Amazonrds 简明教程

Amazon RDS - MS SQL DB with SSL

为了保护数据不被非预期的用户查看,我们可以在客户端应用程序和 RDS DB 实例之间使用连接加密。加密适用于所有 AWS 区域以及 AWS RDS 支持的所有 DB 类型。在本节中,我们将看到如何启用 MSSQL Server 的加密。

To protect data from being viewed by unintended parties, we can use connection encryption between the client application and the RDS DB instance. Encryption is available in all AWS regions and for all the DB types supported by AWS RDS. In this chapter we will see how encryption is enabled for MSSQL Server.

有两种方法可以启用加密。

There are two ways to enable encryption.

  1. Force SSL for all connections — this happens transparently to the client, and the client doesn’t have to do any work to use SSL.

  2. Encrypt specific connections — this sets up an SSL connection from a specific client computer, and you must do work on the client to encrypt connections.

Force SSL

在此种方法中,我们强制来自 DB 客户端的所有连接都使用 SSL。这可以通过使用 rds.force_ssl 参数来实现。将 rds.force_ssl 参数设置为 true,以便强制连接使用 SSL。因为它是一个静态参数,我们必须重启 DB 实例才能让更改生效。下图显示了如何通过访问 DB 参数设置页面来重置 rds.force_ssl 参数的值。

In this approach we force all the connections form the DB client to use SSL. This is done by using the rds.force_ssl parameter. Set the rds.force_ssl parameter to true to force connections to use SSL. As it is a static parameter, we must reboot your DB instance for the change to take effect. The below diagram shows how to reset the value by visiting the DB parameters settings page to set the value for rds.force_ssl parameter.

SSL force conn

Encrypting Specific Connections

我们只能加密特定客户端计算机到 RDS DB 实例的连接。为了做到这一点,我们需要在客户端计算机上安装证书。以下是安装证书的步骤。

We can encrypt connections from specific client computers only to the RDS DB Instance. In order to do this, we need to install certificate on the client computer. Below are the steps to install the certificate.

Step-1

here 下载证书到客户端计算机。

Download the certificate to the client computer from here .

Step-2

按照路径 Windows → 运行 → 输入 MMC 并回车。它将打开以下窗口。

Follow the path Windows → Run → type MMC and enter. It opens the following window.

ssl mmc 1

Step-3

在“添加或删除管理单元”对话框中,选择“可用管理单元”中的“证书”,然后选择“添加”。

In the Add or Remove Snap-ins dialog box, for Available snap-ins, select Certificates, and then choose Add.

ssl mmc 2

Step-4

按照路径计算机帐户 → 本地计算机 → 完成。

Follow the Path Computer Account → Local Computer → Finish.

Step-5

在 MMC 控制台中,展开“证书”,为“受信根证书颁发机构”打开上下文(右键单击)菜单,选择“所有任务”,然后选择“导入”。

In the MMC console, expand Certificates, open the context (right-click) menu for Trusted Root Certification Authorities, choose All Tasks, and then choose Import.

image::https://www.iokays.com/tutorialspoint/amazonrds/_images/ssl_mmc_3.JPG [ ssl_mmc_3 .JPG ]

Step-6

选择在上一步骤中下载的 .pem 文件,然后通过选择默认值并单击“下一步”,完成导入向导。

Select the .pem file downloaded in the previous step and finish the import wizard by choosing the default values and clicking next.

Step-7

我们可以看到已安装的证书如下所示。

We can see the certificate installed as below.

image::https://www.iokays.com/tutorialspoint/amazonrds/_images/ssl_mmc_4.JPG [ ssl_mmc_4 .JPG ]

Step-8

当使用 SSMS 连接到 AWS RDS MSSQL Db 实例时,展开“选项”选项卡并选择“加密连接”。

When connecting to AWS RDS MSSQL Db instance using SSMS, expand the options tab and choose Encrypt connection.

image::https://www.iokays.com/tutorialspoint/amazonrds/_images/ssl_mmc_5.JPG [ ssl_mmc_5 .JPG ]

现在,该计算机与 RDS 之间的客户端连接将被加密。

Now the client connection to RDS from this computer will be encrypted.