ApsaraDB RDS:Configure SSL encryption

Last Updated:Sep 15, 2023

This topic describes how to configure SSL encryption for your ApsaraDB RDS for SQL Server instance to improve the security of connections. You must enable SSL encryption for your RDS instance and install the SSL certificates that are issued by certificate authorities (CAs) for your application. SSL encrypts the network connections that are established between your RDS instance and your application at the transport layer. This helps improve the security and integrity of data in transit but increases the response time.

Background information

SSL was developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. The term SSL encryption is still used in the industry. In this topic, SSL encryption refers to TLS encryption.

Note

ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.

Usage notes

  • An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update its validity period. If you do not update the validity period of the SSL certificate, applications or clients that use encrypted network connections can no longer connect to your RDS instance. For more information about how to update the validity period of an SSL certificate, see Configure SSL encryption for an ApsaraDB RDS for SQL Server instance.

  • When you enable SSL encryption or update the SSL certificate for your RDS instance, the RDS instance restarts. The RDS instance is unavailable for a few minutes during the restart.

  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the connections to the public endpoint of your RDS instance. In most cases, connections that are established to the internal endpoint of your RDS instance are secure and do not require SSL encryption.

  • SSL encryption is not supported for the connections to the read/write splitting endpoint of your RDS instance. For more information about the feature, see Enable the read-only routing endpoint to implement read/write splitting.

Enable SSL encryption

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the SSL tab, turn on Disabled.

  4. In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.

    Note
    • After SSL encryption is enabled, connections that are established to the RDS instance can be encrypted. You can connect your database client to your RDS instance over an SSL connection or non-SSL connection.

    • You can encrypt connections that are established to the internal or public endpoint of your RDS instance based on your business requirements. You cannot encrypt both types of connections at the same time.

  5. On the SSL tab, click Download CA Certificate to download the SSL certificate.

    The file that you downloaded is a package, which contains the following three files:

    • P7B file: a CA certificate file that is used for a Windows operating system.

    • PEM file: a CA certificate file that is used for an operating system or application that is not Windows-based.

    • JKS file: an SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from an SSL certificate chain into Java-based applications. The default password is apsaradb.

    Important

    When you use the JKS file in JDK 7 or JDK 8, you must modify the following default JDK security configuration items in the jre/lib/security/java.security file on the host on which your application resides:

    jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
    jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

    If you do not modify these configurations, the following error is reported. In most cases, other similar errors are also caused by invalid Java security configurations:

    javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Configure an SSL certificate

After you enable SSL encryption, you must configure an SSL certificate on your application or client. This topic provides an example on how to use SQL Server Management Studio (SSMS) to install an SSL certificate. If you want to use other applications or clients, see the related instructions.

  1. Enter certmgr.msc in the search box in the lower-left corner of the desktop and open certmgr.msc.

  2. In the certmgr dialog box, right-click Trusted Root Certification Authorities.

  3. Choose All Tasks > Import.

  4. Click Next.

  5. In the Certificate Import Wizard dialog box, click Browse to import the SSL certificate that you downloaded, and click Next. For more information about how to download an SSL certificate, see Configure SSL encryption for an ApsaraDB RDS for SQL Server instance.

  6. Select a directory to store the SSL certificate based on your business requirements and click Next.

  7. Click Finish and wait until the certificate is imported.

  8. Open SSMS and click Options in the lower-right corner of the dialog box.

  9. On the Connection Properties tab, select Encrypt connection and Trust server certificate, and click Connect.

  10. Execute the following statement. If TRUE is returned, the connection is encrypted.

    SELECT ENCRYPT_OPTION FROM SYS.DM_EXEC_CONNECTIONS WHERE SESSION_ID = @@SPID

Update the validity period of the SSL certificate

An SSL certificate remains valid for one year. Before the SSL certificate in use expires, you must update its validity period. If you do not update the validity period of the SSL certificate, applications or clients that use encrypted network connections can no longer connect to your RDS instance.

Important

Updating the validity period of an SSL certificate causes your RDS instance to restart. Proceed with caution when you update the validity period of the SSL certificate.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane, click Data Security.

  3. On the page that appears, click the SSL tab. Click Update Validity.

Disable SSL encryption

Important
  • When you disable SSL encryption, your RDS instance restarts. In this case, the system triggers a primary/secondary switchover to reduce the impact on your workloads. We still recommend that you disable SSL encryption during off-peak hours.

  • After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.

  • If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane of the page that appears, click Data Security.

  3. On the page that appears, click the SSL tab.

  4. In the SSL Settings section, turn off SSL Encryption. In the dialog box that appears, click OK.

Appendix: Sample code for connections over SSL

Python example:

# -*- coding:utf-8 -*-

import pyodbc

# pyodbc delegates the TLS handshake to the ODBC driver. A Python ssl.SSLContext is
# not used by pyodbc.connect() and is therefore omitted here. The driver validates the
# server certificate against the operating system trust store, so import the downloaded
# CA certificate (for example D:\ca\ApsaraDB-CA-Chain.pem) into that store first, as
# described in "Configure an SSL certificate" above.

# Establish a connection.
# SERVER specifies the endpoint of the server on which the required database resides.
# DATABASE specifies the name of the database that you want to connect to. UID and PWD
# specify the username and password that are required to log on to the database.
# Encrypt=yes enables SSL encryption. TrustServerCertificate=no (the driver default)
# keeps validation of the server certificate against the CA enabled.
conn = pyodbc.connect(
    'DRIVER={ODBC Driver 17 for SQL Server};'
    'SERVER=rm-2zec********.sqlserver.rds.aliyuncs.com;'
    'DATABASE=master;UID=zhttest;PWD=zht****;'
    'Encrypt=yes;TrustServerCertificate=no'
)
try:
    cursor = conn.cursor()
    cursor.execute('SELECT @@version')
    for row in cursor.fetchall():
        print(row)
finally:
    # Close the connection.
    conn.close()

C# example:

using System;
using System.Data.SqlClient;

namespace SqlConnectionSSLExample
{
    class Program
    {
        static void Main(string[] args)
        {
            // Establish a connection.
            // Data Source specifies the IP address of the server on which the required SQL Server database resides. Initial Catalog specifies the name of the required database that you want to connect. User ID specifies the username that is required to connect to the database. Password specifies the password that is required to connect to the database. Encrypt specifies whether to enable SSL-encrypted transmission. The value of true indicates that SSL encryption is enabled. 
            string connectionString = "Data Source=rm-2ze********.sqlserver.rds.aliyuncs.com;Initial Catalog=master;User ID=zhttest;Password=zht****;Encrypt=true;";
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                // Open the connection.
                connection.Open();
                try
                {
                    // Execute an SQL statement.
                    SqlCommand cmd = new SqlCommand("SELECT @@version", connection);

                    string result = cmd.ExecuteScalar().ToString();

                    Console.WriteLine(result);
                }
                catch (Exception ex)
                {
                    Console.WriteLine($"Error: {ex.Message}");
                }
            }
        }
    }
}
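
Both samples above rely on the Encrypt keyword, and the SSMS steps earlier select Trust server certificate, which makes the client accept any server certificate instead of validating it against the downloaded CA. The following Python check is an added example, not Alibaba Cloud code: it parses ODBC and ADO.NET connection strings (hostnames and credentials are constructed placeholders) and flags both weaknesses before a string is deployed.

```python
"""Audit SQL Server connection strings for transport-encryption settings.

Added example, not part of the ApsaraDB documentation. Handles both the ODBC
(Encrypt=yes) and ADO.NET (Encrypt=true) spellings of the keywords."""
import re

# Values that turn a boolean connection-string keyword on. "mandatory" and
# "strict" are the Encrypt values accepted by ODBC Driver 18 for SQL Server.
TRUE_VALUES = {"yes", "true", "1", "mandatory", "strict"}

# One key=value pair; a value wrapped in {} (DRIVER={ODBC Driver 17 for SQL
# Server}) may itself contain semicolons and is kept whole.
_PAIR = re.compile(r"\s*([^=;]+?)\s*=\s*(\{[^}]*\}|[^;]*?)\s*(?:;|$)")


def parse_connection_string(conn_str: str) -> dict:
    """Return {normalized_key: value}; keys are lowercased with spaces removed,
    so 'Trust Server Certificate' and 'TrustServerCertificate' compare equal."""
    return {m.group(1).lower().replace(" ", ""): m.group(2)
            for m in _PAIR.finditer(conn_str)}


def audit_connection_string(conn_str: str) -> list:
    """Return a list of findings; an empty list means the string requests an
    encrypted connection and keeps CA validation of the server certificate."""
    settings = parse_connection_string(conn_str)
    findings = []
    if settings.get("encrypt", "").lower() not in TRUE_VALUES:
        findings.append("Encrypt is missing or off: credentials and data travel in clear text")
    if settings.get("trustservercertificate", "").lower() in TRUE_VALUES:
        findings.append("TrustServerCertificate is on: the server certificate is not "
                        "checked against the CA, so a spoofed server is accepted")
    return findings


# Constructed sample strings (placeholder host and credentials).
SAMPLES = {
    "odbc_ok": "DRIVER={ODBC Driver 17 for SQL Server};SERVER=rm-xxxx.sqlserver.rds.aliyuncs.com;"
               "DATABASE=master;UID=app;PWD=placeholder;Encrypt=yes;TrustServerCertificate=no",
    "adonet_trusts_any_cert": "Data Source=rm-xxxx.sqlserver.rds.aliyuncs.com;Initial Catalog=master;"
                              "User ID=app;Password=placeholder;Encrypt=true;Trust Server Certificate=True;",
    "adonet_plaintext": "Data Source=rm-xxxx.sqlserver.rds.aliyuncs.com;Initial Catalog=master;"
                        "User ID=app;Password=placeholder;",
}

if __name__ == "__main__":
    for name, conn_str in SAMPLES.items():
        print(name, "->", audit_connection_string(conn_str) or ["OK"])
```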

In SQL Server, you can execute the following statements to check whether SSL encryption is enabled for the current connection:

SELECT session_id,encrypt_option
FROM sys.dm_exec_connections;
GO

If the session ID of the current connection is returned when the sys.dm_exec_connections dynamic management view is queried and the value of the encrypt_option column for that session is TRUE, SSL encryption is enabled for the connection.

FAQ

What are the impacts on my business if I do not renew an expired SSL certificate? Does an error occur on my RDS instance or is data security decreased?

If you do not renew the SSL certificate after it expires, your RDS instance can continue to run as expected and data security is not compromised. Applications that are connected to your RDS instance over encrypted connections are disconnected.