Hologres: Enable SSL encryption

Last Updated: Jan 05, 2026

To secure the data transfer pipeline between your client application and Hologres, you can enable Secure Sockets Layer (SSL) encryption. SSL uses digital certificates and cryptographic protocols to establish a secure connection between your Hologres instance and the client. This protects the confidentiality and integrity of your data in transit.

Use cases

SSL encryption is suitable for the following scenarios:

  • Remote database access: When a client needs to access a database from a remote location, SSL encryption secures the data transfer.

  • Compliance with security requirements: Many industry standards and regulations require that data is encrypted in transit. Using SSL encryption helps your organization meet these security and compliance requirements.

SSL encrypts the network connection at the transport layer, improving data security and integrity. However, this process also increases network response time.

Prerequisites

Usage notes

  • Version support: Hologres V1.1 and later support encryption in transit. Hologres V1.2 and later support the Transport Layer Security (TLS) protocol. Hologres V2.1 and later support using Certificate Authority (CA) certificates, and enabling this feature via the Hologres console.

    Note

    If your instance is an older version (earlier than V1.1), refer to Common upgrade preparation errors or get online support.

  • Enabling/Disabling SSL: SSL encryption is disabled by default. Enabling or disabling it restarts the Hologres instance. Proceed with caution.

    • When enabled: Clients can connect over SSL. You must explicitly specify whether to encrypt the connection on the client side.

    • When disabled: Clients can only connect using non-SSL connections.

  • Supported SSL modes: Hologres supports the following modes for SSL encryption:

    | SSL mode | Minimum supported version |
    | --- | --- |
    | Require: Encrypts only the data pipeline. | V1.1 |
    | Verify-CA: Encrypts the data pipeline and uses a CA certificate to authenticate the Hologres server. | V2.1 |
    | Verify-Full: Encrypts the data pipeline, uses a CA certificate to authenticate the Hologres server, and verifies that the Common Name (CN) or Domain Name System (DNS) in the certificate matches the Hologres endpoint configured for the connection. | V2.1 |

  • Certificate validity: SSL certificates are valid for one year. You must manually renew the certificate before it expires to continue using SSL encryption.

  • Performance impact: Enabling SSL encryption increases CPU consumption and read/write latency.

  • Connection re-establishment: After enabling SSL encryption, existing client connections must be disconnected and reconnected for the encryption to take effect.

  • Instance restarts: Enabling or disabling SSL encryption, as well as renewing an SSL certificate, restarts your Hologres instance. This restart typically takes about 3 minutes. It is recommended to perform these operations during off-peak hours.

Step 1: Enable SSL encryption

  1. Log on to the Hologres console and select a region in the upper-left corner.

  2. In the left navigation menu, select Instances and then click the instance ID.

  3. On the instance details page, select Data Security.

  4. Turn on the SSL Encryption switch.

  5. In the Enable SSL Encryption dialog box, click Enable SSL Encryption.

Step 2: Download the CA certificate

Hologres provides an instance CA certificate for download, which clients can use to authenticate the instance during remote connections.

  1. Log on to the Hologres console and select a region in the upper-left corner.

  2. In the left navigation menu, select Instances and then click the instance ID.

  3. On the instance details page, select Data Security.

  4. In the SSL Encryption section, click Download Certificate.

Step 3: Connect to Hologres

Connect to Hologres using a PSQL client or JDBC and specify whether to enable SSL encryption.

PSQL

  • Connect to Hologres

    PG_USER=<AccessKey ID> 
    PG_PASSWORD=<AccessKey Secret> 
    PG_SSLMODE=<SSL Mode> 
    PG_SSLROOTCERT=<certificate folder> 
    PGSSLMODE=$PG_SSLMODE PGSSLROOTCERT=$PG_SSLROOTCERT PGUSER=$PG_USER PGPASSWORD=$PG_PASSWORD psql -p <Port> -h <Endpoint> -d <Database>
  • Parameter descriptions

    | Parameter | Description |
    | --- | --- |
    | AccessKey ID | The AccessKey ID of your Alibaba Cloud account. Obtain it from the AccessKey Management page. To minimize the risk of credential leaks, we recommend using environment variables instead of hardcoding your AccessKey ID. |
    | AccessKey Secret | The AccessKey secret of your Alibaba Cloud account. You can obtain the AccessKey secret from the AccessKey Management page. To minimize the risk of credential leaks, we recommend using environment variables instead of hardcoding your AccessKey secret. |
    | SSL Mode | The encryption mode for the PSQL connection to Hologres. The following values are supported: require (enables SSL encryption and encrypts only the data sent); verify-ca (encrypts the data sent and authenticates the Hologres instance); verify-full (encrypts the data sent, authenticates the Hologres instance, and verifies that the CN or DNS in the certificate matches the database endpoint that is configured for the connection); disable (disables SSL encryption). |
    | certificate folder | The storage path of the CA certificate. This parameter is required if the SSL Mode parameter is set to verify-ca or verify-full. |
    | Port | The public port of the Hologres instance. Example: 80. |
    | Endpoint | The public endpoint of the Hologres instance. Example: xxx-ap-southeast-1.hologres.aliyuncs.com. |
    | Database | The name of the Hologres database. Upon instance creation, Hologres automatically provisions a postgres database. While you can use postgres for initial connections, it has limited resources. For business development, it's recommended to create a new, dedicated database. For more information, see Create a database. Example: mydb. |

  • Connection verification

    If you set the PGSSLMODE parameter to require, the following message appears when you connect to Hologres. This indicates that the connection is encrypted using SSL.

    [Image: encryption in transit]

JDBC

When you use JDBC to connect to Hologres, use the ssl and sslmode connection parameters to control whether to enable SSL encryption. The results in Hologres vary based on the parameter values, as shown in the following table.

| Is SSL encryption enabled? | ssl setting | sslmode setting | Result |
| --- | --- | --- | --- |
| Yes | true | require, verify-ca, or verify-full | Encryption in transit is enabled. |
| Yes | false | require, verify-ca, or verify-full | Encryption in transit is disabled. |
| No | true | require, verify-ca, or verify-full | The following error message is returned: [Image: image.png] |
| No | false | require, verify-ca, or verify-full | Encryption in transit is disabled. |

The following code provides an example.

    import java.sql.Connection;
    import java.sql.DriverManager;
    import java.sql.PreparedStatement;
    import java.sql.ResultSet;
    import java.sql.ResultSetMetaData;
    import java.util.HashMap;
    import java.util.Map;
    import java.util.Properties;

    public class HologresSslExample {
        public static void main(String[] args) {
            // Set the endpoint of the Hologres instance (host name only; the port is set separately below).
            String hostname = "hgxxxxxxx-ap-southeast-1-vpc.hologres.aliyuncs.com";
            // Set the port of the Hologres instance.
            String port = "80";
            // Set the name of the database to connect to.
            String dbname = "postgres";
            // Set the folder that holds the CA certificate downloaded in Step 2.
            String path = "<certificate folder>";

            String jdbcUrl = "jdbc:postgresql://" + hostname + ":" + port + "/" + dbname + "?binaryTransfer=true";

            Properties properties = new Properties();
            // Set the username to connect to the database. We recommend that you use an environment variable.
            properties.setProperty("user", "accessid");
            // Set the password to connect to the database. We recommend that you use an environment variable.
            properties.setProperty("password", "accesskey");

            // SSL setting.
            properties.setProperty("ssl", "true");

            // Set the path of the CA certificate file.
            properties.setProperty("sslrootcert", path + "/" + "hologres_certificate.crt");

            // Configure the SSL mode.
            properties.setProperty("sslmode", "verify-full");

            try {
                Class.forName("org.postgresql.Driver");
                // This example assumes that a table named 'example' exists in the 'postgres' database.
                // The following code queries data from the 'example' table.
                // try-with-resources closes the connection, statement and result set.
                try (Connection connection = DriverManager.getConnection(jdbcUrl, properties);
                     PreparedStatement preparedStatement = connection.prepareStatement("select * from example");
                     ResultSet resultSet = preparedStatement.executeQuery()) {
                    ResultSetMetaData rsmd = resultSet.getMetaData();
                    int columnCount = rsmd.getColumnCount();
                    while (resultSet.next()) {
                        Map<String, Object> map = new HashMap<>();
                        for (int i = 0; i < columnCount; i++) {
                            map.put(rsmd.getColumnName(i + 1).toLowerCase(), resultSet.getObject(i + 1));
                        }
                        System.out.println(map);
                    }
                }
            } catch (Exception exception) {
                exception.printStackTrace();
            }
        }
    }
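
The SSL mode descriptions in the PSQL section and the JDBC outcome table above can be applied as an audit over connection URLs, flagging settings that end up unencrypted or that encrypt without authenticating the server. This is an added example, not Alibaba Cloud or Hologres code; the function names, outcome labels and sample URLs are constructed for illustration, and the rules are taken from this page's tables.

```python
from urllib.parse import parse_qs, urlsplit

# Minimum Hologres version per SSL mode, from the table on this page.
MIN_VERSION = {"require": (1, 1), "verify-ca": (2, 1), "verify-full": (2, 1)}

# Constructed sample URLs; host and database names are placeholders.
SAMPLE_URLS = [
    "jdbc:postgresql://holo.example.com:80/mydb?ssl=true&sslmode=verify-full",
    "jdbc:postgresql://holo.example.com:80/mydb?ssl=true&sslmode=verify-ca",
    "jdbc:postgresql://holo.example.com:80/mydb?ssl=true&sslmode=require",
    "jdbc:postgresql://holo.example.com:80/mydb?ssl=false&sslmode=verify-full",
    "jdbc:postgresql://holo.example.com:80/mydb?binaryTransfer=true",
]


def classify(ssl, sslmode, instance_ssl=True, version=(2, 1)):
    """Map one (ssl, sslmode) pair to the outcome this page documents."""
    if not ssl:
        return "UNSPECIFIED"        # the page's table only covers explicit ssl values
    mode = (sslmode or "").strip().lower()
    if str(ssl).strip().lower() != "true" or mode == "disable":
        return "PLAINTEXT"          # table: ssl=false means no encryption in transit
    if not instance_ssl:
        return "CONNECT_ERROR"      # table: ssl=true against an instance without SSL
    if mode not in MIN_VERSION:
        return "UNKNOWN_MODE"       # sslmode missing or not one of the page's values
    if version < MIN_VERSION[mode]:
        return "MODE_UNSUPPORTED"   # verify-ca / verify-full need V2.1 or later
    return {"require": "UNAUTHENTICATED",      # encrypted, server not authenticated
            "verify-ca": "NO_HOSTNAME_CHECK",  # CA checked, endpoint name not matched
            "verify-full": "OK"}[mode]


def audit(urls, instance_ssl=True, version=(2, 1)):
    """Return (url, outcome) pairs for PostgreSQL JDBC URLs."""
    findings = []
    for url in urls:
        if not url.startswith("jdbc:postgresql://"):
            raise ValueError(f"not a PostgreSQL JDBC URL: {url}")
        query = urlsplit(url[len("jdbc:"):]).query
        params = {k: v[-1] for k, v in parse_qs(query, keep_blank_values=True).items()}
        findings.append((url, classify(params.get("ssl"), params.get("sslmode"),
                                       instance_ssl, version)))
    return findings


if __name__ == "__main__":
    for url, outcome in audit(SAMPLE_URLS):
        print(f"{outcome:18} {url}")
```

Values set through a `Properties` object, as in the Java example above, can be checked by passing them to `classify` directly.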