PolarDB: Configure a custom certificate

Last Updated: Jul 09, 2024

A PolarDB for PostgreSQL (Compatible with Oracle) cluster allows you to configure Secure Sockets Layer (SSL) on the primary endpoint or a cluster endpoint by using a custom certificate. This topic describes how to configure SSL by using a custom certificate.

Prerequisites

  • The cluster runs PolarDB for PostgreSQL (Compatible with Oracle) 2.0 or later whose revision version is 2.0.14.21.0 or later. You can configure a custom certificate or a client CA certificate on the primary endpoint only when the cluster runs one of these versions.

  • The PolarProxy version of the cluster is 2.3.51 or later. You can configure a custom certificate or a client CA certificate on the default cluster endpoint or a custom cluster endpoint only when PolarProxy runs one of these versions.

  • OpenSSL is installed.

    Note

    Linux operating systems are provided with OpenSSL. If you use a Linux operating system, you do not need to install OpenSSL.

    If you use a Windows operating system, you must download and install the OpenSSL software package.

Usage notes

  • SSL causes increased CPU utilization and higher read/write latency.

  • After you enable SSL, you must close and reestablish the existing connections for SSL to take effect.

  • When you configure a custom certificate, modify the content of the configured custom certificate, or disable SSL, existing connections are briefly interrupted (a transient connection). We recommend that you perform these operations during off-peak hours.

Step 1: Create a custom certificate

Warning

When you create a private key for the server certificate or the self-signed certificate, do not enable password encryption. If you enable password encryption, you cannot enable SSL.

In this example, Community Enterprise Operating System (CentOS) is used. If you use a Windows operating system, you can run the openssl commands in the same manner as in CentOS, but you must manually copy and edit the required files instead of running the cp and vim commands.

  1. Create a self-signed certificate (ca.crt) and a private key for the self-signed certificate (ca.key).

    openssl req -new -x509 -days 3650 -nodes -out ca.crt -keyout ca.key -subj "/CN=root-ca"
  2. Create a server certificate signing request file (server.csr) and a private key for the server certificate signing request file (server.key). A custom certificate can protect the primary endpoint or one or more cluster endpoints. You can use one of the following methods to generate a server certificate signing request file:

    1. If you want to protect a single endpoint, run the following command:

      openssl req -new -nodes -text -out server.csr -keyout server.key -subj "/CN=pe-xxx.rwlb.rds.aliyuncs.com"
      Note

      In the command, pe-xxx.rwlb.rds.aliyuncs.com is used only as an example. Replace it with the actual endpoint that you want to protect.

    2. If you want to protect multiple endpoints, run the following commands:

      1. Copy the openssl.cnf file for temporary use.

        cp /etc/pki/tls/openssl.cnf  /tmp/openssl.cnf
        Note

        In a Windows operating system, the openssl.cnf file is stored in the OpenSSL installation directory \bin\cnf. You can copy the openssl.cnf file to another directory on your computer.

      2. Run the following command to open the openssl.cnf file:

        vim /tmp/openssl.cnf
      3. Press the i key to enter the edit mode. Then, add the following content to the openssl.cnf file:

        # Add the following content at the end of the [ req ] element.
        req_extensions = v3_req
        
        # Add the [ v3_req ] element.
        [ v3_req ]
        basicConstraints = CA:FALSE
        keyUsage = nonRepudiation, digitalSignature, keyEncipherment
        subjectAltName = @alt_names
        
        # Add the [ alt_names ] element. Enter the endpoint that you want to protect following each Domain Name System (DNS) record.
        [ alt_names ]
        DNS.1 = pc-bpxxxxx.pg.rds.aliyuncs.com
        DNS.2 = pc-bpxxxxx.pg.rds.aliyuncs.com
      4. Press the Esc key to exit the edit mode. Then, enter :wq to save the openssl.cnf file and exit.

      5. Create a server certificate signing request file (server.csr) and a private key for the server certificate signing request file (server.key).

        openssl req -new -nodes -text -out server.csr -keyout server.key -config /tmp/openssl.cnf

        While the server certificate signing request file is created, you are prompted to configure parameters based on your business requirements. The following list describes the parameters and gives an example value for each.

        • Country Name: the code for the country in which the cluster resides. Example: CN.

        • State or Province Name: the province in which the cluster resides. Example: ZheJiang.

        • Locality Name: the city in which the cluster resides. Example: HangZhou.

        • Organization Name: the name of the enterprise that purchases the cluster. Example: Alibaba.

        • Organizational Unit Name: the name of the department that uses the cluster. Example: Aliyun.

        • Common Name: the domain name for which the SSL certificate is requested. The domain name is specified in the openssl.cnf file, so you do not need to configure this parameter. Example: -.

        • Email Address: you do not need to configure this parameter. Example: -.

        • A challenge password: you do not need to configure this parameter. Example: -.

        • An optional company name: you do not need to configure this parameter. Example: -.

  3. Create a server certificate (server.crt).

    • If you want to protect a single endpoint, run the following command:

      openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt
    • If you want to protect multiple endpoints, run the following command:

      openssl x509 -req -in server.csr -text -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt -extensions v3_req -extfile /tmp/openssl.cnf

After you complete the preceding configurations, run the ls command to view the generated files:

# ls
ca.crt  ca.key  ca.srl  server.crt  server.csr  server.key

Of the generated files, the following four are the ones you use:

  • server.crt: the server certificate.

  • server.key: the private key for the server certificate.

  • ca.crt: the self-signed certificate.

  • ca.key: the private key for the self-signed certificate.
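As an added example (not part of the PolarDB documentation), the following POSIX shell script performs the whole Step 1 procedure for any number of endpoints using a self-contained openssl.cnf instead of a copy of the distribution's file, and then runs the checks worth doing before the files are pasted into the console: the key is unencrypted (as the Warning requires), server.crt chains to ca.crt, the key matches the certificate, and each endpoint appears as a SAN entry. The directory and endpoint names passed to make_certs are placeholders that you supply.

```shell
#!/bin/sh
set -eu

# make_certs DIR ENDPOINT [ENDPOINT...]: writes ca.crt, ca.key, server.csr, server.key
# and server.crt into DIR. The ENDPOINT values are placeholders supplied by the caller.
make_certs() {
    dir=$1; shift
    mkdir -p "$dir"
    # Self-contained openssl.cnf with the [ v3_req ] and [ alt_names ] sections from the
    # page plus a CA section, so nothing depends on /etc/pki/tls/openssl.cnf existing.
    {
        printf '[ req ]\ndistinguished_name = dn\nreq_extensions = v3_req\nprompt = no\n'
        printf '[ dn ]\nCN = %s\n' "$1"
        printf '[ v3_ca ]\nbasicConstraints = critical, CA:TRUE\nkeyUsage = keyCertSign, cRLSign\n'
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n[ alt_names ]\n'
        i=1; for ep in "$@"; do printf 'DNS.%d = %s\n' "$i" "$ep"; i=$((i + 1)); done
    } >"$dir/openssl.cnf"
    # Self-signed CA. -nodes leaves the key unencrypted, which the Warning requires.
    openssl req -new -x509 -days 3650 -nodes -config "$dir/openssl.cnf" -extensions v3_ca \
        -subj "/CN=root-ca" -out "$dir/ca.crt" -keyout "$dir/ca.key" 2>/dev/null
    # CSR whose subject and SANs come from the config file (no interactive prompts).
    openssl req -new -nodes -config "$dir/openssl.cnf" \
        -out "$dir/server.csr" -keyout "$dir/server.key" 2>/dev/null
    # Sign the CSR and copy the v3_req extensions (SANs) into the server certificate.
    openssl x509 -req -in "$dir/server.csr" -days 365 -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -extensions v3_req -extfile "$dir/openssl.cnf" 2>/dev/null
}

# verify_certs DIR ENDPOINT: returns 0 only if every check passes.
verify_certs() {
    dir=$1; ep=$2
    # A passphrase-protected key (PKCS#8 "ENCRYPTED" or legacy "Proc-Type: 4,ENCRYPTED")
    # cannot be used to enable SSL on the cluster.
    if grep -q ENCRYPTED "$dir/server.key"; then echo "server.key is encrypted"; return 1; fi
    # The server certificate must chain to the CA certificate that clients will trust.
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 \
        || { echo "server.crt does not chain to ca.crt"; return 1; }
    # The private key must belong to the certificate (compare the derived public keys).
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] \
        || { echo "server.key does not match server.crt"; return 1; }
    # Hostname verification matches the endpoint against the SAN list, not the CN alone.
    openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$ep" \
        || { echo "no SAN entry for $ep"; return 1; }
    return 0
}
```

Run it as `make_certs ./certs pc-xxx.pg.rds.aliyuncs.com pe-xxx.rwlb.rds.aliyuncs.com && verify_certs ./certs pc-xxx.pg.rds.aliyuncs.com` with your own endpoints; a non-zero exit and a one-line reason mean the files should not be uploaded yet.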

Step 2: Use the created custom certificate to enable SSL

  1. Log on to the PolarDB console.

  2. In the upper-left corner of the Clusters page, select the region in which the cluster that you want to manage is deployed.

  3. Find the cluster and click the cluster ID.

  4. In the left-side navigation pane, choose Settings and Management > Security.

  5. On the SSL Settings tab, select the primary or cluster endpoint that you want the custom certificate to protect, and turn on SSL Status or click Configure Database Certificate to enable SSL.

  6. In the Configure Database Certificate dialog box, select Custom Certificate, configure the server certificate and private key parameters, and then click OK.


    The following list describes the parameters.

    • Server Certificate: enter the content of the server certificate. For information about how to obtain the server certificate, see Step 1: Create a custom certificate. Copy all content from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- into this field.

    • Private Key of Server Certificate: enter the content of the private key for the server certificate. For information about how to obtain the private key for the server certificate, see Step 1: Create a custom certificate. Copy all content from -----BEGIN PRIVATE KEY----- to -----END PRIVATE KEY----- into this field.

If you specify multiple endpoints to protect when you create the certificate, you can find multiple records in the SSL-protected Endpoint parameter.


Step 3: Connect to the cluster from a client

You can connect to a PolarDB for PostgreSQL (Compatible with Oracle) cluster over SSL. For more information, see Connect to a PolarDB for PostgreSQL (Compatible with Oracle) cluster over SSL.

Step 4: (Optional) Change the custom certificate

Note

Existing connections are briefly interrupted (a transient connection) when you change a custom certificate. Proceed with caution.

If you want to change the custom certificate, go to the SSL Settings page. Find the primary or cluster endpoint and click Configure Database Certificate. In the dialog box that appears, enter the paths of the new certificate and the private key for the new certificate, and then click OK.


Step 5: (Optional) Disable SSL

Note

Existing connections are briefly interrupted (a transient connection) when you disable SSL. Proceed with caution.

To disable SSL, go to the SSL Settings page. Find the primary or cluster endpoint and turn off SSL Status. In the Disable SSL message, click OK.
