ObjectRocket Redis SSL FAQ
This document provides answers to frequently asked questions about using Secure Sockets Layer (SSL) with the hosted Redis offering from ObjectRocket.
How does ObjectRocket Redis use SSL?
ObjectRocket offers an extra level of security by providing the option to use SSL encryption between your clients and your Redis instances. Customers now have access to either a ServiceNet or Public connection string with or without SSL encryption via the ObjectRocket Control Panel. Use the appropriate connection string when you connect to your instance.
How does SSL work with existing security?
Redis isn’t optimized for maximum security but for maximum performance and simplicity. As Redis use cases grow more complex and more integral to an application’s architecture, customers want more security around their Redis instances and how they connect to them. ObjectRocket already requires customers to set an Access Control List (ACL) before their Redis instance is usable. ObjectRocket also requires password authentication every time customers connect to their Redis instance. Additionally, ObjectRocket uses containerization to isolate each Redis instance and its associated resources, like the endpoints that the user connects to. Providing customers with the ability to use SSL encryption adds another layer of security.
Which ObjectRocket offerings have SSL availability?
SSL encryption is only available on new Redis instances. Create a new Redis instance, and the SSL encryption connection strings display.
How do I enable SSL Encryption?
You don’t need to do anything to enable SSL encryption for a new Redis instance. By default, all new Redis instances have SSL encryption enabled. You receive a public connection string, a ServiceNet connection string, and two SSL connection strings.
How do I enable SSL encryption for my application?
You might need to use some type of SSL proxy to handle the SSL handshake that takes place between your client and the Redis endpoint. An example of this is stunnel. After you have a proxy in place, point your application to the appropriate SSL connection string. Unless you’re using a driver with built-in SSL support and an extra connection option to specify SSL connectivity, you don’t need to make any additional code changes to your application.
What certificates and fingerprints do I need to enable SSL encryption?
For data encryption in transit, ObjectRocket recommends downloading a certificate authority (CA) certificate from Rackspace to verify the authenticity of the certificate that Rackspace uses during the handshake process. You can download the certificate authority here.
In the Control Panel, you also receive a key fingerprint next to the SSL connection strings. You can use this fingerprint to verify the encrypted connection during the handshake process.
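The following stunnel client section is an added example, not ObjectRocket's own configuration. It shows the proxy mentioned earlier using the downloaded CA to verify the endpoint during the handshake. The service name, local port, file path, and the values in angle brackets are placeholders and assumptions.

```ini
; stunnel client section (constructed example; replace the <placeholders>)

[objectrocket-redis]
; Act as a TLS client in front of a Redis driver that speaks plaintext.
client = yes

; Listen on loopback only, so the unencrypted hop never leaves this host.
accept = 127.0.0.1:6379

; Host and port taken from the SSL connection string in the Control Panel.
connect = <ssl-endpoint-host>:<ssl-endpoint-port>

; CA certificate downloaded from Rackspace (the path is an assumption).
CAfile = /etc/stunnel/<rackspace-ca>.pem

; stunnel does not verify the server certificate unless told to.
; Without this line the tunnel is encrypted but the peer is unauthenticated.
verifyChain = yes

; Require the certificate to match the endpoint host name.
checkHost = <ssl-endpoint-host>
```

With this layout the Redis client connects to 127.0.0.1:6379 and still sends its password, which stunnel carries to the endpoint inside the encrypted session.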
What is the expected performance impact of using the SSL Encryption?
Any added step between your client and the ObjectRocket Redis endpoints has some network impact. ObjectRocket testing suggests a latency increase of less than 5% when using the SSL connections. We expect this impact to be much smaller for most customers. Customers should do some performance testing with SSL encryption before fully implementing the solution, if possible. Contact the ObjectRocket Support team if you’d like help setting up a staging instance alongside production for testing.