This topic describes how to configure SSL encryption on your Lindorm instance. You can enable SSL encryption on your Lindorm instance and install the SSL certificates issued by certificate authorities (CAs) on your applications. SSL encrypts the network connections at the transport layer between your Lindorm instance and your application. This enhances the security and integrity of data in transit but increases the response time.
After you enable or disable SSL encryption for a Lindorm instance, the instance is restarted and is disconnected for a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
Prerequisites
A Lindorm instance is created. For more information, see Create an instance.
Java Development Kit (JDK) 1.8 or later is installed.
Background information
SSL was developed by Netscape to allow encrypted communication between a web server and a browser. SSL supports various cryptographic algorithms, such as RC4, MD5, and RSA. The Internet Engineering Task Force (IETF) upgraded SSL 3.0 to Transport Layer Security (TLS). However, the term "SSL encryption" is still used in the industry. In this topic, SSL encryption refers to TLS encryption.
Usage notes
The validity period of an SSL certificate is 10 years.
If you disable SSL encryption, your application can connect to your Lindorm instance only over a non-SSL connection.
If you disable SSL encryption, the SSL certificate that is used becomes invalid. If you want to enable SSL encryption again, you must download the SSL certificate file and configure the SSL certificate again. Otherwise, your Lindorm instance cannot connect to your application over an SSL connection.
After you enable or disable SSL encryption on a Lindorm instance, the instance is restarted and may experience a transient disconnection of a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.
Procedure
1. Log on to the Lindorm console.
2. In the upper-left corner of the page, select the region where the instance is deployed.
3. On the Instances page, click the ID of the instance that you want to manage or click Manage in the Actions column corresponding to the instance.
4. In the left-side navigation pane, click Wide Table Engine.
5. On the Data Security tab, click Data Link SSL.
6. Enable SSL encryption for the instance.
   a. Turn on the Current Status switch.
   b. In the Enable SSL Encryption dialog box, click OK.
   c. In the lower-left corner of the page, click Download CA Certificate.
7. Optional: Disable SSL encryption for the instance.
   a. Turn off the Current Status switch.
   b. In the Disable SSL Encryption dialog box, click OK.
Import an SSL certificate
Before an application can access your Lindorm instance over an SSL connection, you must import an SSL certificate to the trusted certificate library of the application. The following example shows how to import an SSL certificate to the trusted certificate library of a Java application.
Go to the jre/bin directory in the installation directory of JDK.
Run the following command to import the downloaded SSL certificate to the trusted certificate library of the Java application. You must input the password when you import the certificate. The default password is "changeit".
keytool -import -alias server -keystore cacerts -file /path-to-crt/server.crt
In the preceding command, /path-to-crt/server.crt is the path in which the downloaded SSL certificate is stored.
Sample command:
keytool -import -alias server -keystore cacerts -file /root/CA/ld-bp12pc23yfb38****.crt
After the SSL certificate is imported, the application can access your Lindorm instance over an SSL connection. For more information, see Use the ApsaraDB for HBase API for a non-Java language to develop applications.
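A check that the import landed in the truststore the JVM actually consults, added here as an example and not taken from the Lindorm documentation. It assumes the alias server from the command above, the bundled cacerts file under java.home/lib/security unless the javax.net.ssl.trustStore property overrides it, and a hypothetical TRUSTSTORE_PASSWORD environment variable that falls back to the default password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;

public class VerifyTrustStoreImport {
    // Hex-encoded SHA-256 of the DER certificate, to compare with a value obtained out of band.
    static String sha256(Certificate cert) throws Exception {
        StringBuilder hex = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
            hex.append(String.format("%02X", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java VerifyTrustStoreImport <downloaded.crt> [alias]");
            System.exit(2);
        }
        String alias = args.length > 1 ? args[1] : "server"; // alias used in the keytool command
        // TRUSTSTORE_PASSWORD is a hypothetical variable name; "changeit" is the default password.
        String pw = System.getenv().getOrDefault("TRUSTSTORE_PASSWORD", "changeit");
        X509Certificate downloaded;
        try (InputStream in = new FileInputStream(args[0])) {
            downloaded = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        downloaded.checkValidity(); // throws if the certificate is expired or not yet valid
        // Truststore the JVM consults: the javax.net.ssl.trustStore override, else the bundled cacerts.
        String override = System.getProperty("javax.net.ssl.trustStore");
        String store = override != null ? override
                : System.getProperty("java.home") + "/lib/security/cacerts";
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, pw.toCharArray());
        }
        Certificate stored = ks.getCertificate(alias);
        boolean match = stored != null && Arrays.equals(stored.getEncoded(), downloaded.getEncoded());
        System.out.println("truststore : " + store);
        System.out.println("not after  : " + downloaded.getNotAfter());
        System.out.println("SHA-256    : " + sha256(downloaded));
        System.out.println(match ? "OK: alias '" + alias + "' holds the downloaded certificate"
                                 : "FAIL: alias '" + alias + "' is missing or holds a different certificate");
        System.exit(match ? 0 : 1);
    }
}
```

A FAIL result after a successful keytool run usually means the certificate was written to a keystore file other than the one printed on the truststore line.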