You can enable Secure Sockets Layer (SSL) encryption in transit to improve the security of the data link between your application and Hologres. SSL establishes an encrypted connection between a Hologres instance and a client using digital certificates and encryption algorithms, such as Transport Layer Security (TLS). This protects the confidentiality and integrity of data during transmission.
Scenarios
SSL encryption in transit is suitable for the following scenarios:
Remote database access: When a client needs to access a database from a remote location, SSL encryption in transit can improve security during data transmission.
Security compliance: Many industry standards and regulations require encryption for data in transit. Using SSL encryption helps your organization meet these security compliance requirements.
SSL encrypts network connections at the transport layer. This improves the security and integrity of communication data, but it also increases the network connection response time.
Prerequisites
You have created a Hologres instance. For more information, see Purchase a Hologres instance.
You have downloaded and installed a PSQL client or Java Database Connectivity (JDBC). For more information, see PSQL client or JDBC.
Usage notes
Hologres V1.1 and later support encryption in transit. Hologres V1.2 and later support TLS. Hologres V2.1 and later support encryption in transit, encryption in transit that uses Certificate Authority (CA) certificates, and enabling the feature in the management console.
Note: If your instance runs a version earlier than V1.1, see Common upgrade preparation failure errors or join the Hologres DingTalk group to provide feedback. For more information, see How do I get more online support?
Enabling or disabling SSL encryption in transit restarts the instance. Proceed with caution. SSL encryption in transit is disabled by default.
After you enable SSL encryption in transit for a Hologres instance, clients can connect to the instance over SSL. When a client connects to the Hologres instance, you must explicitly specify whether to encrypt the connection.
After you disable SSL encryption in transit for a Hologres instance, you can connect to the instance only over non-SSL connections.
Hologres supports the following modes for SSL encryption in transit:
SSL mode | Minimum supported version |
Require: Encrypts only the data link. | V1.1 |
Verify-CA: Encrypts the data link and uses a CA certificate to authenticate the Hologres server. | V2.1 |
Verify-Full: Encrypts the data link, uses a CA certificate to authenticate the Hologres server, and verifies that the Common Name (CN) or Domain Name System (DNS) name in the certificate matches the Hologres endpoint that is configured for the connection. | V2.1 |
The validity period of an SSL certificate is one year. You must manually renew the certificate after it expires. Otherwise, you cannot use SSL encryption in transit to connect to the instance after the certificate expires.
Enabling SSL encryption in transit increases CPU utilization and read/write latency.
After you enable SSL encryption in transit, you must disconnect and reconnect existing connections for the encryption to take effect.
Enabling or disabling SSL encryption in transit and renewing an SSL certificate restarts your Hologres instance. The restart takes about 3 minutes. Perform these operations during off-peak hours.
Step 1: Enable encryption in transit for a Hologres instance
Log on to the Hologres Management Console and select a region in the upper-left corner.
In the navigation pane on the left, click Instance List and then click the ID of the target instance.
On the instance details page, click Data Security.
On the SSL tab, turn on the SSL Encryption switch.
In the Enable SSL Link Encryption dialog box, click Enable SSL.
Step 2: Download the CA certificate
Hologres provides an instance CA certificate for you to download. When you remotely connect to a Hologres instance from a client, you can use the instance CA certificate to authenticate the instance.
Log on to the Hologres Management Console and select a region in the upper-left corner.
In the navigation pane on the left, click Instance List and then click the ID of the target instance.
On the instance details page, click Data Security.
On the SSL tab, click Download Certificate.
Step 3: Connect to Hologres
You can connect to Hologres using a PSQL client or JDBC. During the connection process, you can configure parameters to specify whether to enable SSL encryption in transit.
Connect to Hologres using the PSQL command line
Connection statement
PG_USER=<AccessKey ID> PG_PASSWORD=<AccessKey Secret> PG_SSLMODE=<SSL Mode> PG_SSLROOTCERT=<certificate folder> PGSSLMODE=$PG_SSLMODE PGSSLROOTCERT=$PG_SSLROOTCERT PGUSER=$PG_USER PGPASSWORD=$PG_PASSWORD psql -p <Port> -h <Endpoint> -d <Database>
Parameter descriptions
Parameter | Description |
AccessKey ID | The AccessKey ID of your Alibaba Cloud account. You can obtain the AccessKey ID from the AccessKey Management page. We recommend that you pass the username and password through environment variables rather than on the command line to reduce the risk of credential leaks. |
AccessKey Secret | The AccessKey secret of your Alibaba Cloud account. You can obtain the AccessKey secret from the AccessKey Management page. We recommend that you pass the username and password through environment variables rather than on the command line to reduce the risk of credential leaks. |
SSL Mode | The encryption mode for the PSQL connection to Hologres. The following values are supported: require: Uses encryption in transit and encrypts only the data link (the server is not authenticated). verify-ca: Encrypts the data link and authenticates the Hologres instance against the CA certificate. verify-full: Encrypts the data link, authenticates the Hologres instance, and verifies that the CN or DNS name in the certificate matches the database endpoint that is configured for the connection. disable: Does not use encryption in transit. |
certificate folder | The path of the downloaded CA certificate file, which is passed to psql as PGSSLROOTCERT. This parameter is required if the SSL Mode parameter is set to verify-ca or verify-full. |
Port | The public port of the Hologres instance. Example: 80. |
Endpoint | The public endpoint of the Hologres instance. Example: xxx-cn-hangzhou.hologres.aliyuncs.com. |
Database | The name of the Hologres database. After you create a Hologres instance, the system automatically creates the postgres database. You can use the postgres database to connect to Hologres. However, this database is allocated few resources. For business development, we recommend that you create a new database. For more information, see Create a database. Example: mydb. |
Connection verification
If you set the PGSSLMODE parameter to require, the following message appears when you connect to Hologres. It indicates that the connection is encrypted using SSL.
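The following Python script is an added example and is not part of the Hologres documentation. It encodes the rules from the connection statement and parameter table above: it builds the PG* environment that psql reads, refuses verify-ca or verify-full without the CA certificate downloaded in Step 2, keeps credentials out of the psql command line, and illustrates (in simplified form, not libpq's own implementation) the extra hostname check that distinguishes verify-full from verify-ca. The endpoint, database name, certificate path and credentials are constructed placeholders.

```python
"""Added example (not Hologres project code): prepare a psql connection to
Hologres and enforce the SSL-mode rules from the parameter table.
Endpoint, database, credentials and certificate path are placeholders."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Optional

# Meaning of each PGSSLMODE value as described on this page.
SSL_MODES = {
    "disable": "no encryption in transit",
    "require": "data link encrypted; server certificate is NOT authenticated",
    "verify-ca": "data link encrypted; server authenticated against the CA certificate",
    "verify-full": "verify-ca plus the certificate CN/DNS name must match the endpoint",
}
# Modes that cannot work without the instance CA certificate from Step 2.
CERT_REQUIRED = {"verify-ca", "verify-full"}


@dataclass
class HologresConn:
    endpoint: str                      # public endpoint (placeholder below)
    port: int                          # public port, 80 on this page
    database: str
    sslmode: str
    sslrootcert: Optional[str] = None  # path to the downloaded CA certificate file


def libpq_env(conn: HologresConn, user: str, password: str) -> Dict[str, str]:
    """Return the PG* variables for psql. Misconfigurations that would silently
    downgrade to an unauthenticated session are rejected instead of tolerated."""
    if conn.sslmode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {conn.sslmode!r}; expected one of {sorted(SSL_MODES)}")
    if conn.sslmode in CERT_REQUIRED:
        if not conn.sslrootcert:
            raise ValueError(f"sslmode={conn.sslmode} requires PGSSLROOTCERT (the downloaded CA certificate)")
        if not os.path.isfile(conn.sslrootcert):
            raise FileNotFoundError(f"CA certificate not found: {conn.sslrootcert}")
    env = {"PGUSER": user, "PGPASSWORD": password, "PGSSLMODE": conn.sslmode}
    if conn.sslrootcert:
        env["PGSSLROOTCERT"] = conn.sslrootcert
    return env


def psql_argv(conn: HologresConn) -> List[str]:
    """The psql command line from the connection statement; credentials stay in
    the environment because argv is visible in process listings."""
    return ["psql", "-p", str(conn.port), "-h", conn.endpoint, "-d", conn.database]


def hostname_matches(cert_name: str, endpoint: str) -> bool:
    """Simplified illustration of the check verify-full adds on top of verify-ca:
    the certificate's CN or DNS name must equal the endpoint, or be a wildcard
    covering exactly one leftmost label. This is not libpq's implementation."""
    cert_name = cert_name.lower().rstrip(".")
    endpoint = endpoint.lower().rstrip(".")
    if cert_name == endpoint:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                      # e.g. ".hologres.aliyuncs.com"
        head, sep, rest = endpoint.partition(".")
        return sep != "" and head != "" and "." + rest == suffix
    return False


def demo() -> Dict[str, str]:
    """Run the checks against a constructed placeholder certificate file."""
    cert_dir = tempfile.mkdtemp()
    cert_path = os.path.join(cert_dir, "hologres_certificate.crt")
    with open(cert_path, "w") as fh:   # constructed placeholder, not a real certificate
        fh.write("-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n")
    conn = HologresConn("xxx-cn-hangzhou.hologres.aliyuncs.com", 80, "mydb",
                        "verify-full", cert_path)
    return libpq_env(conn, "<AccessKey ID>", "<AccessKey Secret>")


if __name__ == "__main__":
    env = demo()
    print({k: ("***" if k == "PGPASSWORD" else v) for k, v in env.items()})
    print(" ".join(psql_argv(HologresConn("xxx-cn-hangzhou.hologres.aliyuncs.com", 80, "mydb", "require"))))
```

To run psql with this, pass the returned dictionary merged into the process environment (for example via subprocess.run with env=...) rather than interpolating the values into a shell string, so the AccessKey secret never appears in a command line.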
Connect to Hologres using JDBC
When you use JDBC to connect to Hologres, you can use the ssl and sslmode connection parameters to control whether to use SSL encryption in transit. The results in Hologres vary based on the parameter values, as shown in the following table.
Is encryption in transit enabled for the Hologres instance? | ssl configuration | sslmode configuration | Result |
Yes | true | | You can connect to the server and perform operations. Data is encrypted during transmission. |
Yes | false | | You can connect to the server and perform operations. Data is not encrypted during transmission. |
No | true | | The following error message is returned: |
No | false | | You can connect to the server and perform operations. Data is not encrypted during transmission. |
The following code provides an example.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.ResultSetMetaData;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

// Set the endpoint of the Hologres instance (host name only; the port is appended below).
String hostname = "hgxxxxxxx-cn-hangzhou-vpc.hologres.aliyuncs.com";
// Set the port of the Hologres instance.
String port = "80";
// Set the name of the database to connect to.
String dbname = "postgres";
// Set the directory that contains the CA certificate downloaded in Step 2.
String path = "/path/to/certificate/folder";
String jdbcUrl = "jdbc:postgresql://" + hostname + ":" + port + "/" + dbname + "?binaryTransfer=true";
Properties properties = new Properties();
// Set the username to connect to the database. We recommend that you use an environment variable.
properties.setProperty("user", "accessid");
// Set the password to connect to the database. We recommend that you use an environment variable.
properties.setProperty("password", "accesskey");
// Configure SSL access.
properties.setProperty("ssl", "true");
// Set the path of the CA certificate used to authenticate the Hologres server.
properties.setProperty("sslrootcert", path + "/" + "hologres_certificate.crt");
// Configure the SSL mode. Valid values: require, verify-ca, and verify-full.
properties.setProperty("sslmode", "verify-full");
try {
    Class.forName("org.postgresql.Driver");
    // This example assumes that a table named 'example' exists in the 'postgres' database.
    // try-with-resources closes the connection, statement, and result set even when an exception is thrown.
    try (Connection connection = DriverManager.getConnection(jdbcUrl, properties);
         PreparedStatement preparedStatement = connection.prepareStatement("select * from example");
         ResultSet resultSet = preparedStatement.executeQuery()) {
        ResultSetMetaData rsmd = resultSet.getMetaData();
        int columnCount = rsmd.getColumnCount();
        while (resultSet.next()) {
            Map<String, Object> row = new HashMap<>();
            for (int i = 0; i < columnCount; i++) {
                row.put(rsmd.getColumnName(i + 1).toLowerCase(), resultSet.getObject(i + 1));
            }
            System.out.println(row);
        }
    }
} catch (Exception exception) {
    exception.printStackTrace();
}