This topic describes how to make data transmission more security by configuring SSL encryption. You must enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) in the required applications. SSL is used to encrypt connections at the transport layer and enhance the security and integrity of the transmitted data. However, SSL encryption increases the round-trip time.

Background information

SSL is developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. The term "SSL encryption" is still used in the industry. In this topic, SSL encryption refers to TLS encryption.

Precautions

  • The validity period of an SSL certificate is one year. You must renew an SSL certificate before the SSL certificate expires. In addition, you must download the required SSL certificate file and configure the SSL certificate again after you renew the SSL certificate. Otherwise, clients that are connected to your PolarDB cluster through encrypted connections are disconnected. For more information about how to renew an SSL certificate, see Renew an SSL certificate.
  • SSL encryption may cause a sharp increase in CPU utilization. We recommend that you enable SSL encryption only if you want to encrypt the connections that are established to the public endpoint of your instance. In most cases, connections that are established to the internal endpoint of your instance are secure and do not require SSL encryption.
  • After you change the endpoint for which SSL encryption is enabled, the SSL certificate is automatically renewed and the cluster is restarted. Proceed with caution.
  • After you renew an SSL certificate, the cluster is automatically restarted. Proceed with caution.
  • To enable SSL encryption, the endpoint of the PolarDB cluster must be less than 64 characters in length. For more information about how to modify an endpoint, see Configure the PolarDB proxy.

Enable SSL encryption and download an SSL certificate

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster that you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn on SSL to enable SSL encryption.
    Enable SSL encryption
    Note
    • You can enable SSL encryption only for the primary endpoints of PolarDB for MySQL 5.6 and PolarDB for MySQL 5.7 clusters.
    • You can enable SSL encryption for the primary endpoints, cluster endpoints, and custom endpoints of PolarDB for MySQL 8.0 clusters.
  6. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
    Note You can select a public endpoint or an internal endpoint as needed. However, you can select only one endpoint.
    Enable SSL encryption
  7. After the status of SSL encryption changes to Enabled, click Download Certificate.
    Download a certificate

    The downloaded package contains the following files:

    • A P7B file. This file is used to import the CA certificate to a Windows system.
    • A PEM file. This file is used to import the CA certificate to other operating systems or applications.
    • A JKS file. This file is a truststore for Java. The password is apsaradb. The file is used to import the CA certificate chain to Java programs.
      Note When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the jre/lib/security/java.security file on the server that is connected to the PolarDB cluster and modify the following configurations:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify these configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    If you want to change the endpoint for which SSL encryption is enabled, click Configure SSL. Configure SSL encryption
    Notice After you change the endpoint for which SSL encryption is enabled, the SSL certificate is automatically renewed and the PolarDB cluster is restarted. Proceed with caution.

Configure an SSL certificate

After you enable SSL encryption, you must configure an SSL certificate. The SSL certificate is required for your application or client to connect to your PolarDB cluster. In this section, MySQL Workbench and Navicat are used as examples to describe how to configure an SSL certificate. If you want to use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL certificate file, as shown in the following figure.
    1

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database and click Edit Connection.
    2
  3. Click the SSL tab and select the path of the PEM certificate file, as shown in the following figure.
    3
  4. Click OK.
    Note If the system displays the Connection with same connection name already exists in the project. error, this indicates that you did not close the exiting connection. Close Navicat and open it again.
  5. Double-click your database to check whether Navicat can connect to the database.
    4

Renew an SSL certificate

This section describes how to renew an SSL certificate. After you change the endpoint for which SSL encryption is enabled or when the expiration date of the SSL certificate is close, you must renew the SSL certificate.
Note After you renew an SSL certificate, the cluster is automatically restarted. Proceed with caution.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster that you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click Update Validity Period.
    Renew an SSL certificate
  6. In the message that appears, click OK.
  7. After the SSL certificate is renewed, download and configure the SSL certificate again.
    Note

Enable automatic certificate rotation

After you enable automatic certificate rotation, PolarDB automatically renews an SSL certificate within 10 days before the SSL certificate expires. The certificate is renewed at a point in time within the maintenance window of the cluster.
Note If you enable automatic certificate rotation, your cluster is automatically restarted after the SSL certificate is renewed. Proceed with caution.
  1. On the SSL Settings tab, click Advanced Settings. Automatic certificate rotation
  2. In the Advanced Settings dialog box, select On for Automatic Certificate Rotation and click Confirm. Automatic certificate rotation

Disable SSL encryption

Note
  • After you disable SSL encryption, the cluster is restarted. We recommend that you perform this operation during off-peak hours.
  • After SSL encryption is disabled, the performance of your cluster is improved but data security is compromised. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region where the cluster that you want to manage is deployed.
  3. Find the cluster that you want to manage and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn off SSL to disable SSL encryption.
  6. In the message that appears, click OK.

Related API operations

API Description
DescribeDBClusterSSL Queries the SSL encryption settings of a specified PolarDB cluster.
ModifyDBClusterSSL Enables SSL encryption, disables SSL encryption, or renews the SSL certificate for a specified PolarDB cluster.