All Products
Search
Document Center

Hologres:Transmission encryption

Last Updated:Feb 22, 2024

To improve security of data transmissions between client applications and Hologres, you can enable Secure Socket Layer (SSL)-encrypted transmission. SSL encrypts network connections between Hologres instances and clients by using digital certificates and encryption algorithms such as Transport Layer Security (TLS). This ensures the security and integrity of transmitted data.

Scenarios

SSL-encrypted transmission is suitable for the following scenarios:

  • Remote access to databases: When you want to remotely access a database from a client, you can enable SSL-encrypted transmission to improve security during data transmissions.

  • Security compliance: If encryption is required for data transmissions based on industry standards and regulations, you can enable SSL-encrypted transmission to meet the security requirements.

SSL encrypts network connections at the transport layer. This improves the security and integrity of transmitted data, but increases the response time of network connections.

Prerequisites

Usage notes

  • Hologres V2.1 and later support SSL-encrypted transmission. In Hologres V2.1 and later, you can use Certificate Authority (CA) certificates with SSL-encrypted transmission and enable SSL-encrypted transmission in the Hologres console. If the version of your Hologres instance is earlier than V2.1, you can manually upgrade your Hologres instance in the Hologres console or join the Hologres DingTalk group to contact Hologres technical support. For more information about how to manually upgrade your Hologres instance in the Hologres console, see Manual upgrade (beta) in the "Instance upgrades" topic. For more information about how to obtain technical support, see Obtain online support for Hologres.

  • Each time you enable or disable SSL-encrypted transmission for an instance, the instance is restarted. Proceed with caution. By default, SSL-encrypted transmission is disabled.

    • After SSL-encrypted transmission is enabled for a Hologres instance, you are allowed to connect to the Hologres instance over SSL connections. In this case, when you connect to the Hologres instance by using a client, you must explicitly specify whether to encrypt the connection to Hologres.

    • After SSL-encrypted transmission is disabled for a Hologres instance, you can connect to the Hologres instance only over non-SSL connections.

  • The following table describes the SSL-encrypted transmission modes that are supported by Hologres.

    SSL-encrypted transmission mode

    Supported version

    Require: The client uses SSL to encrypt only the connections that are used to transmit data.

    V1.1 and later

    Verify-CA: The client uses SSL to encrypt the connections that are used to transmit data and uses CA certificates to validate the Hologres server.

    V2.1 and later

    Verify-Full: The client uses SSL to encrypt the connections that are used to transmit data, uses CA certificates to validate the Hologres server, and checks whether the CN or Domain Name System (DNS) specified in the CA certificates is consistent with the Hologres endpoint that is specified during connection establishments.

    V2.1 and later

  • The validity period of an SSL certificate is one year. You need to manually renew the SSL certificate after it expires. Otherwise, SSL-encrypted transmission cannot be used after the SSL certificate expires.

  • After SSL-encrypted transmission is enabled, the CPU load increases and the read/write latency increases.

  • After you enable SSL-encrypted transmission, you must close and reestablish existing connections to make the encryption take effect.

  • When you enable or disable SSL-encrypted transmission or renew the SSL certificate, your Hologres instance will be restarted. The restart takes approximately 3 minutes. Perform the operations during off-peak hours.

Step 1: Enable SSL-encrypted transmission for a Hologres instance

  1. Log on to the Hologres console. In the upper-left corner, select a region.

  2. In the left-side navigation pane, click Instances. On the page that appears, click the ID of the desired instance.

  3. In the left-side navigation pane of the Instance Details page, click Data Security.

  4. On the SSL tab, turn on the SSL Encryption switch.

  5. In the Enable SSL Encryption message, click Enable SSL encryption.

Step 2: Download the CA certificate

Hologres provides CA certificates. When you remotely connect to a Hologres instance from your client, you can use the CA certificate of the instance to validate the Hologres instance.

  1. Log on to the Hologres console. In the upper-left corner, select a region.

  2. In the left-side navigation pane, click Instances. On the page that appears, click the ID of the desired instance.

  3. In the left-side navigation pane of the Instance Details page, click Data Security.

  4. On the SSL tab, click Download Certificate.

Step 3: Connect to the Hologres instance

You can use a PostgreSQL client or JDBC driver to connect to a Hologres instance. You can configure a parameter to enable SSL-encrypted transmission for the connection.

Use the PostgreSQL CLI to connect to the Hologres instance

  • Command

    PG_USER=<AccessKey ID> 
    PG_PASSWORD=<AccessKey Secret> 
    PG_SSLMODE=<SSL Mode> 
    PG_SSLROOTCERT=<certificate folder> 
    PGSSLMODE=$PG_SSLMODE PGSSLROOTCERT=$PG_SSLROOTCERT PGUSER=$PG_USER PGPASSWORD=$PG_PASSWORD psql -p <Port> -h <Endpoint> -d <Database>
  • Parameters

    Parameter

    Description

    AccessKey ID

    The AccessKey ID of the Alibaba Cloud account used to access the Hologres database.

    You can obtain the AccessKey ID from the Security Management page.

    We recommend that you configure environment variables and obtain the AccessKey ID and AccessKey secret from the environment variables. This helps reduce information leak risks.

    AccessKey Secret

    The AccessKey secret of the Alibaba Cloud account used to access the Hologres database.

    You can obtain the AccessKey secret from the Security Management page.

    We recommend that you configure environment variables and obtain the AccessKey ID and AccessKey secret from the environment variables. This helps reduce information leak risks.

    SSL Mode

    The encryption mode in which the PostgreSQL client connects to the Hologres instance. Valid values:

    • require: The client uses SSL to encrypt the connections that are used to transmit data.

    • verify-ca: The client uses SSL to encrypt the connections that are used to transmit data and validates the Hologres instance.

    • verify-full: The client uses SSL to encrypt the connections that are used to transmit data, validates the Hologres instance, and checks whether the CN or DNS specified in the CA certificate is consistent with the Hologres endpoint that is specified during the connection establishment.

    • disable: The client does not use SSL for encrypted transmission.

    certificate folder

    The storage path of the CA certificate.

    If you set SSL Mode to verify-ca or verify-full, you must configure this parameter.

    Port

    The public port number of the Hologres instance.

    Example: 80.

    Endpoint

    The public endpoint of the Hologres instance.

    Example: xxx-cn-hangzhou.hologres.aliyuncs.com.

    Database

    The name of the Hologres database to which you want to connect.

    After you purchase a Hologres instance, a database named postgres is automatically created.

    You can connect to the postgres database. However, limited resources are allocated to this database. We recommend that you go to the Hologres console and create a database to ensure sufficient resources for your business. For more information, see Create a database.

    Example: mydb.

  • Verification

    If you set the PGSSLMODE parameter to require and the following message appears when you connect to Hologres, the connection is encrypted by using SSL.传输加密

Use a JDBC driver to connect to the Hologres instance

If you use a JDBC driver to connect to the Hologres instance, you can use the ssl and sslmode parameters to specify whether to enable SSL-encrypted transmission. The connection results in Hologres vary based on the value of each parameter. The following table describes the mappings between values and results.

SSL-encrypted transmission enabled for the Hologres instance

ssl

sslmode

Result

Yes

true

  • require

  • verify-ca

  • verify-full

You can connect the client to the Hologres instance and perform operations. Data is encrypted when it is transmitted between the client and the Hologres instance.

Yes

false

  • require

  • verify-ca

  • verify-full

You can connect the client to the Hologres instance and perform operations. Data is not encrypted when it is transmitted between the client and the Hologres instance.

No

true

  • require

  • verify-ca

  • verify-full

An error message shown in the following figure is reported.

image.png

No

false

  • require

  • verify-ca

  • verify-full

You can connect the client to the Hologres instance and perform operations. Data is not encrypted when it is transmitted between the client and the Hologres instance.

Sample code

// Specify the endpoint of the Hologres instance.
 String hostname = "hgxxxxxxx-cn-hangzhou-vpc.hologres.aliyuncs.com:80";
 // Specify the port number of the Hologres instance.
 String port = "80";
 // Specify the name of the database to which you want to connect.
 String dbname = "postgres";

 String jdbcUrl = "jdbc:postgresql://" + hostname + ":" + port + "/" + dbname+"?binaryTransfer=true";

 Properties properties = new Properties();
 // Specify the AccessKey ID that is used to connect to the database. We recommend that you configure environment variables and obtain the AccessKey ID from the environment variables. 
 properties.setProperty("user", "accessid");
 // Specify the AccessKey secret that is used to connect to the database. We recommend that you configure environment variables and obtain the AccessKey secret from the environment variables. 
 properties.setProperty("password", "accesskey");

  // Use SSL for encrypted transmission.
  properties.setProperty("ssl", "true");

  // Specify the public key of the CA.
  properties.setProperty("sslrootcert", path + "/" + "hologres_certificate.crt");

  // Specify the SSL connection mode. Valid values: require, verify-ca, and verify-full.
  properties.setProperty("sslmode", "verify-full");

  try {
      Class.forName("org.postgresql.Driver");
      Connection connection = DriverManager.getConnection(jdbcUrl, properties);
      // In this example, the database named postgres contains a table named example, and data is queried from the table. 
      PreparedStatement preparedStatement = connection.prepareStatement("select * from " +
              "example");
      ResultSet resultSet = preparedStatement.executeQuery();
      while (resultSet.next()) {
          ResultSetMetaData rsmd = resultSet.getMetaData();
          int columnCount = rsmd.getColumnCount();
          Map map = new HashMap();
          for (int i = 0; i < columnCount; i++) {
              map.put(rsmd.getColumnName(i + 1).toLowerCase(), resultSet.getObject(i + 1));
          }
          System.out.println(map);
      }
  } catch (Exception exception) {
      exception.printStackTrace();
  }