Updated on 2024-12-02 GMT+08:00

Connecting to an Instance over SSL

GeminiDB Redis allows you to connect to a GeminiDB Redis instance through Redis-cli in SSL mode for data encryption and higher security. This section describes how to connect to a GeminiDB Redis instance using SSL.

Precautions

  • The instances must be in the same VPC subnet as the ECS.
  • The ECS must be in a security group that has access to the instances. For details, see Configuring Security Group Rules for Nodes.
  • After the SSL connection is enabled, download the SSL certificate for your applications to access to the GeminiDB Redis instance.
  • If the SSL connection is used, ensure that the Redis client, for example, Redis-cli 6.x, supports SSL.

Prerequisites

An ECS has been created. The following uses a Linux ECS as an example. For details, see Purchasing an ECS in Getting Started with Elastic Cloud Server.

Procedure

  1. Log in to the ECS. For details, see Logging In to an ECS in Getting Started with Elastic Cloud Server.
  2. Download the Redis client.

    Method 1

    Run the following command to download the Redis client.

    wget https://download.redis.io/releases/redis-6.2.6.tar.gz

    Method 2

    Download the Redis client and upload the Redis client installation package to the ECS.

  3. Obtain the SSL certificate.

    Click the target instance name. On the Basic Information page, in the Connection Information area, click the download button in the SSL field to obtain the SSL certificate.

    Figure 1 Obtaining the SSL certificate

  4. Upload the SSL certificate to the ECS.
  5. Check the OpenSSL version supported by the ECS OS.

    openssl version
    • The SSL function provided by GeminiDB Redis supports only TLS 1.3 or later.
    • The OpenSSL version in the ECS OS must be 1.1.1 or later so that redis-cli can support TLS 1.3 or later.
    • If the OS version is earlier than 1.1.1, perform the following steps to install OpenSSL:
      wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
      tar -zxvf openssl-1.1.1m.tar.gz
      cd openssl-1.1.1m/
      ./config --prefix=/usr/local/openssl-1.1.1m_install_dir
      make
      make install

      After OpenSSL is installed, go to 6.

    • If the OS is 1.1.1 or later, go to 6.

  6. Decompress the client package.

    tar -xzf redis-6.2.6.tar.gz

  7. Connect to the instance in the src directory.

    • If the required OpenSSL version has been installed by performing 5 and the version is earlier than 1.1.1, you can connect to the DB instance using the following method:
      cd redis-6.2.6
      make BUILD_TLS=yes OPENSSL_PREFIX=/usr/local/openssl-1.1.1m_install_dir
      cd src
      LD_PRELOAD=/usr/local/openssl-1.1.1m_install_dir/lib/libssl.so.1.1:/usr/local/openssl-1.1.1m_install_dir/lib/libcrypto.so.1.1 ./redis-cli -h <DB_HOST> -p <DB_PORT> -a <DB_PWD> --tls --cacert <CACERT_PATH>

      For example:

      LD_PRELOAD=/usr/local/openssl-1.1.1m_install_dir/lib/libssl.so.1.1:/usr/local/openssl-1.1.1m_install_dir/lib/libcrypto.so.1.1 ./redis-cli -h 192.168.0.208 -p 8635 -a <DB_PWD> --tls --cacert ./cacert.crt
    • If the OpenSSL version in the ECS OS is 1.1.1 or later, you can connect to the DB instance using the following method:
      cd redis-6.2.6
      make BUILD_TLS=yes
      cd src
      ./redis-cli -h <DB_HOST> -p <DB_PORT> -a <DB_PWD> --tls --cacert <CACERT_PATH>

      For example:

      ./redis-cli -h 192.168.0.208 -p 8635 -a <DB_PWD> --tls --cacert ./cacert.crt
    Table 1 Parameter Description

    Parameter

    Description

    <DB_HOST>

    The private IP address of the instance to be accessed.

    To obtain this IP address, go to the Instances page, locate the instance, and click its name. The IP address can be found in the Private IP Address field under Node Information on the Basic Information page.

    If the instance you purchased has multiple nodes, select the private IP address of any node.

    <DB_PORT>

    Port for accessing the target instance. Configure this parameter based on service requirements.

    To obtain the port number, perform the following steps:

    On the Instances page, locate the instance and click its name. On the Basic Information page, in the Network Information area, view the database port.

    <DB_PWD>

    Specifies the administrator password set when you buy a GeminiDB Redis instance.

    <CACERT_PATH>

    Path of the SSL certificate.

  8. If information similar to the following is displayed, the connection was successful.

    IP:port>