This topic describes how to make data transmission more secure by configuring Secure Sockets Layer (SSL) encryption. You must enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) in the required applications. SSL is used to encrypt connections at the transport layer and enhance the security and integrity of the transmitted data. However, SSL encryption increases the round-trip time.

Background information

SSL was developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). However, the term "SSL encryption" is still widely used in the industry. In this topic, SSL encryption refers to TLS encryption.

Usage notes

  • The validity period of an SSL certificate is one year. You must renew an SSL certificate before the SSL certificate expires. In addition, you must download the required SSL certificate file and configure the SSL certificate again after you renew the SSL certificate. Otherwise, clients that are connected to your cluster over encrypted connections are disconnected. For more information about how to renew an SSL certificate, see Renew an SSL certificate.
  • SSL encryption may cause a sharp increase in CPU utilization. We recommend that you enable SSL encryption only if you want to encrypt the connections that are established to the public endpoint of your cluster. In most cases, connections that are established to the internal endpoint of your cluster are secure and do not require SSL encryption.
  • After you change the endpoint for which SSL encryption is enabled, the SSL certificate is automatically renewed and the cluster is restarted. Proceed with caution.
  • After you renew an SSL certificate, the cluster is automatically restarted. Proceed with caution.
  • To enable SSL encryption, the endpoint of the PolarDB cluster must be less than 64 characters in length. For more information about how to modify an endpoint, see Configure PolarProxy.
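
The usage notes above state that the certificate is valid for one year and that clients on encrypted connections are disconnected once it expires, and the automatic-rotation section later on this page states that PolarDB renews the certificate, and restarts the cluster, within 10 days before expiry. The following script is an added example that is not part of the PolarDB documentation: it reads the downloaded PEM bundle with Python's standard ssl module and reports how many days each CA certificate has left, so that the re-download and client reconfiguration can be scheduled before either event. The file name polardb-ca.pem, the 30-day warning margin and the exit-code convention are assumptions, not values from the page.

```python
"""Report the remaining validity of the CA certificates in a downloaded
PolarDB PEM bundle, using only the Python standard library.

Added example; file name, warning margin and exit codes are assumptions.
"""
import ssl
import sys
import time

ROTATION_WINDOW_DAYS = 10  # the window the page gives for automatic rotation
WARN_DAYS = 30             # assumption: warn before the rotation window opens


def parse_cert_time(not_after):
    """Convert a 'notAfter' string as returned in ssl's certificate dicts
    (for example 'Jan  5 09:34:43 2030 GMT') to a Unix timestamp."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after, now=None):
    """Days (float) until the certificate stops being valid; negative if expired."""
    if now is None:
        now = time.time()
    return (parse_cert_time(not_after) - now) / 86400.0


def classify(days):
    """Map remaining validity to an operator-facing status."""
    if days < 0:
        return "EXPIRED"          # chain verification on clients fails now
    if days <= ROTATION_WINDOW_DAYS:
        return "ROTATION_WINDOW"  # automatic rotation and a restart may happen any day
    if days <= WARN_DAYS:
        return "WARN"
    return "OK"


def load_ca_bundle(pem_path):
    """Load the PEM file into a fresh client context (no system CAs) and
    return the dicts ssl exposes for the CA certificates it recognised."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()


def check_bundle(pem_path, now=None):
    """Return a list of (common_name, days_left, status) for the bundle."""
    results = []
    for cert in load_ca_bundle(pem_path):
        subject = cert.get("subject", ())
        cn = next((v for rdn in subject for k, v in rdn if k == "commonName"), "?")
        days = days_until_expiry(cert["notAfter"], now)
        results.append((cn, days, classify(days)))
    return results


if __name__ == "__main__":
    # Usage: python check_ca_expiry.py polardb-ca.pem   (hypothetical file name)
    path = sys.argv[1] if len(sys.argv) > 1 else "polardb-ca.pem"
    severity = {"OK": 0, "WARN": 1, "ROTATION_WINDOW": 2, "EXPIRED": 3}
    worst = 0
    for cn, days, status in check_bundle(path):
        print(f"{status:16} {days:8.1f} days left  {cn}")
        worst = max(worst, severity[status])
    sys.exit(worst)  # non-zero exit lets a cron job or monitor raise an alert
```

Run it against the PEM file from the downloaded package on a schedule; a non-zero exit code means a renewal, and therefore a cluster restart and a client reconfiguration, is approaching.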

Enable SSL encryption and download an SSL certificate

  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn on SSL to enable SSL encryption.
    Note You can enable SSL encryption for the primary endpoints, cluster endpoints, and custom endpoints of PolarDB for MySQL 8.0, 5.7, and 5.6 clusters.
  6. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
    Note You can select a public endpoint or an internal endpoint as needed. However, you can select only one endpoint.
  7. After the state of SSL encryption changes to Enabled, click Download Certificate.

    The downloaded package contains the following files:

    • A P7B file. This file is used to import the CA certificate to a Windows system.
    • A PEM file. This file is used to import the CA certificate to other operating systems or applications.
    • A JKS file. This file is a truststore for Java. The password is apsaradb. The file is used to import the CA certificate chain to Java programs.
      Note When the JKS file is used in Java, you must modify the default JDK security configuration in JDK 7 and JDK 8. Open the jre/lib/security/java.security file on the server that is connected to the PolarDB cluster and modify the following configurations:
      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not apply these configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
    If you want to change the endpoint for which SSL encryption is enabled, click Configure SSL.
    Important After you change the endpoint for which SSL encryption is enabled, the SSL certificate is automatically renewed and the cluster is restarted. Proceed with caution.
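
The JDK note in step 7 asks you to set two properties in jre/lib/security/java.security. The following script is an added example, not a tool from this page or from the JDK: it applies exactly the two values given above, handles the backslash continuation lines that real java.security files use for long jdk.tls.disabledAlgorithms values, leaves every other property untouched, and keeps a backup of the original file. The constructed SAMPLE text and the .bak suffix are assumptions.

```python
"""Apply the jdk.*.disabledAlgorithms values from this page to a JDK 7/8
java.security file. Added example; not a PolarDB or JDK tool."""
import shutil
import sys

# The two properties and the exact values the page asks for.
REQUIRED = {
    "jdk.tls.disabledAlgorithms": "SSLv3, RC4, DH keySize < 224",
    "jdk.certpath.disabledAlgorithms": "MD2, RSA keySize < 1024",
}

# Constructed sample input (not a real JDK file); note the continuation line.
SAMPLE = """\
# constructed sample of jre/lib/security/java.security
jdk.certpath.disabledAlgorithms=MD2, MD5, RSA keySize < 1024
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 1024, \\
    EC keySize < 224
security.provider.1=sun.security.provider.Sun
"""


def _property_key(line):
    """Return the key of a 'key=value' properties line, or None for comments and blanks."""
    stripped = line.lstrip()
    if not stripped or stripped[0] in "#!" or "=" not in stripped:
        return None
    return stripped.split("=", 1)[0].strip()


def apply_settings(text, settings=REQUIRED):
    """Return (new_text, changed_keys).

    java.security is a Java properties file: a trailing backslash continues
    the value on the next physical line, so the logical line for a key is
    collected first and rewritten as a single line.
    """
    lines = text.splitlines()
    out, changed, seen = [], [], set()
    i = 0
    while i < len(lines):
        key = _property_key(lines[i])
        if key not in settings:
            out.append(lines[i])  # untouched, including other properties' continuations
            i += 1
            continue
        # Gather the continuation lines that belong to this property.
        j = i
        while lines[j].rstrip().endswith("\\") and j + 1 < len(lines):
            j += 1
        logical = " ".join(l.strip().rstrip("\\").strip() for l in lines[i:j + 1])
        current_value = logical.split("=", 1)[1].strip()
        if current_value != settings[key]:
            changed.append(key)
        out.append(f"{key}={settings[key]}")
        seen.add(key)
        i = j + 1
    # A property absent from the file is appended so the setting still takes effect.
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key}={value}")
            changed.append(key)
    return "\n".join(out) + "\n", changed


def update_file(path, backup_suffix=".bak"):
    """Rewrite the file in place, keeping a copy of the original; returns changed keys."""
    with open(path, encoding="utf-8") as fh:
        original = fh.read()
    new_text, changed = apply_settings(original)
    if changed:
        shutil.copy2(path, path + backup_suffix)  # backup suffix is an assumption
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(new_text)
    return changed


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("changed:", update_file(sys.argv[1]))
    else:
        # No path given: show the transformation on the constructed sample.
        print(apply_settings(SAMPLE)[0])
```

Run it with the path of the java.security file of the JDK that the application actually uses; running it a second time reports no changes, so it is safe to keep in a provisioning script.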

Configure an SSL certificate

After you enable SSL encryption, you must configure an SSL certificate. The SSL certificate is required for your application or client to connect to your PolarDB cluster. In this section, MySQL Workbench and Navicat are used as examples to describe how to configure an SSL certificate. If you want to use other applications or clients, see the related instructions.

Perform the following steps to configure an SSL certificate on MySQL Workbench:

  1. Start MySQL Workbench.
  2. Choose Database > Manage Connections.
  3. Enable Use SSL and import the SSL certificate file, as shown in the following figure.

Perform the following steps to configure an SSL certificate on Navicat:

  1. Start Navicat.
  2. Right-click the database and click Edit Connection.
  3. Click the SSL tab and select the path of the PEM certificate file, as shown in the following figure.
  4. Click OK.
    Note If the system displays the "Connection with same connection name already exists in the project." error, the existing connection was not closed. Close Navicat and open it again.
  5. Double-click your database to check whether Navicat can connect to the database.

Renew an SSL certificate

This section describes how to renew an SSL certificate. You must renew the SSL certificate after you change the endpoint for which SSL encryption is enabled or when the SSL certificate is about to expire.
Note After you renew an SSL certificate, the cluster is automatically restarted. Proceed with caution.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, click Update Validity Period.
  6. In the message that appears, click OK.
  7. After the SSL certificate is renewed, download and configure the SSL certificate again.

Enable automatic certificate rotation

After automatic certificate rotation is enabled, PolarDB automatically updates an SSL certificate during the maintenance window of the cluster within 10 days before the expiration date of the certificate.
Note If you enable automatic certificate rotation, your cluster is automatically restarted after the SSL certificate is renewed. Proceed with caution.
  1. On the SSL Settings tab, click Advanced Settings.
  2. In the Advanced Settings dialog box, select On for Automatic Certificate Rotation and click Confirm.

Disable SSL encryption

Note
  • After you disable SSL encryption, the cluster is restarted. We recommend that you perform this operation during off-peak hours.
  • After SSL encryption is disabled, the performance of your cluster is improved but data security is compromised. We recommend that you disable SSL encryption only in secure environments.
  1. Log on to the PolarDB console.
  2. In the upper-left corner of the console, select the region in which the cluster that you want to manage is deployed.
  3. Find the cluster and click the cluster ID.
  4. In the left-side navigation pane, choose Settings and Management > Security Management.
  5. On the SSL Settings tab, turn off SSL to disable SSL encryption.
  6. In the message that appears, click OK.

Related API operations

Operation              Description
DescribeDBClusterSSL   Queries the SSL encryption settings of a specified PolarDB cluster.
ModifyDBClusterSSL     Enables SSL encryption, disables SSL encryption, or renews the SSL certificate for a specified PolarDB cluster.