ApsaraDB RDS for MySQL supports SSL encryption for database proxy endpoints. You can enable the SSL encryption feature and install an SSL certificate on your applications to improve the connection security of your RDS instance. This topic describes how to configure SSL encryption for a database proxy endpoint.
SSL encrypts the network connections at the transport layer between your RDS instance and your application. This enhances the security and integrity of data in transit but increases the response time.
Prerequisites
The RDS instance runs one of the following MySQL versions:
MySQL 8.0 with a minor engine version of 20200831 or later on RDS High-availability Edition
MySQL 8.0 on RDS Cluster Edition
MySQL 5.7 on RDS Cluster Edition
MySQL 5.7 with a minor engine version of 20200831 or later on RDS High-availability Edition
MySQL 5.6 with a minor engine version of 20200831 or later on RDS High-availability Edition
Note: If your RDS instance is attached with read-only RDS instances, the read-only RDS instances must meet the requirements that are described in Update the minor engine version.
The database proxy feature is enabled. For more information, see Enable the database proxy feature.
The database proxy version is 1.12.8 or later. For more information, see Upgrade the database proxy version.
The total length of the dedicated proxy endpoint that you want to protect does not exceed 64 characters.
Usage notes
SSL encryption can be configured for only one dedicated proxy endpoint per proxy terminal.
If you enable or disable SSL encryption, change the protected database proxy endpoint, or update the validity period of an SSL certificate, your proxy instance restarts. Proceed with caution.
Enable SSL encryption
This operation triggers a restart of your RDS instance. Proceed with caution.
Log on to the ApsaraDB RDS console and go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the instance ID.
In the left-side navigation pane, click Database Proxy.
In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Enable to the right of SSL Encryption.
In the dialog box that appears, select the endpoint that you want to encrypt and click OK.
After the SSL encryption status changes to Enabled, click Download CA Certificate next to SSL Encryption.
Note: The file that you downloaded is a package that contains the following files:
PEM file: suitable for most scenarios.
JKS file: suitable for Java applications. In most cases, the PEM-formatted CA certificate file must be imported to a truststore for conversion into a JKS file. You can use the JKS file in Java applications. The password of the file is apsaradb.
P7B file: suitable for a small number of Windows applications that require PKCS#7-formatted certificate files.
You can use the configured SSL certificate to verify the certificate for the database server.
When you use the .jks file with Java Development Kit (JDK) 7 or JDK 8, open the jre/lib/security/java.security file on the host where your application runs and change the default values of the following two configuration items:
jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024
Both values relax the restrictions that the JDK applies by default, so apply the change only to the JRE that runs the application that connects to the proxy endpoint.
If you do not modify these configuration items, the following error is reported. Other similar errors are, in most cases, also caused by restrictive Java security settings:
javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints
Configure an SSL certificate
After you enable SSL encryption and download the CA certificate, you can configure the SSL certificate. For more information, see Download the CA certificate.
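The following Java class is an added example and is not code from the ApsaraDB documentation or from Alibaba Cloud. It shows what the two preceding sections describe: loading the downloaded JKS truststore (password apsaradb, as stated above) into a MySQL Connector/J connection so that the proxy's server certificate is verified, confirming that the session actually negotiated a TLS cipher, and printing the effective jdk.tls.disabledAlgorithms and jdk.certpath.disabledAlgorithms values so that the java.security edit from the previous section can be confirmed on the host. The proxy endpoint, port, database, credentials and truststore path are placeholders; the Connector/J property names are the driver's documented ones (useSSL, requireSSL and verifyServerCertificate for Connector/J 5.1, sslMode=VERIFY_CA for Connector/J 8.0.13 and later).

```java
import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/*
 * Added example (not from the ApsaraDB documentation): connect to an RDS
 * database proxy endpoint over TLS, trusting only the CA from the downloaded
 * JKS file, and check that the session is really encrypted.
 */
public class ProxySslCheck {

    // Placeholders: replace with your dedicated proxy endpoint and credentials.
    private static final String PROXY_HOST = "<proxy-endpoint>";
    private static final int PROXY_PORT = 3306;
    private static final String DATABASE = "<database>";
    private static final String USER = "<user>";
    private static final String PASSWORD = "<password>";

    // Placeholder path to the JKS file from the downloaded CA package; the
    // truststore password "apsaradb" is the one stated in the documentation.
    private static final String TRUSTSTORE_PATH = "/path/to/ca-chain.jks";
    private static final String TRUSTSTORE_PASSWORD = "apsaradb";

    /** Connection properties that require TLS and verify the server certificate against the JKS truststore. */
    static Properties sslProperties() {
        Properties props = new Properties();
        props.setProperty("user", USER);
        props.setProperty("password", PASSWORD);
        // Connector/J 5.1: require TLS and reject any certificate not signed by a trusted CA.
        props.setProperty("useSSL", "true");
        props.setProperty("requireSSL", "true");
        props.setProperty("verifyServerCertificate", "true");
        // Connector/J 8.0.13+: single setting equivalent to the three above.
        props.setProperty("sslMode", "VERIFY_CA");
        props.setProperty("trustCertificateKeyStoreUrl", "file:" + TRUSTSTORE_PATH);
        props.setProperty("trustCertificateKeyStoreType", "JKS");
        props.setProperty("trustCertificateKeyStorePassword", TRUSTSTORE_PASSWORD);
        return props;
    }

    /** Returns the JDK's effective algorithm constraints, so the java.security edit can be confirmed. */
    static String[] effectiveAlgorithmConstraints() {
        return new String[] {
            Security.getProperty("jdk.tls.disabledAlgorithms"),
            Security.getProperty("jdk.certpath.disabledAlgorithms")
        };
    }

    /** Returns the negotiated TLS cipher, or an empty string if the session is in clear text. */
    static String negotiatedCipher(Connection conn) throws SQLException {
        try (Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SHOW STATUS LIKE 'Ssl_cipher'")) {
            return rs.next() ? rs.getString(2) : "";
        }
    }

    public static void main(String[] args) {
        String[] constraints = effectiveAlgorithmConstraints();
        System.out.println("jdk.tls.disabledAlgorithms      = " + constraints[0]);
        System.out.println("jdk.certpath.disabledAlgorithms = " + constraints[1]);

        String url = "jdbc:mysql://" + PROXY_HOST + ":" + PROXY_PORT + "/" + DATABASE;
        try (Connection conn = DriverManager.getConnection(url, sslProperties())) {
            String cipher = negotiatedCipher(conn);
            if (cipher.isEmpty()) {
                throw new IllegalStateException("connection to the proxy endpoint is not encrypted");
            }
            System.out.println("TLS session established, cipher: " + cipher);
        } catch (SQLException e) {
            // A handshake rejected by the JDK's algorithm constraints ("does not comply to
            // algorithm constraints") surfaces here; check the java.security values printed above.
            System.err.println("connection failed: " + e.getMessage());
        }
    }
}
```

Run the class with the MySQL Connector/J JAR on the class path. If the printed jdk.tls.disabledAlgorithms value still contains the JDK default entries rather than the two values from the previous section, the edit was made to a different JRE than the one running the application.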
Change the protected proxy endpoint
This operation triggers an update to the validity period of the SSL certificate. This operation also triggers a restart of your RDS instance. Proceed with caution.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Database Proxy.
In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Change Protected Endpoint below Protected Endpoint.
Select the endpoint that you want to encrypt and click OK.
Update the validity period of the SSL certificate
This operation triggers a restart of your RDS instance. Proceed with caution.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Database Proxy.
In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Update Expiration Time to the right of SSL Certificate Expiration Time. In the dialog box that appears, click OK.
Disable SSL encryption
This operation triggers a restart of your RDS instance. Proceed with caution.
Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
In the left-side navigation pane, click Database Proxy.
In the Connection Information section, move the pointer over the ID of the database proxy endpoint. In the SSL Encryption Configuration section of the dialog box that appears, click Disable to the right of SSL Encryption. In the dialog box that appears, click OK.
Related operations
Operation | Description
--- | ---
 | Configures SSL encryption for a database proxy endpoint.
 | Queries SSL encryption settings of a database proxy endpoint.
References
Sample code for connecting to a database over SSL
For more information, see Application code.
FAQ about SSL encryption
For more information, see FAQ.