = "jdbc:postgresql://" + hostname + ":" + port + "/" + dbname+"?binaryTransfer=true";
Properties properties = new Properties();
// Specify the AccessKey ID that is used to connect to the database. We recommend that you configure environment variables and obtain the AccessKey ID from the environment variables.
properties.setProperty("user", "accessid");
// Specify the AccessKey secret that is used to connect to the database. We recommend that you configure environment variables and obtain the AccessKey secret from the environment variables.
properties.setProperty("password", "accesskey");
// Use SSL for encrypted transmission.
properties.setProperty("ssl", "true");
// Specify the public key of the CA.
properties.setProperty("sslrootcert", path + "/" + "hologres_certificate.crt");
// Specify the SSL connection mode. Valid values: require, verify-ca, and verify-full.
properties.setProperty("sslmode", "verify-full");
try {
Class.forName("org.postgresql.Driver");
Connection connection = DriverManager.getConnection(jdbcUrl, properties);
// In this example, the database named postgres contains a table named example, and data is queried from the table.
PreparedStatement preparedStatement = connection.prepareStatement("select * from " +
"example");
ResultSet resultSet = preparedStatement.executeQuery();
while (resultSet.next()) {
ResultSetMetaData rsmd = resultSet.getMetaData();
int columnCount = rsmd.getColumnCount();
Map map = new HashMap();
for (int i = 0; i < columnCount; i++) {
map.put(rsmd.getColumnName(i + 1).toLowerCase(), resultSet.getObject(i + 1));
}
System.out.println(map);
}
} catch (Exception exception) {
exception.printStackTrace();
}