IBM Support

75 ways to demystify DB2 #63: Techtip :Steps to configure SSL connection from DB2 Client CLP

Technical Blog Post


Body

Hi there!

Recently I had an opportunity to implement an SSL connection from the DB2 client's CLP. The DB2 server was already set up with SSL. I just wanted to share the steps I followed to implement SSL connectivity successfully from the client side:

1> Set LD_LIBRARY_PATH, PATH and LIBPATH to point to the GSKit libraries (present at $INSTHOME/sqllib/lib64/gskit) and to the tools needed to add the SSL certificate (present at $INSTHOME/sqllib/gskit/bin)


[db2v10@ts-jkgera new]$ echo $LD_LIBRARY_PATH
/home/db2v10/sqllib/lib64/gskit:/home/db2v10/sqllib/gskit/bin:/home/db2v10/sqllib/lib64:/home/db2v10/sqllib/lib32


[db2v10@ts-jkgera new]$ echo $PATH
/home/db2v10/sqllib/lib64/gskit:/home/db2v10/sqllib/gskit/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/db2v10/sqllib/bin:/home/db2v10/sqllib/adm:/home/db2v10/sqllib/misc:/home/db2v10/sqllib/db2tss/bin:/home/db2v10/bin


[db2v10@ts-jkgera new]$ echo $LIBPATH
/home/db2v10/sqllib/lib64/gskit:/home/db2v10/sqllib/gskit/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/home/db2v10/sqllib/bin:/home/db2v10/sqllib/adm:/home/db2v10/sqllib/misc:/home/db2v10/sqllib/db2tss/bin:/home/db2v10/bin

2> Use the GSKCapiCmd tool to create a key database


[db2v10@ts-jkgera new]$ ls -la
total 24
drwxrwxr-x 2 db2v10 db2v10 4096 Sep 24 22:12 .
drwxrwxr-x 3 db2v10 db2v10 4096 Sep 24 22:07 ..
-rw-rw-r-- 1 db2v10 db2v10 1814 Sep 24 22:10 ehaasp-430-mastermanager.cert

Here ehaasp-430-mastermanager.cert is my SSL certificate, which I got after setting up SSL on the DB2 server.

[db2v10@ts-jkgera new]$ gsk8capicmd_64 -keydb -create -db "keyclient.kdb" -pw "ibm654321" -stash

This command creates the key database and its companion files shown below. The .sth stash file holds the obfuscated key database password, which is why these files are created with owner-only (rw-------) permissions and should stay that way.

[db2v10@ts-jkgera new]$ ls -lttr
total 40
-rw-rw-r-- 1 db2v10 db2v10 1814 Sep 24 22:10 ehaasp-430-mastermanager.cert
-rw------- 1 db2v10 db2v10  129 Sep 24 22:13 keyclient.sth
-rw------- 1 db2v10 db2v10   88 Sep 24 22:13 keyclient.rdb
-rw------- 1 db2v10 db2v10   88 Sep 24 22:13 keyclient.kdb
-rw------- 1 db2v10 db2v10   88 Sep 24 22:13 keyclient.crl

3> Add the signer certificate ehaasp-430-mastermanager.cert to the client key database keyclient.kdb


[db2v10@ts-jkgera new]$ gsk8capicmd_64 -cert -add -db "keyclient.kdb" -pw "ibm654321" -label "SSLLableClt" -file ehaasp-430-mastermanager.cert -format ascii -fips
[db2v10@ts-jkgera new]$

4> Update the ssl_clnt_keydb and ssl_clnt_stash database manager configuration parameters to point to the client key database and the stash file


[db2v10@ts-jkgera new]$ db2 update dbm cfg using SSL_CLNT_KEYDB /home/db2v10/swati/new/keyclient.kdb
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.


[db2v10@ts-jkgera new]$ db2 update dbm cfg using SSL_CLNT_STASH /home/db2v10/swati/new/keyclient.sth
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
successfully.

5> Catalog the remote node with SECURITY SSL, then catalog the remote database at that node

[db2v10@ts-jkgera new]$ db2 catalog TCPIP NODE BIGSQL  REMOTE  <IP_address_of_server>  SERVER 51000  SECURITY SSL
DB20000I  The CATALOG TCPIP NODE command completed successfully.
DB21056W  Directory changes may not be effective until the directory cache is
refreshed.

[db2v10@ts-jkgera new]$ db2 catalog DATABASE BIGSQL  AS BIGSQL  AT NODE BIGSQL
DB20000I  The CATALOG DATABASE command completed successfully.
DB21056W  Directory changes may not be effective until the directory cache is
refreshed.

[db2v10@ts-jkgera new]$ db2 terminate
DB20000I  The TERMINATE command completed successfully.

6> Connect to the remote database

[db2v10@ts-jkgera new]$ db2 connect to BIGSQL user **** using ****

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.6.3
 SQL authorization ID   = *****

 Local database alias   = *****

---

And this is the Yay! moment: you have successfully created an SSL connection to the remote server!
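The six steps above collected into reusable POSIX shell functions, as an added example that is not code from the original post. It adds the checks a practitioner would want: the key database password is prompted for instead of being passed on the command line, the signer label is verified after the add, and the key database and stash file are checked to be owner-only. It assumes the GSKit tools are on PATH, the DB2 instance profile is sourced, that gsk8capicmd_64 accepts -stashed in place of -pw once a stash file exists, and that all paths, node names and labels are placeholders.

```shell
# Added example (not from the original post): the client-side steps as reusable
# POSIX shell functions plus the checks a practitioner wants before trusting the
# setup. Assumes GSKit tools are on PATH and the DB2 instance profile is sourced.

# Step 1: the two GSKit directories that must be on LD_LIBRARY_PATH/PATH/LIBPATH.
gskit_dirs_for() {             # $1 = instance home, e.g. /home/db2v10
    printf '%s\n' "$1/sqllib/lib64/gskit:$1/sqllib/gskit/bin"
}

# True if directory $2 is an element of the ':'-separated list $1.
path_contains() {
    case ":$1:" in *":$2:"*) return 0 ;; esac
    return 1
}

# The .kdb holds the trust store and the .sth holds the obfuscated password, so
# refuse anything group- or world-readable (the post shows them created as 0600).
is_private_file() {            # $1 = file
    [ -f "$1" ] || return 1
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$mode" in 600|400) return 0 ;; esac
    return 1
}

# Steps 2 and 3: create the key database, add the server's signer certificate,
# then verify that the label is really present and the files stayed private.
create_client_keydb() {        # $1 = keydb path, $2 = signer cert, $3 = label
    keydb=$1; cert=$2; label=$3
    [ -r "$cert" ] || { echo "signer cert $cert not readable" >&2; return 1; }
    # Prompt for the password instead of putting it on the command line, where
    # the original post's "-pw ibm654321" is visible in ps output and shell history.
    printf 'Key database password: ' >&2
    stty -echo; read -r pw; stty echo; echo >&2
    gsk8capicmd_64 -keydb -create -db "$keydb" -pw "$pw" -stash || return 1
    unset pw   # later calls use the stash file (-stashed) instead of the password
    gsk8capicmd_64 -cert -add -db "$keydb" -stashed -label "$label" \
        -file "$cert" -format ascii -fips || return 1
    gsk8capicmd_64 -cert -list -db "$keydb" -stashed | grep -q -- "$label" || return 1
    is_private_file "$keydb" && is_private_file "${keydb%.kdb}.sth"
}

# Steps 4 and 5: point the client at the key database and catalog the node as SSL.
configure_db2_client() {       # $1 = keydb, $2 = node, $3 = host, $4 = port, $5 = db
    db2 update dbm cfg using SSL_CLNT_KEYDB "$1" &&
    db2 update dbm cfg using SSL_CLNT_STASH "${1%.kdb}.sth" &&
    db2 catalog tcpip node "$2" remote "$3" server "$4" security ssl &&
    db2 catalog database "$5" at node "$2" &&
    db2 terminate
}
```

Typical use is `create_client_keydb /home/db2v10/new/keyclient.kdb server.cert SSLClientSigner` followed by `configure_db2_client /home/db2v10/new/keyclient.kdb BIGSQL <IP_address_of_server> 51000 BIGSQL`, then `db2 connect` as in step 6.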

These documents are good references for this task:

Configuring Secure Sockets Layer (SSL) support in non-Java DB2 clients

Secure Sockets Layer (SSL) support in DB2 for Linux, UNIX, and Windows

Please let me know if you have any questions.

Thanks,

-Swati Thorve
