Configure SSL encryption

更新时间:
复制 MD 格式

Enable Secure Sockets Layer (SSL) encryption and install the CA certificate on your applications to secure data in transit. SSL encrypts connections at the transport layer, which improves data security and integrity but increases connection response time.

Usage notes

  • An SSL certificate expires after one year. Renew it before expiration to avoid connection failures.
  • SSL encryption can significantly increase CPU utilization. Enable it only for internet-facing instances — internal network connections are generally secure.

Enable SSL encryption

Warning This operation restarts the instance. Perform it during off-peak hours to avoid service interruptions.
  1. Log on to the AnalyticDB for PostgreSQL console.
  2. In the upper-left corner of the console, select a region.
  3. Find the instance that you want to manage and click the instance ID.
  4. In the left-side navigation pane, click Security Controls.
  5. Click the SSL Encryption tab.
  6. Turn on the SSL Encryption switch.
  7. In the Enable SSL Encryption dialog box, click OK.
  8. When the SSL Encryption status changes to Enabled, click Download Certificate.
    The downloaded archive contains the following files:
    • .p7b file: Imports the CA certificate into Windows.
    • .pem file: Imports the CA certificate into other operating systems or applications.
    • .jks file: Imports the CA certificate chain into Java applications. The keystore password is apsaradb.

      For JDK 7 or JDK 8, modify the following settings in the jre/lib/security/java.security file on the host:

      jdk.tls.disabledAlgorithms=SSLv3, RC4, DH keySize < 224
      jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024

      Without these changes, the following error may occur due to Java security configurations.

      javax.net.ssl.SSLHandshakeException: DHPublicKey does not comply to algorithm constraints

Update the validity period

Warning This operation restarts the instance. Perform it during off-peak hours to avoid service interruptions.
  1. Log on to the AnalyticDB for PostgreSQL console.
  2. In the upper-left corner of the console, select a region.
  3. Find the instance that you want to manage and click the instance ID.
  4. In the left-side navigation pane, click Security Controls.
  5. Click the SSL Encryption tab.
  6. Click Update Validity next to SSL Encryption.
  7. In the Update SSL Certificate Validity dialog box, click OK.

Disable SSL encryption

Warning This operation restarts the instance. Perform it during off-peak hours to avoid service interruptions.
  1. Log on to the AnalyticDB for PostgreSQL console.
  2. In the upper-left corner of the console, select a region.
  3. Find the instance that you want to manage and click the instance ID.
  4. In the left-side navigation pane, click Security Controls.
  5. Click the SSL Encryption tab.
  6. Turn off the SSL Encryption switch.
  7. In the Disable SSL Encryption dialog box, click OK.

API reference

API Description
DescribeDBInstanceSSL Queries SSL encryption details for an instance.
ModifyDBInstanceSSL Enables or disables SSL encryption, or updates the validity period of an SSL certificate.