Configure SSL encryption

Last Updated: Jul 12, 2024

This topic describes how to enable SSL encryption for an instance to secure the connections between clients and the instance. After you enable SSL encryption, you must install SSL certificates that are issued by certificate authorities (CAs) in your application. SSL encryption encrypts connections at the transport layer to increase data security and ensure data integrity.

Prerequisites

Usage notes

  • Tair upgrades SSL encryption to Transport Layer Security (TLS) encryption. Starting April 7, 2023, you cannot enable SSL encryption for your instance. If you have enabled SSL encryption for your instance, you can disable SSL encryption or continue to use SSL encryption. After you disable SSL for your instance, you can no longer enable SSL encryption for the instance. For more information, see Encryption upgrade from SSL to TLS.

    Note

    We recommend that you use TLS encryption to increase data security. For more information, see Enable TLS encryption.

  • An SSL certificate remains valid for three years. Before the SSL certificate in use expires, you must update its validity period. You must then download the required SSL certificate file and configure the certificate again. Otherwise, clients cannot connect to your instance over an encrypted connection.

  • SSL encryption may cause higher network latency for Tair instances. Therefore, we recommend that you enable this feature only when encryption is needed. For example, if you connect to an instance of Tair over the Internet, you can enable SSL encryption for the instance.

  • After you enable SSL encryption for an instance, both SSL and non-SSL connections are supported.

Procedure

  1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Perform one of the following operations based on your business needs.

    | Operation | Description |
    | --- | --- |
    | Enable or disable SSL encryption | Turn on or off SSL Certificate Information. |
    | Renew the CA certificate | Click Update Certificate in the upper-right corner and then click OK. The CA certificate remains valid for three years. You can click Update Certificate and then download and configure the CA certificate again. After the CA certificate is renewed, it is valid for another three years. |
    | Download the CA certificate | In the upper-right corner, click Download SSL Certificate. |

    Warning

    The instance restarts after you enable SSL encryption or update the certificate validity period. The instance may experience a transient disconnection that lasts for a few seconds. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

FAQ

  • What do I do if the "version not supported" error message appears?

    You must update your instance to the latest minor version. For more information, see Update the minor version of an instance.

  • What files are included in the downloaded CA certificate package?

    The downloaded CA certificate package consists of the following files:

    • ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.

    • ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into other operating systems such as Linux or applications.

    • ApsaraDB-CA-Chain.jks: This file stores truststore certificates of Java and is used to import the CA certificate chain into Java applications.
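As an added example (not Alibaba Cloud's code), the following Python check connects with ApsaraDB-CA-Chain.pem as the only trust anchor and reports how close the server certificate is to the expiry described in the usage notes. The 30-day alert window, the function names, and the assumption that the certificate matches the endpoint hostname are assumptions of this example.

```python
import socket
import ssl
import time

CA_FILE = "ApsaraDB-CA-Chain.pem"  # from the downloaded CA certificate package
RENEW_WINDOW_DAYS = 30             # assumed alert threshold, not from the page


def build_context(ca_file=CA_FILE):
    """Client context that trusts only the downloaded CA chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=ca_file)
    return ctx


def peer_not_after(host, port, ctx):
    """Handshake with the instance and return the certificate's notAfter."""
    with socket.create_connection((host, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def days_left(not_after, now=None):
    """Whole days until notAfter (negative once the certificate has expired)."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)


def renewal_status(not_after, now=None, window=RENEW_WINDOW_DAYS):
    """Classify a notAfter value as 'expired', 'renew' or 'ok'."""
    days = days_left(not_after, now)
    if days < 0:
        return "expired"
    return "renew" if days <= window else "ok"


def check_instance(host, port, ca_file=CA_FILE):
    """Return the renewal status, or 'verify-failed' if the handshake is rejected."""
    try:
        return renewal_status(peer_not_after(host, port, build_context(ca_file)))
    except ssl.SSLCertVerificationError:
        # The chain did not validate: the certificate has expired, or it was
        # updated in the console and the new package was not deployed here.
        return "verify-failed"


if __name__ == "__main__":
    import sys
    print(check_instance(sys.argv[1], int(sys.argv[2])))
```

Run it with the instance endpoint and port as arguments from the directory that holds the downloaded .pem file.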

Methods to establish SSL connections

Related operations

| API operation | Description |
| --- | --- |
| ModifyInstanceSSL | Enables SSL encryption for a Tair instance. |