Tair:Enable TLS encryption

Prerequisites

• A DRAM-based or persistent memory-optimized instance is created.

• The instance uses the master-replica architecture to ensure high availability.

• If a public endpoint is allocated to the instance, release the public endpoint. You can enable TLS encryption for the instance only after the public endpoint is released.

  Note

  If a private endpoint is allocated to a local disk-based cluster instance, release the private endpoint before you enable TLS encryption for the instance.

Precautions

• After you enable TLS encryption for an instance, you cannot apply for a public endpoint for the instance. If you enable TLS encryption for a local disk-based cluster instance, you also cannot apply for a private endpoint for the instance. Your client can connect to the instance only over a virtual private cloud (VPC) and the TLS protocol. For more information about how to connect to an instance for which TLS is enabled, see Use a client to connect to a Tair instance for which TLS (SSL) encryption is enabled.

• After TLS encryption is enabled for an instance, the instance cannot be migrated across zones.

Procedure

1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

2. In the left-side navigation pane, click TLS Settings (SSL).

3. Click Enable.

4. In the dialog box that appears, select a TLS version.

   Valid values of the TLS version parameter:

   • TLSv1.3 (recommended): TLS 1.3 was released in 2018 and its specifications are defined in RFC 8446. Compared with TLS 1.2, TLS 1.3 facilitates faster and more secure communication.

   • TLSv1.2 (recommended): TLS 1.2 was released in 2008 and its specifications are defined in RFC 5246. This version comes with more powerful encryption technologies and enhanced security.

   • TLSv1.1: TLS 1.1 was released in 2006 and its specifications are defined in RFC 4346. This version includes fixes for known vulnerabilities found in TLS 1.0.

   • TLSv1.0: TLS 1.0 was released in 1999 and its specifications are defined in RFC 2246. As an upgraded version of SSL 3.0, TLS 1.0 is susceptible to attacks such as BEAST and POODLE.

5. Click OK.

   Warning

   This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

   You can refresh the page to update the TLS status of the instance.

   After you enable TLS, you can click Download SSL Certificate to export the CA certificate to your client. The downloaded package contains the following files:

   • ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.

   • ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into non-Windows systems such as Linux or applications.

   • ApsaraDB-CA-Chain.jks: This file stores truststore certificates of Java and is used to import the CA certificate chain into Java applications.

   The CA certificates provided for different instances are the same and can be used to connect to any instance.

Manage TLS settings

After you enable TLS for your instance, you can perform the following operations:

1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

2. In the left-side navigation pane, click TLS Settings (SSL).

3. Perform one of the following operations based on your business requirements.

   Operation	Description
   Renew the CA certificate	On the page that appears, click Update Certificate. Then, click OK. After you enable TLS encryption, the TLS certificate is issued with a default validity period of three years. You cannot specify a custom validity period for the certificate. Tair initiates proactive O&M 20 days before the certificate expires to update the validity period of the certificate. You can choose Events > Scheduled Events to change the O&M time. Alternatively, you can click Update Certificate to renew the CA certificate, and then download and configure the CA certificate again. After the CA certificate is renewed, its validity is extended for another three years. Warning This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
   Change the TLS version	Click the icon to the right of TLS version, and select the version to which you want to change from the drop-down list. We recommend that you select TLSv1.2. Note If the Minimum TLS Version drop-down list is unavailable, update your instance to the latest minor version and try again. For more information, see Update the minor version of an instance.
   Disable TLS encryption	Turn off TLS Status. Warning This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

   After you renew the CA certificate or change the TLS version, you do not need to download the CA certificate again.

Related API operations

FAQ

• Why am I unable to enable TLS for my instance?

  If your instance is a local disk-based instance that uses the read/write splitting architecture, you cannot enable TLS for the instance.