This topic describes how to make data transmission more secure by configuring SSL encryption. You must enable SSL encryption and install SSL certificates issued by certificate authorities (CAs) in the required applications. SSL encrypts connections at the transport layer and enhances the security and integrity of the transmitted data. However, SSL encryption increases the round-trip time.

Precautions

  • An SSL certificate remains valid for one year. You must update the validity period of the SSL certificate before it expires. Otherwise, applications or clients that use encrypted network connections cannot connect to your instance.
  • SSL encryption may cause a significant increase in CPU utilization. We recommend that you enable SSL encryption only when you need to encrypt the public connections to your instance.

Enable SSL encryption

Warning: This operation restarts your instance. We recommend that you perform this operation during off-peak hours to prevent impacts on your business.
  1. Log on to the AnalyticDB for PostgreSQL console.
  2. In the upper-left corner of the console, select the region where the instance resides.
  3. Find the instance that you want to manage and click its ID.
  4. In the left-side navigation pane, click Security Controls.
  5. Click the SSL Encryption tab.
  6. Turn on SSL Encryption.
  7. In the Enable SSL Encryption message, click OK.
  8. After SSL Encryption is set to Enabled, click Download Certificate.
    The downloaded package contains the following files:
    • P7B file: the SSL certificate file that is used for a Windows operating system.
    • PEM file: the SSL certificate file that is used for an operating system other than Windows or an application that is not run on Windows.
    • JKS file: the CA certificate file that is stored in the Java-supported truststore. You can use this file to import the CA certificate chain into Java-based applications. The default password is apsaradb.

      When you use the JKS file in JDK 7 or JDK 8, you must modify the following default JDK security configuration items in the jre/lib/security/java.security file on the host where your application resides:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      If you do not modify these configurations, the following error is reported. In most cases, similar errors are caused by invalid Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Update the validity period

Warning: This operation restarts your instance. We recommend that you perform this operation during off-peak hours to prevent impacts on your business.
  1. Log on to the AnalyticDB for PostgreSQL console.
  2. In the upper-left corner of the console, select the region where the instance resides.
  3. Find the instance that you want to manage and click its ID.
  4. In the left-side navigation pane, click Security Controls.
  5. Click the SSL Encryption tab.
  6. Click Update Validity to the right of SSL Encryption.
  7. In the Update SSL Certificate Validity message, click OK.
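
To know when this update is due, a client can read the expiry date from the certificate that the instance presents after the PostgreSQL SSLRequest exchange. The following Python script is an added example, not Alibaba Cloud code; it assumes that the downloaded PEM file works as the trust anchor for the instance certificate, and the endpoint, port and file name in it are placeholders.

```python
import socket
import ssl
import struct
import time

# PostgreSQL SSLRequest: Int32 length (8) followed by Int32 request code 80877103.
SSL_REQUEST_CODE = 80877103


def ssl_request_packet() -> bytes:
    """Build the 8-byte message a client sends before the TLS handshake."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def days_remaining(not_after: str, now: float) -> int:
    """Whole days between `now` (epoch seconds) and a certificate notAfter string."""
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def server_cert_not_after(host: str, port: int, ca_pem: str, timeout: float = 10.0) -> str:
    """Negotiate TLS with the instance, verify it against ca_pem, return notAfter."""
    # Trust only the downloaded file (assumed to hold the CA chain); the default
    # context verifies both the certificate chain and the host name.
    ctx = ssl.create_default_context(cafile=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(ssl_request_packet())
        answer = sock.recv(1)
        if answer != b"S":  # b"N" means SSL encryption is not enabled on the server
            raise ConnectionError(f"server refused SSL (answer={answer!r})")
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def check(host: str, port: int, ca_pem: str, warn_days: int = 30) -> bool:
    """Return True when the certificate still has more than warn_days left."""
    left = days_remaining(server_cert_not_after(host, port, ca_pem), time.time())
    print(f"{host}:{port} certificate expires in {left} days")
    return left > warn_days


if __name__ == "__main__":
    # Placeholder endpoint, port and file name; replace with your instance's values.
    ok = check("your-instance-endpoint.example.com", 5432, "ca-chain.pem")
    raise SystemExit(0 if ok else 1)
```

The script exits with a nonzero status when fewer than 30 days remain, so it can run from a scheduler and raise an alert before connections start to fail.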

Disable SSL encryption

Warning: This operation restarts your instance. We recommend that you perform this operation during off-peak hours to prevent impacts on your business.
  1. Log on to the AnalyticDB for PostgreSQL console.
  2. In the upper-left corner of the console, select the region where the instance resides.
  3. Find the instance that you want to manage and click its ID.
  4. In the left-side navigation pane, click Security Controls.
  5. Click the SSL Encryption tab.
  6. Turn off SSL Encryption.
  7. In the Disable SSL Encryption message, click OK.

Related operations

| Operation | Description |
| --- | --- |
| DescribeDBInstanceSSL | Queries the SSL encryption information of an instance. |
| ModifyDBInstanceSSL | Enables or disables SSL encryption, or updates the validity period of SSL encryption. |