This topic describes how to configure SSL encryption for your ApsaraDB RDS for SQL Server instance to improve the security of connections. You must enable SSL encryption for your RDS instance and install the SSL certificates that are issued by certificate authorities (CAs) for your application. SSL encrypts the network connections that are established between your RDS instance and your application at the transport layer. This helps improve the security and integrity of data in transit but increases the response time.
Background information
SSL was developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to TLS. The term SSL encryption is still used in the industry. In this topic, SSL encryption refers to TLS encryption.
ApsaraDB RDS supports TLS 1.0, TLS 1.1, and TLS 1.2.
Usage notes
An SSL certificate remains valid for one year. Before the SSL certificate that is in use expires, you must update the validity period of the SSL certificate. If you do not update the validity period of the SSL certificate, your application or client that uses encrypted network connections cannot connect to your RDS instance. For more information about how to update the validity period of an SSL certificate, see Configure SSL encryption for an ApsaraDB RDS for SQL Server instance.
When you enable SSL encryption or update the SSL certificate for your RDS instance, the RDS instance restarts. The RDS instance is unavailable for a few minutes during the restart.
SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the connections to the public endpoint of your RDS instance. In most cases, connections that are established to the internal endpoint of your RDS instance are secure and do not require SSL encryption.
SSL encryption is not supported for the connections to the read/write splitting endpoint of your RDS instance. For more information about the feature, see Enable the read-only routing endpoint to implement read/write splitting.
Enable SSL encryption
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Data Security.
- On the SSL tab, turn on the switch that is labeled Disabled.
- In the Configure SSL dialog box, select the endpoint for which you want to enable SSL encryption and click OK.
Note: After SSL encryption is enabled, connections that are established to the RDS instance can be encrypted. You can connect your database client to your RDS instance over an SSL connection or non-SSL connection.
You can encrypt connections that are established to the internal or public endpoint of your RDS instance based on your business requirements. You cannot encrypt both types of connections.
- On the SSL tab, click Download CA Certificate to download the SSL certificate.
The file that you downloaded is a package, which contains the following three files:
P7B file: a CA certificate file that is used for a Windows operating system.
PEM file: a CA certificate file that is used for an operating system or application that is not Windows-based.
JKS file: an SSL certificate file that is stored in the Java-supported truststore. You can use this file to import the SSL certificate files from an SSL certificate chain into Java-based applications. The default password is apsaradb.
Important: When you use the JKS file in JDK 7 or JDK 8, you must modify the following default JDK security configuration items in the jre/lib/security/java.security file on the host on which your application resides:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
If you do not modify these configurations, the following error is reported. In most cases, other similar errors are also caused by invalid Java security configurations:
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
Configure an SSL certificate
After you enable SSL encryption, you must configure an SSL certificate on your application or client. This topic provides an example on how to use SQL Server Management Studio (SSMS) to install an SSL certificate. If you want to use other applications or clients, see the related instructions.
- Enter certmgr.msc in the search box in the lower-left corner of the desktop and open certmgr.msc.
- In the certmgr dialog box, right-click Trusted Root Certification Authorities.
- From the shortcut menu, choose the command that imports a certificate, and then click Next.
- In the Certificate Import Wizard dialog box, click Browse to import the SSL certificate that you downloaded, and click Next. For more information about how to download an SSL certificate, see Configure SSL encryption for an ApsaraDB RDS for SQL Server instance.
- Select a directory to store the SSL certificate based on your business requirements and click Next.
- Click Finish and wait until the certificate is imported.
- Open SSMS and click Options in the lower-right corner of the dialog box.
- On the Connection Properties tab, select Encrypt connection and Trust server certificate, and click Connect.
- Execute the following statement. If TRUE is returned, the connection is encrypted.
SELECT ENCRYPT_OPTION FROM SYS.DM_EXEC_CONNECTIONS WHERE SESSION_ID = @@SPID
Update the validity period of the SSL certificate
An SSL certificate remains valid for one year. Before the SSL certificate that is in use expires, you must update the validity period of the SSL certificate. If you do not update the validity period of the SSL certificate, your application or client that uses encrypted network connections cannot connect to your RDS instance.
Updating the validity period of an SSL certificate causes your RDS instance to restart. Proceed with caution when you update the validity period of the SSL certificate.
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane, click Data Security.
- On the page that appears, click the SSL tab. Click Update Validity.
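The one-year validity described above is easy to lose track of. The following is an added example, not code from this page or from Alibaba Cloud, that reads the PEM file from the downloaded certificate package and reports how many days remain before the earliest certificate in it expires. It uses only the Python standard library: a small DER walker pulls the notAfter field out of each certificate, so no third-party X.509 library is required. The path CA_PEM_PATH and the sample_certificate_pem helper are assumptions; the sample it builds is an unsigned certificate skeleton used only to exercise the parser offline.

```python
import base64
import datetime
import re

# Assumed path of the PEM file from the downloaded certificate package.
CA_PEM_PATH = "ApsaraDB-CA-Chain.pem"

def pem_to_der_certs(pem_text):
    """DER bytes of every certificate in a PEM file (a chain file may hold several)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]

def _der_tlv(buf, pos):
    """Read one DER tag-length-value element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _der_children(value):
    """Split the content of a DER SEQUENCE into (tag, value) children."""
    pos, children = 0, []
    while pos < len(value):
        tag, inner, pos = _der_tlv(value, pos)
        children.append((tag, inner))
    return children

def _parse_time(tag, value):
    """Decode X.509 Time: UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    text = value.decode("ascii")
    if tag == 0x17:
        year = int(text[:2])
        year += 1900 if year >= 50 else 2000  # two-digit year rule of RFC 5280
        text = f"{year}{text[2:]}"
    return datetime.datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=datetime.timezone.utc)

def certificate_validity(der):
    """Return (not_before, not_after) of a DER-encoded X.509 certificate."""
    _, cert, _ = _der_tlv(der, 0)           # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, tbs, _ = _der_tlv(cert, 0)           # TBSCertificate ::= SEQUENCE
    fields = _der_children(tbs)
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    validity = _der_children(fields[3][1])  # serialNumber, signature, issuer, validity, ...
    return _parse_time(*validity[0]), _parse_time(*validity[1])

def days_until_expiry(pem_text, now=None):
    """Days until the earliest notAfter among the certificates in the PEM text."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    not_afters = [certificate_validity(der)[1] for der in pem_to_der_certs(pem_text)]
    return (min(not_afters) - now).days

def _der_encode(tag, content):
    """Encode one DER element; used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def sample_certificate_pem(not_before, not_after):
    """Constructed, unsigned certificate skeleton with the given validity (test data, not a real CA)."""
    def utc(d):
        return _der_encode(0x17, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = _der_encode(0x30, b"".join([
        _der_encode(0xA0, _der_encode(0x02, b"\x02")),        # [0] version v3
        _der_encode(0x02, b"\x01"),                            # serialNumber
        _der_encode(0x30, b""),                                # signature (placeholder)
        _der_encode(0x30, b""),                                # issuer (placeholder)
        _der_encode(0x30, utc(not_before) + utc(not_after)),   # validity
        _der_encode(0x30, b""),                                # subject (placeholder)
    ]))
    der = _der_encode(0x30, tbs + _der_encode(0x30, b"") + _der_encode(0x03, b"\x00"))
    body = base64.b64encode(der).decode("ascii")
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"

def demo_days_remaining():
    """Worked case: a certificate valid 2024-01-01 to 2025-01-01, checked on 2024-06-30."""
    pem = sample_certificate_pem(datetime.datetime(2024, 1, 1), datetime.datetime(2025, 1, 1))
    return days_until_expiry(pem, now=datetime.datetime(2024, 6, 30, tzinfo=datetime.timezone.utc))

if __name__ == "__main__":
    with open(CA_PEM_PATH) as f:
        print(f"{CA_PEM_PATH}: {days_until_expiry(f.read())} days until expiry")
```

Run it against the PEM file from the package on a schedule and alert well before the count reaches zero; the page's Update Validity step restarts the instance, so the renewal needs a planned window rather than an emergency one.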
Disable SSL encryption
When you disable SSL encryption, your RDS instance restarts. In this case, the system triggers a primary/secondary switchover to reduce the impact on your workloads. We still recommend that you disable SSL encryption during off-peak hours.
After you disable SSL encryption, access performance increases, but security decreases. We recommend that you disable SSL encryption only in secure environments.
If you disable SSL encryption, your application can connect to your RDS instance only over a non-SSL connection.
- Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
- In the left-side navigation pane of the page that appears, click Data Security.
- On the page that appears, click the SSL tab.
- In the SSL Settings section, turn off SSL Encryption. In the dialog box that appears, click OK.
Appendix: Sample code for connections over SSL
# -*- coding:utf-8 -*-
import pyodbc

# pyodbc does not perform TLS itself and does not accept an ssl.SSLContext: the ODBC driver
# handles the handshake and validates the server certificate against the trust store of the host.
# Install the downloaded CA certificate (P7B on Windows, PEM elsewhere) in that trust store first.
# Establish a connection.
# SERVER specifies the host name of the server on which the required database resides. DATABASE specifies the name of the database that you want to connect to. UID specifies the username that is required to log on to the database. PWD specifies the password that is required to log on to the database. Encrypt specifies whether to enable SSL encryption. The value of yes indicates that SSL encryption is enabled. TrustServerCertificate=no keeps certificate validation enabled.
conn = pyodbc.connect(
    'DRIVER={ODBC Driver 17 for SQL Server};'
    'SERVER=rm-2zec********.sqlserver.rds.aliyuncs.com;'
    'DATABASE=master;UID=zhttest;PWD=zht****;'
    'Encrypt=yes;TrustServerCertificate=no'
)
cursor = conn.cursor()
cursor.execute('SELECT @@version')
rows = cursor.fetchall()
for row in rows:
    print(row)
# Close the connection.
conn.close()
using System;
using System.Data.SqlClient;

namespace SqlConnectionSSLExample
{
    class Program
    {
        static void Main(string[] args)
        {
            // Establish a connection.
            // Data Source specifies the host name of the server on which the required SQL Server database resides. Initial Catalog specifies the name of the database that you want to connect to. User ID specifies the username that is required to connect to the database. Password specifies the password that is required to connect to the database. Encrypt specifies whether to enable SSL-encrypted transmission. The value of true indicates that SSL encryption is enabled. TrustServerCertificate is left at its default of false so that the server certificate is validated against the CA certificate that you imported.
            string connectionString = "Data Source=rm-2ze********.sqlserver.rds.aliyuncs.com;Initial Catalog=master;User ID=zhttest;Password=zht****;Encrypt=true;";
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                try
                {
                    // Open the connection. A failed certificate validation surfaces here as an exception.
                    connection.Open();
                    // Execute an SQL statement.
                    SqlCommand cmd = new SqlCommand("SELECT @@version", connection);
                    string result = cmd.ExecuteScalar().ToString();
                    Console.WriteLine(result);
                }
                catch (Exception ex)
                {
                    Console.WriteLine($"Error: {ex.Message}");
                }
            }
        }
    }
}
In SQL Server, you can execute the following statements to check whether SSL encryption is enabled for the current connection:
SELECT session_id,encrypt_option
FROM sys.dm_exec_connections;
GO
If the row for the current session is returned when you query the sys.dm_exec_connections dynamic management view and the value in the encrypt_option column is TRUE, SSL encryption is enabled for the connection.
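The client samples above set Encrypt=yes and then leave it to you to check encrypt_option by hand, and the note under Enable SSL encryption points out that non-SSL connections are still accepted once the feature is on. The following is an added example, not code from this page or from Alibaba Cloud, that turns those two checks into something an application can run on every connection: it rejects connection strings that disable certificate validation, confirms through the same DMV query that the session really is encrypted and fails closed if it is not, and lists any other sessions that arrived without TLS. The names build_connection_string, connect_encrypted and FakeCursor are my own; it assumes pyodbc with the ODBC Driver 17 for SQL Server and the CA certificate already installed in the host trust store, and the audit of other sessions needs the VIEW SERVER STATE permission.

```python
def build_connection_string(server, database, user, password,
                            driver="ODBC Driver 17 for SQL Server"):
    """Connection string that requires TLS and keeps server certificate validation on."""
    return (f"DRIVER={{{driver}}};SERVER={server};DATABASE={database};"
            f"UID={user};PWD={password};Encrypt=yes;TrustServerCertificate=no")

def connection_string_is_safe(connection_string):
    """True only if the string demands encryption and does not disable certificate validation."""
    opts = {}
    for part in connection_string.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            opts[key.strip().lower()] = value.strip().lower()
    encrypt = opts.get("encrypt") in ("yes", "true")
    trust_any = opts.get("trustservercertificate") in ("yes", "true")
    return encrypt and not trust_any

# Same check the page runs in SSMS: encrypt_option for the current session.
SESSION_ENCRYPTION_SQL = (
    "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID")

# Audit query: every session that is not encrypted, with who it is and where it came from.
UNENCRYPTED_SESSIONS_SQL = """
SELECT c.session_id, s.login_name, s.host_name, s.program_name, c.client_net_address
FROM sys.dm_exec_connections AS c
JOIN sys.dm_exec_sessions AS s ON s.session_id = c.session_id
WHERE c.encrypt_option = 'FALSE'
"""

def session_is_encrypted(cursor):
    """Run the DMV check through an open cursor; True only if encrypt_option is TRUE."""
    cursor.execute(SESSION_ENCRYPTION_SQL)
    row = cursor.fetchone()
    return row is not None and str(row[0]).upper() == "TRUE"

def unencrypted_sessions(cursor):
    """Return a list of dicts describing sessions that connected without TLS."""
    cursor.execute(UNENCRYPTED_SESSIONS_SQL)
    cols = ["session_id", "login_name", "host_name", "program_name", "client_net_address"]
    return [dict(zip(cols, row)) for row in cursor.fetchall()]

def connect_encrypted(connection_string):
    """Open a pyodbc connection and fail closed if the server reports it is not encrypted."""
    import pyodbc  # imported here so the module loads even where the driver is absent
    if not connection_string_is_safe(connection_string):
        raise ValueError("connection string must set Encrypt=yes and TrustServerCertificate=no")
    conn = pyodbc.connect(connection_string)
    if not session_is_encrypted(conn.cursor()):
        conn.close()
        raise RuntimeError("server reports the session is not encrypted")
    return conn

class FakeCursor:
    """Constructed stand-in for a pyodbc cursor, used to exercise the checks offline."""
    def __init__(self, results):
        self._results = results   # maps SQL text to the rows it should return
        self._rows = []

    def execute(self, sql):
        self._rows = list(self._results.get(sql, []))

    def fetchone(self):
        return self._rows[0] if self._rows else None

    def fetchall(self):
        return self._rows

if __name__ == "__main__":
    # Placeholder connection parameters; replace with your own instance values.
    conn = connect_encrypted(build_connection_string(
        "rm-xxxx.sqlserver.rds.aliyuncs.com", "master", "user", "password"))
    for session in unencrypted_sessions(conn.cursor()):
        print("unencrypted session:", session)
    conn.close()
```

Running the audit query from a monitoring job is the server-side complement to the client-side setting: after you enable SSL encryption, any row it returns is a client that has not yet been reconfigured and that will keep working unencrypted until it is.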
FAQ
What are the impacts on my business if I do not renew an expired SSL certificate? Does an error occur on my RDS instance or is data security decreased?
If you do not renew the SSL certificate after it expires, your RDS instance can continue to run as expected and data security is not compromised. Applications that are connected to your RDS instance over encrypted connections are disconnected.