ObjectRocket Redis SSL FAQ
Summary of OR Redis and SSL
ObjectRocket is now offering an additional level of security by providing the option of using SSL encryption between your client(s) and your Redis instance(s). Customers will now have access to either a ServiceNet or Public connection string with or without SSL Encryption via the ObjectRocket control panel. All that you have to do is to use the appropriate connection string when connecting to your instance.
How does this work with existing security?
In general, Redis is not optimized for maximum security but for maximum performance and simplicity. As Redis use cases grow more complex and more integral to an application's architecture, customers want more security around their Redis instances and how they connect to them. ObjectRocket already requires customers to set an Access Control List (ACL) before their Redis instance is usable, and requires password authentication every time that they connect to their Redis instance. ObjectRocket also uses containerization to isolate each Redis instance and its associated resources, such as the endpoints that the user connects to. Providing customers with the ability to use SSL encryption adds another layer of security all the way back to their client(s).
Currently, SSL encryption is only available on new Redis instances. Simply create a new Redis instance and you will see the SSL encryption connection strings. All existing Redis instances will not initially have SSL capability. We’ll be enabling SSL Encryption across all legacy Redis instances without any interruptions to you in the coming weeks. If you want to enable SSL encryption on an existing ObjectRocket Redis instance(s) prior to us enabling it, just open a ticket with our support team and we’ll be happy to help with the migration to a new Redis instance.
How do I enable SSL Encryption?
You don’t need to do anything to enable SSL Encryption on a Redis instance, provided it’s newly created. All new Redis instances have SSL encryption enabled by default. You will simply be presented with an extra set of connection strings that are specific to SSL. Currently, you are presented with both a Public and ServiceNet connection string. Going forward, you will be presented with two additional connection strings that are meant for SSL connections.
What do I need to do with my application to use SSL Encryption?
You may need to use some type of SSL proxy in order to handle the SSL handshake that takes place between your client and the Redis endpoint. An example of this would be stunnel. Once you have a proxy in place, all you need to do is point your application to the desired SSL connection string. There should be no additional code changes required in your application, unless you’re using a driver with built-in SSL support, as these generally have an additional connection option to specify SSL connectivity.
Certificates & Fingerprints
In order to encrypt your data in transit, it is recommended that you download the certificate authority (also called certification authority) certificate from Rackspace to verify the authenticity of the certificate that Rackspace is using during the handshake process. You can download the certificate authority here.
In the Control Panel you’ll also be provided with a key fingerprint next to the SSL connection strings. You can use this fingerprint to verify the encrypted connection during the handshake process.
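The two checks described above (CA validation plus the Control Panel fingerprint) can be combined in a client, shown here as an added example that is not ObjectRocket's own code. It assumes the published fingerprint is a hex SHA-1 or SHA-256 digest of the DER-encoded server certificate, in the form `openssl x509 -fingerprint` prints; the function names and the sample bytes are hypothetical.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed stand-in for DER certificate bytes (not a real certificate).
SAMPLE_CERT_DER = b"constructed-stand-in-for-der-certificate-bytes"

# Assumption: the digest algorithm is inferred from the fingerprint's hex length.
_DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_fingerprint(text):
    """Drop an optional 'SHA256 Fingerprint=' prefix, colons and whitespace."""
    value = text.split("=", 1)[-1]
    return "".join(ch for ch in value if ch not in ": \t\n").lower()


def fingerprint_matches(cert_der, expected):
    """Hash the certificate and compare with the pinned value in constant time."""
    pinned = normalize_fingerprint(expected)
    algo = _DIGEST_BY_HEX_LEN.get(len(pinned))
    if algo is None or any(c not in "0123456789abcdef" for c in pinned):
        raise ValueError("unrecognised fingerprint format")
    actual = hashlib.new(algo, cert_der).hexdigest()
    return hmac.compare_digest(actual, pinned)


def open_verified(host, port, ca_file, expected_fingerprint, timeout=5.0):
    """Return a TLS socket only if CA, hostname and fingerprint checks all pass."""
    # create_default_context enables CERT_REQUIRED and hostname checking;
    # ca_file is the downloaded certificate authority file.
    ctx = ssl.create_default_context(cafile=ca_file)
    raw = socket.create_connection((host, port), timeout=timeout)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except Exception:
        raw.close()
        raise
    if not fingerprint_matches(tls.getpeercert(binary_form=True), expected_fingerprint):
        tls.close()
        raise ssl.SSLError("server certificate does not match pinned fingerprint")
    return tls
```

A fingerprint mismatch closes the connection before any Redis password is sent, so the AUTH step should only run on the socket returned by `open_verified`.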
What is the expected performance impact when I use SSL Encryption?
With any added step between your client and our Redis endpoints, there will be some type of network impact. Through our testing, we expect that there is a <5% latency increase by using the SSL connections. For most customers our expectations are that this impact will be much smaller. As always, we recommend that customers do some performance testing with SSL Encryption before fully implementing the solution if possible. Please contact our support team if you’d like help setting up a staging instance alongside production for testing.