All Products
Search
Document Center

ApsaraDB for Redis:Enable TLS encryption

Last Updated:Aug 08, 2023

ApsaraDB for Redis supports the Transport Layer Security (TLS) protocol to provide higher data security. Compared with the Secure Sockets Layer (SSL) protocol, the TLS protocol provides better encryption technologies and enhanced security.

Background information

TLS builds on the now-deprecated SSL protocol and becomes the widely used standard cryptographic protocol to provide communications security over a computer network. Compared with SSL, TLS has the following advantages:

  • Enhanced encryption: provides encryption by using more powerful technologies such as the Advanced Encryption Standard (AES) algorithm.

  • Enhanced security: uses more secure algorithms and protocols such as the Secure Hash Algorithm 2 (SHA-2).

  • Improved compatibility: serves as an up-to-date protocol that is compatible with more browsers and servers, and supports more encryption protocols and cipher suites.

  • Timely updates: supports real-time updates of encryption algorithms and protocols.

In this context, if you want to encrypt network connections at the transport layer, we recommend that you use TLS.

Prerequisites

The instance for which you want to enable TLS encryption meets one of the following requirements:

  • The instance is a DRAM-based or persistent memory-optimized instance of ApsaraDB for Redis Enhanced Edition (Tair) or an ApsaraDB for Redis Community Edition instance that runs Redis 5.0, 6.0, or 7.0.

  • The instance uses the master-replica architecture to ensure high availability.

Usage notes

  • Before you can enable TLS encryption for your instance, you must release the public and direct connection endpoints of the instance. Only cluster instances have direct connection endpoints.

    Note

    TLS encryption is not supported for ESSD-based cluster instances in direct connection mode.

  • After you enable TLS for your instance, your client can connect to the instance only over a virtual private cloud (VPC) and the TLS protocol.

    For more information about how to connect to your ApsaraDB for Redis instance that has TLS enabled, see Connect to an instance that has TLS (SSL) encryption enabled by using a client.

Procedure

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click its ID.
  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Click Enable.

  4. In the dialog box that appears, select TLS Version.

    Parameters:

    • TLSv1.3 (recommended): TLS 1.3 was released in 2018 and its specifications are defined in RFC 8446. Compared with TLS 1.2, TLS 1.3 comes with shorter response time and higher security.

    • TLSv1.2 (recommended): TLS 1.2 was released in 2008 and its specifications are defined in RFC 5246. This version comes with more powerful encryption technologies and enhanced security.

    • TLSv1.1: TLS 1.1 was released in 2006 and its specifications are defined in RFC 4346. This version includes fixes for known vulnerabilities found in TLS 1.0.

    • TLSv1.0: TLS 1.0 was released in 1999 and its specifications are defined in RFC 2246. As an upgraded version of SSL 3.0, TLS 1.0 is susceptible to attacks such as BEAST and POODLE.

  5. Click OK.

    Warning

    This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    You can refresh the page to update the TLS status of the instance.

    After you enable TLS, you can click Download SSL Certificate to export the CA certificate to your client. The downloaded package contains the following files:

    • ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.

    • ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into other operating systems such as Linux or applications.

    • ApsaraDB-CA-Chain.jks: This file stores truststore certificates of Java and is used to import the CA certificate chain into Java applications.

Manage TLS settings

After you enable TLS for your instance, you can perform the following operations.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click its ID.
  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Perform one of the following operations based on your business needs.

    Operation

    Description

    Update the CA certificate

    On the page that appears, click Update Certificate. Then, click OK.

    By default, when you enable TLS, the certificate remains valid for one year. You cannot specify a custom validity period for the certificate. You can click Update Validity to download and configure the CA certificate again. After the CA certificate is updated, its validity is extended for another year.

    Warning

    This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    Change the TLS version

    Click Setting to the right of the TLS version, select the version to which you want to change from the drop-down list, and then click Save. We recommend that you select TLSv1.2.

    Note

    If the Minimum TLS version drop-down list is unavailable, update your instance to the latest minor version and try again. For more information, see Update the minor version.

    Disable TLS

    Turn off TLS Status.

    Warning

    This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    After you update the certificate or modify the TLS version, you do not need to download the CA certificate again.

Related API operations

Operation

Description

ModifyInstanceTLS(SSL)

Modifies the TLS (SSL) settings of an ApsaraDB for Redis instance.

What to do next

Connect to an instance that has TLS (SSL) encryption enabled by using a client