
ApsaraDB RDS: Forcefully enable the client to connect to an ApsaraDB RDS for PostgreSQL instance over SSL connections

Last Updated: Feb 22, 2024

If SSL encryption is enabled and no client ACLs are configured, you can still use the PGSSLMODE=disable setting on the client to connect to an ApsaraDB RDS for PostgreSQL instance over non-SSL connections. This topic describes how to forcefully enable the client to connect to the RDS instance over SSL connections.

Prerequisites

  • SSL encryption is enabled. This condition must be met if you want your client to connect to the RDS instance only over SSL connections. For more information, see Configure SSL encryption or Configure a custom certificate.

  • A client CA certificate is configured. This condition must be met if you want to verify the client certificate when the client connects to the RDS instance over SSL connections. For more information, see Configure a client CA certificate.

Procedure

You can use one of the following methods to forcefully enable the client to connect to the RDS instance over SSL connections:

Method 1: Configure a client ACL

After a client CA certificate is configured, you can configure an access control list (ACL) on the RDS instance. Then, the client can connect to the RDS instance only after the RDS instance validates the client based on the SSL mode that you specify. The RDS instance validates the client by using the client certificate and the private key of the client certificate.

Note
  • When you configure an ACL, no operations can be performed on the RDS instance. This configuration process requires approximately 1 minute.

  • If no client ACLs are configured for the RDS instance, you can use the PGSSLMODE=disable setting for the client to connect to the RDS instance over non-SSL connections. The default value for the authentication method is prefer. If you want to disable non-SSL connections, you must set the authentication method to a value other than prefer.

Click Modify to the right of Configure ACL and select an appropriate authentication method.

You can use one of the following authentication methods to forcefully enable the client to connect to the RDS instance over SSL connections:

  • cert: A client certificate rather than a password is used to validate the client. An SSL connection is established. In addition, the system validates the client certificate and checks whether the Common Name (CN) specified in the client certificate is consistent with the username that is used to connect to the RDS instance.

  • verify-ca: An SSL connection is established, and the system validates the client certificate.

  • verify-full: An SSL connection is established. The system validates the client certificate and checks whether the CN specified in the client certificate is consistent with the username that is used to connect to the RDS instance. This SSL mode is supported for PostgreSQL 12 or later.

Method 2: Configure the pg_hba.cnf file

After SSL encryption is configured, you can use the AD domain services configuration feature provided by ApsaraDB RDS for PostgreSQL to modify the pg_hba.cnf file. This way, the client must connect to the RDS instance over SSL connections.

  1. Go to the Instances page. In the top navigation bar, select the region in which the RDS instance resides. Then, find the RDS instance and click the ID of the instance.
  2. In the left-side navigation pane of the page that appears, click Accounts. On the page that appears, click the AD Domain Services tab.

  3. Change the value of TYPE for the first record to hostssl.

  4. Click Submit.

    Note

    After you click Submit, the status of your RDS instance changes to Maintaining Instance for approximately 1 minute. The new configurations take effect only for new connections. You must close the existing connections and re-establish these connections for the new configurations to take effect.
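To check that the change in step 3 actually closes the non-SSL path, the following added Python example (not code from the ApsaraDB RDS documentation or product) parses pg_hba-style records and lists the ones a client using PGSSLMODE=disable could still match. The rule text is constructed to mirror the "first record" before and after the change; the parser assumes addresses in CIDR notation (no separate netmask field).

```python
from dataclasses import dataclass
from typing import List

@dataclass
class HbaRule:
    conn_type: str   # local | host | hostssl | hostnossl
    database: str
    user: str
    address: str     # empty for "local" records
    method: str      # md5, scram-sha-256, cert, reject, ...

def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse whitespace-separated pg_hba records; '#' comments and blank lines are skipped.
    Assumes CIDR addresses, i.e. one ADDRESS field (a separate netmask field is not handled)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = line.split()
        if f[0] == "local":          # local records have no ADDRESS column
            if len(f) < 4:
                raise ValueError(f"malformed local record: {raw!r}")
            rules.append(HbaRule(f[0], f[1], f[2], "", f[3]))
        else:
            if len(f) < 5:
                raise ValueError(f"malformed record: {raw!r}")
            rules.append(HbaRule(f[0], f[1], f[2], f[3], f[4]))
    return rules

def plaintext_tcp_rules(rules: List[HbaRule]) -> List[HbaRule]:
    """Records a non-SSL TCP client could match: 'host' matches both SSL and non-SSL
    sessions, 'hostnossl' only non-SSL. 'cert' needs a client certificate (so an SSL
    session) and 'reject' never admits anyone, so those records are not reported."""
    return [r for r in rules
            if r.conn_type in ("host", "hostnossl") and r.method not in ("cert", "reject")]

# Constructed sample: first record as it reads before step 3 ...
BEFORE = """
host    all  all  0.0.0.0/0  md5    # matches plaintext TCP as well as SSL
hostssl all  all  ::/0       md5
local   all  all             peer
"""
# ... and after changing its TYPE to hostssl.
AFTER = BEFORE.replace("host    all", "hostssl all", 1)

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        bad = plaintext_tcp_rules(parse_pg_hba(text))
        print(name, "non-SSL TCP records:", [(r.conn_type, r.address, r.method) for r in bad])
```

Because `hostssl` only restricts the transport, pair it with Method 1 (cert, verify-ca or verify-full) when the client certificate itself must also be validated.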