Configuring TLS Support with certificate authentication in a non-Java Db2 client

You can configure non-Java Db2 database clients, such as CLI, CLP, and .NET Data Provider clients, to support Transport Layer Security (TLS) with certificate authentication. With certificate authentication, the client authenticates to a Db2 for z/OS server with the certificate and private key held in its keystore, rather than with a user ID and password, over the TLS connection.

About this task

This task configures TLS and certificate authentication support in a non-Java Db2 client. To configure TLS support in a Db2 client without certificate authentication, see the following topics:
  • Configuring TLS Support in a non-Java Db2 client using a keystore
  • Configuring TLS Support in a non-Java Db2 client using a certificate file
Note: Certificate authentication is supported only for connections to Db2 for z/OS. Db2 for Linux, UNIX, and Windows does not support certificate authentication.

Procedure

  1. On a computer where gsk8capicmd_64 is available, create the client keystore (key database).
    This can be done on the server computer, or on a client computer where GSKit has been installed separately from the client. For more information, see Introduction to Global Security Kit installation.
    gsk8capicmd_64 -keydb -create -db "client.p12" -pw "myClientPassw0rdpw0" -stash
    where -stash creates a stash file at the same path as the key database, with a file extension of .sth. At connect time, GSKit uses the stash file to obtain the password to the key database. The stash file holds that password in obfuscated, not encrypted, form: anyone who can read it can open the keystore, so protect it exactly as you protect the key database.
  2. Add the server certificate to the client keystore.
    If the server certificate is self-signed, ask your administrator to extract the certificate from the server into an ASCII-formatted (Base64-encoded) file. If the server certificate is signed by a third-party CA, obtain the CA's root certificate instead. This can be done by asking the CA, and it is usually provided when the server certificate is signed.
    Note: The root certificate must be used on the client when configuring TLS support for a CA-signed server certificate.
    gsk8capicmd_64 -cert -add -db "client.p12" -stashed -label "myServerCert" -file "server.pem" -format ascii
  3. Configure an authentication certificate.
    To successfully configure certificate authentication, the client keystore must contain a certificate and private key that identifies the client. The procedure is similar to creating a certificate in a Db2 server.
    To create an authentication certificate that is self-signed, see Creating a self-signed certificate with GSKit. To create an authentication certificate that is signed by a third party, a certificate signing request (CSR) must be created in the client's keystore, the CA's root and intermediate certificates must be added to the keystore, and the signed client certificate returned by the CA must be received into the keystore under the same label as the CSR.
    Note: For information on how to use an authentication certificate where both the certificate and private key have been provided by a 3rd party, see Adding a certificate chain.
  4. When the authentication certificate has been created, extract the certificate to a Base64-encoded certificate file and send it to your system administrator for configuration in the Db2 server.
    Replace -label clientCert with the label of the authentication certificate.
    gsk8capicmd_64 -cert -extract -db client.p12 -stashed -label clientCert -target clientCert.crt -format ascii
    Note: Always use the -extract option when moving certificates into a certificate file for other nodes in your network, never the -export option. The -extract option writes only the public certificate. The -export option copies the certificate together with its private key out of your keystore, so the file would expose the private key to everyone it is sent to.
  5. Save the extracted certificate in a convenient location and send it to your system administrator.
  6. Copy the key database and stash file to the client computer.
    Ensure that the user who runs the client application can read both the key database and the stash file, and that no other user can: the stash file is equivalent to the keystore password, and the key database contains the client's private key. To configure your client application, set the appropriate connection string or configuration parameters, as shown in the applicable example for your client.
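The six steps above, carried through as one bash script. This is an added example, not a script from the page or from IBM: the working directory, the certificate labels, the distinguished name, the key size, signature algorithm and validity period are choices made here; the keystore password is read from the KEYDB_PW environment variable so that it is not typed on the command line; and the client certificate is self-signed (a CA-signed flow with -certreq -create and -cert -receive is included as a function that is not called by default; its SIGNED_CERT path is also assumed). The script ends with the step 6 check that neither the key database nor the stash file is readable by group or others.

```shell
#!/usr/bin/env bash
# Added example (not from the page): client keystore for Db2 certificate
# authentication, built with gsk8capicmd_64. Paths, labels, DN and key
# parameters below are assumptions of this example.
set -eu

KEYDIR="${KEYDIR:-$HOME/db2tls}"                     # assumed working directory
KEYDB="$KEYDIR/client.p12"
STASH="$KEYDIR/client.sth"                           # written by -stash next to the .p12
SERVER_CERT="${SERVER_CERT:-$KEYDIR/server.pem}"     # CA root, or the self-signed server cert, Base64
SERVER_LABEL="myServerCert"
CLIENT_LABEL="clientCert"
CLIENT_DN="${CLIENT_DN:-CN=db2client01,O=Example,C=US}"   # assumed subject of the client cert

# Step 1: key database plus stash file. The password comes from the environment
# so it is not left in shell history; the stash file holds it in obfuscated form
# and must be protected exactly like the keystore itself.
create_keystore() {
    local pw="${KEYDB_PW:?export KEYDB_PW (keystore password) before running}"
    gsk8capicmd_64 -keydb -create -db "$KEYDB" -pw "$pw" -stash
}

# Step 2: trust the server's CA root (or its self-signed certificate).
add_server_cert() {
    gsk8capicmd_64 -cert -add -db "$KEYDB" -stashed -label "$SERVER_LABEL" \
        -file "$SERVER_CERT" -format ascii
}

# Step 3 (self-signed variant): the client's own certificate and private key.
create_client_cert() {
    gsk8capicmd_64 -cert -create -db "$KEYDB" -stashed -label "$CLIENT_LABEL" \
        -dn "$CLIENT_DN" -size 2048 -sigalg SHA256_WITH_RSA -expire 365
}

# Step 3 (CA-signed variant, not called by default): create a CSR under the same
# label, have the CA sign it, add the CA chain as in step 2, then receive the
# signed certificate into the keystore. SIGNED_CERT is an assumed path.
request_and_receive_client_cert() {
    gsk8capicmd_64 -certreq -create -db "$KEYDB" -stashed -label "$CLIENT_LABEL" \
        -dn "$CLIENT_DN" -size 2048 -sigalg SHA256_WITH_RSA -file "$KEYDIR/$CLIENT_LABEL.csr"
    gsk8capicmd_64 -cert -receive -db "$KEYDB" -stashed \
        -file "${SIGNED_CERT:-$KEYDIR/$CLIENT_LABEL.arm}"
}

# Step 4: extract the public certificate only. -export would also carry the
# private key out of the keystore.
extract_client_cert() {
    gsk8capicmd_64 -cert -extract -db "$KEYDB" -stashed -label "$CLIENT_LABEL" \
        -target "$KEYDIR/$CLIENT_LABEL.crt" -format ascii
}

# Step 6 check: 0 when $1 exists and its mode grants nothing to group or other
# (600, 400, ...). Anyone who can read the stash can open the keystore.
check_private_mode() {
    local f="$1" mode
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

main() {
    mkdir -p "$KEYDIR"
    chmod 700 "$KEYDIR"
    create_keystore
    add_server_cert
    create_client_cert
    extract_client_cert
    chmod 600 "$KEYDB" "$STASH"
    check_private_mode "$KEYDB" && check_private_mode "$STASH" ||
        { echo "keystore or stash is readable by other users" >&2; exit 1; }
    echo "send $KEYDIR/$CLIENT_LABEL.crt to the Db2 for z/OS administrator (step 5);"
    echo "copy $KEYDB and $STASH to the client, keeping mode 600 (step 6)"
}

# Run the GSKit steps only where the tool exists; the functions stay usable
# for sourcing or inspection elsewhere.
if command -v gsk8capicmd_64 >/dev/null 2>&1; then
    main
else
    echo "gsk8capicmd_64 not found: run this on a host where GSKit is installed" >&2
fi
```

Run it as `KEYDB_PW='...' ./build-client-keystore.sh` on the GSKit host; the .crt file it prints is the only artifact that leaves the host, and the .p12 and .sth files travel to the client together with their 600 mode.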

Example

Example 1: Connecting to a Db2 for z/OS database from a CLI/ODBC application, using a connection string:

Use a connection string that contains the Security=SSL, SSLClientKeystoredb, SSLClientKeystash, Authentication, and SSLClientLabel keywords when you call the SQLDriverConnect function. For example:
"Database=sampledb; Protocol=tcpip; Hostname=myhost; Servicename=50001;
Security=ssl; SSLClientKeystoredb=/home/db2inst1/client.p12;
SSLClientKeystash=/home/db2inst1/client.sth;Authentication=CERTIFICATE;SSLClientLabel=clientCert;"

Example 2: Connecting to a Db2 for z/OS database from a CLI/ODBC application, using a db2cli.ini configuration file:

Use the db2cli.ini file to set the needed connection parameters:
[sampledb]
Database=sampledb
Protocol=tcpip
Hostname=myhost
Servicename=50001
Security=ssl
SSLClientKeystoredb=/home/db2inst1/client.p12
SSLClientKeystash=/home/db2inst1/client.sth
Authentication=CERTIFICATE
SSLClientLabel=clientCert

Example 3: Connecting to a Db2 for z/OS database from a CLI/ODBC application, using a DSN file with the SQLDriverConnect function (CLI):

Use the FileDSN CLI/ODBC keyword to identify a DSN file from which the connection string is built for connecting to the Db2 server. You specify the value of FileDSN in the connection string that is passed to the SQLDriverConnect function.

The following example shows how the DSN file might be written:
[ODBC]
DRIVER=IBM DB2 ODBC DRIVER - DB2COPY1
UID=user1
PORT=50001
HOSTNAME=myhost
PROTOCOL=TCPIP
DATABASE=SAMPLEDB
SECURITY=SSL
SSLClientKeystoredb=/home/db2inst1/client.p12
SSLClientKeystash=/home/db2inst1/client.sth
Authentication=CERTIFICATE
SSLClientLabel=clientCert

Example 4: Connecting to a Db2 for z/OS database from a CLI/ODBC application or embedded SQL application, using the db2dsdriver.cfg configuration file.

The following example shows how the db2dsdriver.cfg configuration file might be written:
<dsn alias="sample" host="myhost.ibm.com" name="sample" port="50001">
   <parameter name="SSLClientKeystoredb" value="/home/db2inst1/client.p12"/>
   <parameter name="SSLClientKeystash" value="/home/db2inst1/client.sth"/>
   <parameter name="SecurityTransportMode" value="SSL"/>
   <parameter name="Authentication" value="CERTIFICATE"/>
   <parameter name="SSLClientLabel" value="clientCert"/>
</dsn>
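A preflight check for the db2cli.ini form shown in Example 2, added here as an example; it is not tooling from the page or from Db2. It parses one data source section and confirms that Security is SSL, that exactly one Authentication keyword is present and set to CERTIFICATE, and that SSLClientKeystoredb, SSLClientKeystash and SSLClientLabel are all set. The ini text it runs over is constructed for this example: [sampledb] matches Example 2, and [badsample] keeps a leftover Authentication=SERVER line from a password-based template, which the check rejects because the two Authentication lines contradict each other.

```shell
#!/usr/bin/env bash
# Added example (not from the page): consistency check of a db2cli.ini
# section for certificate authentication over TLS.
set -eu

# Print "key=value" lines of one [section] (keys lower-cased, whitespace trimmed).
ini_section() {
    # $1 = ini file, $2 = section name (case-insensitive)
    awk -v want="$2" '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { s = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", s)
                        insec = (tolower(s) == tolower(want)); next }
        insec && /=/  { k = $0; sub(/=.*/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
                        v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
                        print tolower(k) "=" v }' "$1"
}

# Print every value of a key from ini_section output, one per line.
ini_get() {
    # $1 = "key=value" lines, $2 = lower-case key
    printf '%s\n' "$1" | awk -v k="$2" 'index($0, k "=") == 1 { print substr($0, length(k) + 2) }'
}

# Return 0 when the section is usable for Authentication=CERTIFICATE; otherwise
# report each problem on stderr and return 1.
check_cert_auth() {
    local kv rc=0 sec auth n label keydb stash
    kv=$(ini_section "$1" "$2")
    [ -n "$kv" ] || { echo "[$2]: section not found in $1" >&2; return 1; }

    sec=$(ini_get "$kv" security | tr 'A-Z' 'a-z')
    [ "$sec" = ssl ] || { echo "[$2]: Security must be SSL (got '${sec:-unset}')" >&2; rc=1; }

    # Two Authentication lines (for example a stale SERVER plus CERTIFICATE) are rejected.
    auth=$(ini_get "$kv" authentication)
    n=$(printf '%s\n' "$auth" | grep -c . || true)
    if [ "$n" -ne 1 ] || [ "$(printf '%s' "$auth" | tr 'a-z' 'A-Z')" != CERTIFICATE ]; then
        echo "[$2]: exactly one Authentication=CERTIFICATE expected (found $n: $(printf '%s' "$auth" | tr '\n' ' '))" >&2
        rc=1
    fi

    label=$(ini_get "$kv" sslclientlabel)
    [ -n "$label" ] || { echo "[$2]: SSLClientLabel (label of the client certificate) is required" >&2; rc=1; }

    keydb=$(ini_get "$kv" sslclientkeystoredb)
    stash=$(ini_get "$kv" sslclientkeystash)
    [ -n "$keydb" ] || { echo "[$2]: SSLClientKeystoredb is required" >&2; rc=1; }
    [ -n "$stash" ] || { echo "[$2]: SSLClientKeystash is required (keeps the keystore password out of the ini file)" >&2; rc=1; }
    return $rc
}

# Constructed sample, not a real client's file: [sampledb] mirrors Example 2;
# [badsample] carries a leftover Authentication=SERVER line as well.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
[sampledb]
Database=sampledb
Protocol=tcpip
Hostname=myhost
Servicename=50001
Security=ssl
SSLClientKeystoredb=/home/db2inst1/client.p12
SSLClientKeystash=/home/db2inst1/client.sth
Authentication=CERTIFICATE
SSLClientLabel=clientCert

[badsample]
Database=sampledb
Protocol=tcpip
Hostname=myhost
Servicename=50001
Authentication=SERVER
Security=ssl
SSLClientKeystoredb=/home/db2inst1/client.p12
SSLClientKeystash=/home/db2inst1/client.sth
Authentication=CERTIFICATE
SSLClientLabel=clientCert
EOF

check_cert_auth "$SAMPLE_INI" sampledb && echo "[sampledb] is consistent"
check_cert_auth "$SAMPLE_INI" badsample || echo "[badsample] rejected (see messages above)"
```

Point it at the real file with `check_cert_auth "$HOME/sqllib/cfg/db2cli.ini" sampledb` (the path is the usual instance location, assumed here); it only reads the ini file, so it is safe to run on the client before the first connection attempt.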