All Products
Search
Document Center

:Enable TLS encryption

Last Updated:Sep 18, 2024

Tair supports the Transport Layer Security (TLS) protocol to provide higher data security. Compared with the SSL protocol, the TLS protocol comes with better encryption technologies and enhanced security.

Background information

TLS builds on the now-deprecated SSL protocol and becomes the widely used standard cryptographic protocol to provide communications security over a computer network. Compared with SSL, TLS has the following advantages:

  • Enhanced encryption: provides encryption by using more powerful technologies such as the Advanced Encryption Standard (AES) algorithm.

  • Enhanced security: uses more secure algorithms and protocols such as the Secure Hash Algorithm 2 (SHA-2).

  • Improved compatibility: serves as an up-to-date protocol that is compatible with more browsers and servers, and supports more encryption protocols and cipher suites.

  • Timely updates: supports real-time updates of encryption algorithms and protocols.

In this context, if you want to encrypt network connections at the transport layer, we recommend that you use TLS. By default, TLS is disabled.

Prerequisites

  • A DRAM-based or persistent memory-optimized instance is created.

  • The instance uses the master-replica architecture to ensure high availability.

  • If a public endpoint is allocated to the instance, release the public endpoint. You can enable TLS encryption for the instance only after the public endpoint is released.

    Note

    If a private endpoint is allocated to a local disk-based cluster instance, release the private endpoint before you enable TLS encryption for the instance.

Precautions

  • After you enable TLS encryption for an instance, you cannot apply for a public endpoint for the instance. If you enable TLS encryption for a local disk-based cluster instance, you also cannot apply for a private endpoint for the instance. Your client can connect to the instance only over a virtual private cloud (VPC) and the TLS protocol. For more information about how to connect to an instance for which TLS is enabled, see Use a client to connect to a Tair instance for which TLS (SSL) encryption is enabled.

  • After TLS encryption is enabled for an instance, the instance cannot be migrated across zones.

  • If you change the endpoint or port number of an instance for which TLS encryption is enabled, renew the TLS certificate of the instance before you connect to the instance. Otherwise, the No subject alternative DNS name matching xxx found error is returned.

Procedure

  1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Click Enable.

  4. In the dialog box that appears, select a TLS version.

    Valid values of the TLS version parameter:

    • TLSv1.3 (recommended): TLS 1.3 was released in 2018 and its specifications are defined in RFC 8446. Compared with TLS 1.2, TLS 1.3 facilitates faster and more secure communication.

    • TLSv1.2 (recommended): TLS 1.2 was released in 2008 and its specifications are defined in RFC 5246. This version comes with more powerful encryption technologies and enhanced security.

    • TLSv1.1: TLS 1.1 was released in 2006 and its specifications are defined in RFC 4346. This version includes fixes for known vulnerabilities found in TLS 1.0.

    • TLSv1.0: TLS 1.0 was released in 1999 and its specifications are defined in RFC 2246. As an upgraded version of SSL 3.0, TLS 1.0 is susceptible to attacks such as BEAST and POODLE.

  5. Click OK.

    Warning

    This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    You can refresh the page to update the TLS status of the instance.

    After you enable TLS, you can click Download SSL Certificate to export the CA certificate to your client. The downloaded package contains the following files:

    • ApsaraDB-CA-Chain.p7b: This file is used to import the CA certificate into the Windows operating system.

    • ApsaraDB-CA-Chain.pem: This file is used to import the CA certificate into non-Windows systems such as Linux or applications.

    • ApsaraDB-CA-Chain.jks: This file stores truststore certificates of Java and is used to import the CA certificate chain into Java applications.

    The CA certificates provided for different instances are the same and can be used to connect to any instance.

Manage TLS settings

After you enable TLS for your instance, you can perform the following operations:

  1. Log on to the Tair console and go to the Instances page. In the top navigation bar, select the region in which the instance that you want to manage resides. Then, find the instance and click the instance ID.

  2. In the left-side navigation pane, click TLS Settings (SSL).

  3. Perform one of the following operations based on your business requirements.

    Operation

    Description

    Renew the CA certificate

    On the page that appears, click Update Certificate. Then, click OK.

    After you enable TLS, the TLS certificate is issued with a default validity period of three years. You cannot specify a custom validity period for the certificate. Tair initiates proactive O&M 20 days before the certificate expires to update the validity period of the certificate. You can choose Events > Scheduled Events to change the O&M time. Alternatively, you can click Update Certificate to renew the CA certificate, and then download and configure the CA certificate again. After the CA certificate is renewed, its validity is extended for another three years.

    Warning

    This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    Change the TLS version

    Click the image icon to the right of TLS version, and select the version to which you want to change from the drop-down list. We recommend that you select TLSv1.2.

    Note

    If the Minimum TLS Version drop-down list is unavailable, update your instance to the latest minor version and try again. For more information, see Update the minor version of an instance.

    Disable TLS encryption

    Turn off TLS Status.

    Warning

    This operation may cause a transient connection that lasts for a few seconds on the instance. We recommend that you perform this operation during off-peak hours and make sure that your application can automatically reconnect to the instance.

    After you renew the CA certificate or change the TLS version, you do not need to download the CA certificate again.

Related API operations

API operation

Description

ModifyInstanceTLS (SSL)

Modifies the TLS (SSL) settings of a Tair instance.

What to do next

Use a client to connect to a Tair instance for which TLS (SSL) encryption is enabled

FAQ

  • Why am I unable to enable TLS for my instance?

    If your instance is a local disk-based instance that uses the read/write splitting architecture, you cannot enable TLS for the instance.