This topic describes how to enable SSL encryption for an instance to enhance link security. After you enable SSL encryption, you must install SSL certificates that are issued by certificate authorities (CAs) on your application. You can use the SSL encryption feature to encrypt connections at the transport layer to enhance data security and ensure data integrity.
Prerequisites
A cluster DRAM-based instance that uses local disks is created. For more information, see DRAM-based instances and Cluster architecture.
Precautions
- An SSL certificate remains valid for one year. Before the used SSL certificate expires, you must update its validity period. To do so, you must download the required SSL certificate file and configure the certificate again. Otherwise, clients cannot connect to your instance over an encrypted connection.
- SSL encryption may cause higher network latency for Tair instances. Therefore, we recommend that you enable this feature only when encryption is needed. For example, you can enable SSL encryption if you connect to a Tair instance over the Internet.
- After you enable SSL encryption, both SSL and non-SSL connections are supported.
Procedure
- Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click its ID.
- In the left-side navigation pane, click SSL Settings.
- Perform one of the following operations.
Figure 1. Configure SSL encryption 
Operation Description Enable or disable SSL encryption Turn on or off SSL Certificate. Modify the earliest TLS version supported by the instance Click SSL next to Minimum TLS version, select a TLS version from the drop-down list, and then click Save. The default value is TLSv1. Note If the Minimum TLS version drop-down list is unavailable, update your instance to the latest minor version and try again. For more information, see Update the minor version of an instance.Update the CA certificate Click Update Validity in the upper-right corner of the page and then click OK. The CA certificate remains valid for one year. You can click Update Validity and then download and configure the CA certificate again. After the CA certificate is updated, it is valid for another year.
Download the CA certificate In the upper-right corner, click Download SSL Certificate. Warning The instance restarts after you enable SSL encryption or update the certificate validity period. The instance may encounter a transient connection that lasts for a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
FAQ
- Q: What do I do if the error message "version not supported" appears?
A: You must update your instance to the latest minor version. For more information, see Update the minor version of an instance.
- Q: What files are included in the downloaded CA certificate? A: The downloaded CA certificate is a compressed package that consists of the following files:
- ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.
- ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into other operating systems such as Linux or applications.
- ApsaraDB-CA-Chain.jks: This file stores truststore certificates of Java and is used to import the CA certificate chain into Java applications.
SSL connection methods
Related API operations
| API | Description |
|---|---|
| ModifyInstanceSSL | Enables SSL encryption for a Tair instance. |