All Products
Search

This Product

    AnalyticDB:SSL encryption

    Document Center

    AnalyticDB:SSL encryption

    Last Updated:Sep 03, 2024

    To improve data transmission security, you can enable SSL encryption and install SSL certificates that are issued by certificate authorities (CAs) to the required applications. SSL is used to encrypt connections at the transport layer. SSL can enhance the security and integrity of transmitted data, and prevent the data from being listened to, intercepted, and tampered with by third parties. However, SSL encryption increases the response time of network connections. This topic describes how to enable and disable SSL encryption and update the validity period of an SSL certificate for an AnalyticDB for MySQL cluster.

    Prerequisites

    Before you configure SSL encryption for an AnalyticDB for MySQL cluster, make sure that the following requirements are met:

    • The AnalyticDB for MySQL cluster is of Data Warehouse Edition.

    • The minor version of the AnalyticDB for MySQL cluster is 3.2.1.0 or later.

      Note

      For information about how to view and update the minor version of an AnalyticDB for MySQL Data Warehouse Edition cluster, see Update the minor version of a cluster.

    Background information

    SSL is developed by Netscape to allow encrypted communications between a web server and a browser. SSL supports various encryption algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). However, the term "SSL encryption" is still used in the industry. In this topic, SSL encryption refers to TLS encryption.

    Note

    To ensure data security, we recommend that you use TLS 1.2 in AnalyticDB for MySQL.

    Usage notes

    • An SSL certificate remains valid for one year. Before the used SSL certificate expires, you must update the validity period of the SSL certificate. Otherwise, an application or client that uses encrypted network connections cannot connect to AnalyticDB for MySQL clusters.

    • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption based on your business requirements.

    • When you enable or disable SSL encryption or update the validity period of the SSL certificate for an AnalyticDB for MySQL cluster, the cluster is restarted and transient connections may occur. We recommend that you perform operations during off-peak hours and make sure that your applications can automatically reconnect to the cluster.

    Enable SSL encryption

    1. Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. On the Data Warehouse Edition tab, find the cluster that you want to manage and click the cluster ID.

    2. In the left-side navigation pane, click Data Security.

    3. Click the SSL Settings tab and turn on SSL Status.

    4. In the Configure SSL Encryption dialog box, select a protected endpoint and click OK.

      Important

      • AnalyticDB for MySQL allows you to configure SSL encryption for the private endpoint or the public endpoint, but not both. You can change the protected endpoint. After the change, the certificate is automatically updated and the AnalyticDB for MySQL cluster is restarted.

      • To encrypt the public endpoint of an AnalyticDB for MySQL cluster, make sure that you applied for a public endpoint for the cluster. For more information, see Apply for or release a public endpoint.

    5. After you turn on SSL Status, click Download Certificate.

      The downloaded package contains the following files:

      • P7B file: the SSL certificate file that is used for a Windows operating system.

      • PEM file: the SSL certificate file that is used for an operating system other than Windows or an application that is not run on Windows.

      • JKS file: the CA certificate file that is stored in the Java-supported truststore. You can use this file to import the CA certificate chain into Java-based applications. The default password is apsaradb.

        When you use the JKS file in JDK 7 or JDK 8, you must modify the following default JDK security configuration items in the jre/lib/security/Java.security file on the host on which your application is deployed:

        jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

        If you do not modify the preceding configurations, the following error is returned. In most cases, similar errors are caused by invalid Java security configurations. 

        javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

    Update the validity period of an SSL certificate

    1. Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. On the Data Warehouse Edition tab, find the cluster that you want to manage and click the cluster ID.

    2. In the left-side navigation pane, click Data Security.

    3. Click the SSL Settings tab and click Update Validity Period.

    Disable SSL encryption

    1. Log on to the AnalyticDB for MySQL console. In the upper-left corner of the console, select a region. In the left-side navigation pane, click Clusters. On the Data Warehouse Edition tab, find the cluster that you want to manage and click the cluster ID.

    2. In the left-side navigation pane, click Data Security.

    3. Click the SSL Settings tab and turn off SSL Status.

    4. In the Disable SSL Encryption message, click OK.

    Related operations

    Operation

    Description

    ModifyDBClusterSSL

    Modifies the SSL configurations of an AnalyticDB for MySQL Data Warehouse Edition cluster.

    DescribeDBClusterSSL

    Queries the SSL configurations of an AnalyticDB for MySQL Data Warehouse Edition cluster.