Encrypt data in transit between clients and your Tair (Redis OSS-compatible) instance with TLS. TLS is disabled by default.
Prerequisites
Verify the following:
- Your instance is one of the following types:
  - Tair (Enterprise Edition) memory-optimized instance
  - Tair (Enterprise Edition) persistent memory instance
  - Redis Open-Source Edition 5.0, 6.0, or 7.0 instance
- Your instance uses the master-replica architecture.
- Any public endpoint has been released.
- Any private endpoint allocated to a cluster instance has been released.
Limitations
| Limitation | Impact | What to do |
|---|---|---|
| Connection overhead | TLS handshakes consume more resources and time than plain connections. | Use persistent connections to reduce handshake frequency. |
| Data transfer overhead | Encryption overhead scales with payload size. | Test in your environment to evaluate the impact. |
| No public endpoint | Public endpoints become unavailable. For classic-network cluster instances, direct connection endpoints also become unavailable. | Connect over a VPC. Connect to a TLS-enabled instance. |
| No zone migration | Zone migration becomes unavailable. | Plan your zone selection before enabling TLS. |
| Endpoint or port changes | Changing the endpoint or port causes the error `No subject alternative DNS name matching xxx found`. | Update the TLS certificate after changing the endpoint or port. |
Enable TLS encryption
1. Log on to the console. On the Instances page, select the region and click the instance ID.
2. In the left-side navigation pane, click TLS Settings (SSL).
3. Click Enable.
4. In the dialog box, select a TLS version.

   | Version | Description |
   |---|---|
   | TLSv1.3 (Default, Recommended) | RFC 8446 (2018). Faster and more secure than TLSv1.2. Requires Redis engine 5.5+ and proxy minor version 7.0.1+. If unavailable in the console, upgrade the minor version first. |
   | TLSv1.2 | RFC 5246 (2008). Strong encryption. |
   | TLSv1.1 | RFC 4346 (2006). Fixes TLSv1.0 vulnerabilities. |
   | TLSv1.0 | RFC 2246 (1999). Based on SSL 3.0. Vulnerable to BEAST and POODLE attacks. |

5. Click OK.

   Warning: This restarts the instance and may cause a brief connection interruption of a few seconds. Perform this during off-peak hours and ensure your application supports automatic reconnection.

6. Refresh the page to verify the TLS status.
Download the CA certificate
On the TLS Settings (SSL) page, click Download CA Certificate. The package contains:
| File | Description |
|---|---|
| ApsaraDB-CA-Chain.p7b | CA certificate for Windows |
| ApsaraDB-CA-Chain.pem | CA certificate for Linux, other systems, or applications |
| ApsaraDB-CA-Chain.jks | Java truststore for importing the CA certificate chain |
The CA certificate is shared across all Tair instances under your account and is not password-protected.
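The following client, added here as an example and not part of the product documentation, shows what a correctly configured connection looks like after TLS is enabled: it trusts only the downloaded `ApsaraDB-CA-Chain.pem`, refuses protocol versions below TLSv1.2, and keeps hostname verification on, which is the check behind the `No subject alternative DNS name matching ... found` error listed under Limitations. The endpoint, port, password, and CA path are placeholders; the RESP framing for AUTH and PING is written by hand so that only the standard library is needed.

```python
import socket
import ssl

# Placeholder connection details (assumed, not values from the documentation).
TAIR_HOST = "PLACEHOLDER-ENDPOINT.redis.rds.aliyuncs.com"
TAIR_PORT = 6379
CA_FILE = "ApsaraDB-CA-Chain.pem"  # file from the downloaded CA package


def make_tls_context(cafile=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Client context that pins trust to the supplied CA chain, rejects
    anything older than min_version and enforces hostname verification.
    A mismatch between the endpoint and the certificate's SAN entries
    fails here, which is why the certificate must be updated after an
    endpoint or port change."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = min_version
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def encode_resp(args):
    """Serialise one command as a RESP array (the Redis wire format)."""
    out = [f"*{len(args)}\r\n".encode()]
    for arg in args:
        data = arg.encode() if isinstance(arg, str) else arg
        out.append(f"${len(data)}\r\n".encode() + data + b"\r\n")
    return b"".join(out)


def tls_ping(host, port, ctx, password=None, timeout=5.0):
    """Open a TLS session, optionally AUTH, send PING and return the
    negotiated protocol version together with the server's reply line."""
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # server_hostname drives both SNI and the SAN/hostname check.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            if password:
                tls.sendall(encode_resp(["AUTH", password]))
                if not tls.recv(1024).startswith(b"+OK"):
                    raise RuntimeError("AUTH rejected by the instance")
            tls.sendall(encode_resp(["PING"]))
            reply = tls.recv(1024).decode().strip()
            return tls.version(), reply


if __name__ == "__main__":
    context = make_tls_context(CA_FILE)
    print(tls_ping(TAIR_HOST, TAIR_PORT, context, password="PLACEHOLDER-PASSWORD"))
```

Pass `min_version=ssl.TLSVersion.TLSv1_3` once the instance's minor version supports TLSv1.3, so a downgraded handshake is rejected on the client side as well.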
Manage TLS settings
On the TLS Settings (SSL) page, you can update certificates, change versions, or disable TLS.
Update the CA certificate
Click Update Certificate, and then click OK.
Certificates expire after 3 years (non-customizable). Automatic renewal is scheduled 20 days before expiry. To reschedule, go to Event Center > Scheduled Events. Click Update Certificate at any time to extend validity by 3 years.
This may cause a brief connection interruption of a few seconds. Perform this during off-peak hours and ensure your application supports automatic reconnection.
You do not need to re-download the certificate after updating the certificate or changing the TLS version.
Change the TLS version
Click the edit icon next to TLS version and select a version. TLSv1.3 is recommended and requires Redis engine 5.5+ and proxy minor version 7.0.1+.
If the Minimum TLS version drop-down list is unavailable, upgrade the minor version and the proxy version of the instance, then try again.
Disable TLS encryption
Turn off the switch next to TLS Status.
This restarts the instance and may cause a brief connection interruption of a few seconds. Perform this during off-peak hours and ensure your application supports automatic reconnection.
FAQ
Why can't I enable TLS for my instance?
TLS is not supported for instances that use the read/write splitting architecture in the classic network.
Related API
| API | Description |
|---|---|
| | Configures TLS (SSL) encryption for an instance. |