
ApsaraDB for Redis:Enable TLS encryption

Last Updated:Apr 26, 2024

ApsaraDB for Redis supports the Transport Layer Security (TLS) protocol to provide higher data security. Compared with the Secure Sockets Layer (SSL) protocol, the TLS protocol provides better encryption technologies and enhanced security.

Background information

TLS builds on the now-deprecated SSL protocol and has become the widely used standard cryptographic protocol for securing communications over a computer network. Compared with SSL, TLS has the following advantages:

  • Enhanced encryption: provides encryption by using more powerful technologies such as the Advanced Encryption Standard (AES) algorithm.

  • Enhanced security: uses more secure algorithms and protocols such as the Secure Hash Algorithm 2 (SHA-2).

  • Improved compatibility: serves as an up-to-date protocol that is compatible with more browsers and servers, and supports more encryption protocols and cipher suites.

  • Timely updates: supports real-time updates of encryption algorithms and protocols.

In this context, if you want to encrypt network connections at the transport layer, we recommend that you use TLS.

Prerequisites

The instance for which you want to enable TLS encryption meets one of the following requirements:

  • The instance is a DRAM-based or persistent memory-optimized instance of ApsaraDB for Redis Enhanced Edition (Tair) or an ApsaraDB for Redis Community Edition instance that runs Redis 5.0, 6.0, or 7.0.

  • The instance uses the master-replica architecture to ensure high availability.

Usage notes

  • Before you can enable TLS encryption for your instance, you must release the public and private endpoints of the instance. Only cluster instances have private endpoints.

    Note

    TLS encryption is not supported for ESSD-based cluster instances in direct connection mode.

  • After TLS encryption is enabled for an instance, you cannot apply for a public or private endpoint for the instance. Your client can connect to the instance only over a virtual private cloud (VPC) and the TLS protocol.

    For more information about how to connect to your ApsaraDB for Redis instance that has TLS enabled, see Connect to an instance that has TLS (SSL) encryption enabled by using a client.

Procedure

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Click Enable.

  4. In the dialog box that appears, select TLS Version.

    Parameters:

    • TLSv1.3 (recommended): TLS 1.3 was released in 2018 and its specifications are defined in RFC 8446. Compared with TLS 1.2, TLS 1.3 offers a faster handshake and stronger security.

    • TLSv1.2 (recommended): TLS 1.2 was released in 2008 and its specifications are defined in RFC 5246. This version comes with more powerful encryption technologies and enhanced security.

    • TLSv1.1: TLS 1.1 was released in 2006 and its specifications are defined in RFC 4346. This version includes fixes for known vulnerabilities found in TLS 1.0.

    • TLSv1.0: TLS 1.0 was released in 1999 and its specifications are defined in RFC 2246. As an upgraded version of SSL 3.0, TLS 1.0 is susceptible to attacks such as BEAST and POODLE.

  5. Click OK.

    Warning

    This operation may cause a transient disconnection that lasts a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    You can refresh the page to update the TLS status of the instance.

    After you enable TLS, you can click Download SSL Certificate to export the CA certificate to your client. The downloaded package contains the following files:

    • ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.

    • ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into other operating systems such as Linux or applications.

    • ApsaraDB-CA-Chain.jks: This file stores truststore certificates of Java and is used to import the CA certificate chain into Java applications.

Manage TLS settings

After you enable TLS for your instance, you can perform the following operations.

  1. Log on to the ApsaraDB for Redis console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Perform one of the following operations based on your business needs.

    Operation: Update the CA certificate

    Description: On the page that appears, click Update Certificate. Then, click OK.

    By default, when you enable TLS, the certificate remains valid for one year. You cannot specify a custom validity period for the certificate. You can click Update Validity to download and configure the CA certificate again. After the CA certificate is updated, its validity is extended for another year.

    Warning

    This operation may cause a transient disconnection that lasts a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    Operation: Change the TLS version

    Description: Click Setting to the right of the TLS version, select the version to which you want to change from the drop-down list, and then click Save. We recommend that you select TLSv1.2.

    Note

    If the Minimum TLS Version drop-down list is unavailable, update your instance to the latest minor version and try again. For more information, see Update the minor version of an instance.

    Operation: Disable TLS encryption

    Description: Turn off TLS Status.

    Warning

    This operation may cause a transient disconnection that lasts a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    After you update the certificate or modify the TLS version, you do not need to download the CA certificate again.
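The following Python script is an added example; it is not part of this page and not an ApsaraDB or Redis client library. It uses only the standard library to connect to a TLS-enabled instance over its VPC endpoint, trusts only the downloaded ApsaraDB-CA-Chain.pem, refuses any protocol version below TLS 1.2 (the recommended minimum in the TLS Version step above), authenticates and sends PING in the Redis RESP wire format, and reports the negotiated TLS version and the number of days left on the server certificate, which matters because the certificate is valid for one year and is renewed from the console. The host name, port, password, CA file path and the single-argument AUTH form are assumptions; replace them with your own values.

```python
"""Verify a TLS-enabled ApsaraDB for Redis endpoint with the standard library only."""
import socket
import ssl
import time

# Assumed values (not from the page): your instance's VPC endpoint, port,
# password, and the path to the ApsaraDB-CA-Chain.pem file exported from the console.
REDIS_HOST = "r-example.redis.rds.aliyuncs.com"
REDIS_PORT = 6379
REDIS_PASSWORD = "example-password"
CA_FILE = "ApsaraDB-CA-Chain.pem"
EXPIRY_WARNING_DAYS = 30  # warn when the server certificate expires within this window


def build_tls_context(cafile=None):
    """Client context that requires TLS 1.2 or later and verifies the server certificate.

    With cafile set, only certificates chaining to that CA are accepted, so a
    certificate issued by any other authority fails the handshake. cafile=None
    (used by the offline test) keeps the system trust store instead.
    """
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # never negotiate TLS 1.0/1.1
    ctx.check_hostname = True                     # endpoint name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def encode_command(*args):
    """Encode a Redis command as a RESP array of bulk strings (e.g. AUTH, PING)."""
    parts = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else bytes(arg)
        parts.append(b"$%d\r\n%s\r\n" % (len(data), data))
    return b"".join(parts)


def parse_reply(raw):
    """Decode a one-line RESP reply: +simple string, :integer, or -error (raised)."""
    line = raw.split(b"\r\n", 1)[0]
    kind, body = line[:1], line[1:].decode()
    if kind == b"-":
        raise RuntimeError(f"Redis error: {body}")
    if kind == b":":
        return int(body)
    return body


def days_until_expiry(not_after, now=None):
    """Days remaining given the 'notAfter' string from SSLSocket.getpeercert()."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return (expires - now) / 86400


def check_instance(host=REDIS_HOST, port=REDIS_PORT, password=REDIS_PASSWORD, cafile=CA_FILE):
    """Connect over TLS, authenticate, PING, and report version and certificate expiry."""
    ctx = build_tls_context(cafile)
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            report = {"tls_version": tls.version(), "cipher": tls.cipher()[0]}
            # Assumption: plain password AUTH; adjust if your instance expects user:password.
            tls.sendall(encode_command("AUTH", password))
            parse_reply(tls.recv(4096))  # raises RuntimeError on -ERR (bad credentials)
            tls.sendall(encode_command("PING"))
            report["ping"] = parse_reply(tls.recv(4096))
            cert = tls.getpeercert()
            report["days_until_expiry"] = days_until_expiry(cert["notAfter"])
            report["renew_soon"] = report["days_until_expiry"] < EXPIRY_WARNING_DAYS
    return report


if __name__ == "__main__":
    for key, value in check_instance().items():
        print(f"{key}: {value}")
```

Run it from an ECS instance in the same VPC after downloading the CA package; a handshake failure (rather than an AUTH error) means the endpoint, CA chain or minimum TLS version does not match what the console shows. Because the page says the certificate is valid for one year and is extended only by Update Certificate, the renew_soon flag is a simple hook for alerting before clients start failing verification.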

Related API operations

Operation: ModifyInstanceTLS(SSL)

Description: Modifies the TLS (SSL) settings of an ApsaraDB for Redis instance.

What to do next

Connect to an instance that has TLS (SSL) encryption enabled by using a client