Enabling SSL connectivity to managed databases (LUW)

IBM® Data Server Manager (DSM) can connect to managed databases over SSL if SSL is configured on the managed database. This topic covers Db2 for Linux, UNIX, and Windows (LUW) databases.

About this task

This procedure assumes the following prerequisites are in place:
  • SSL is set up and configured on the Db2® database that you will be monitoring with DSM. For more details, see Configuring Secure Sockets Layer (SSL) support in a DB2 instance.
  • The server certificate has been extracted from the Db2 server and imported into a truststore on the DSM server. DSM uses Java Database Connectivity (JDBC) to connect to the databases, so the same steps apply to connecting any other JDBC client to the SSL-configured database. You can use the keytool utility from the Java Runtime Environment (JRE) that is shipped with DSM to create the truststore. For more details, see Configuring the Java Runtime Environment to use SSL.

Configuring the database connection on Data Server Manager

  1. Log in to DSM.
  2. Go to Product Setup > Database Connections.
  3. Add (or edit) your database connection information, paying special attention to these four fields:
    Table 1. Connection fields that differ for an SSL connection
    Field                  Value
    Port number            The SSL port configured on the Db2 server (database manager configuration parameter SSL_SVCENAME), not the plain-text SVCENAME port.
    JDBC Security          Select "SSL connectivity" from the drop-down list. When it is selected, the truststore fields appear.
    Truststore location    The fully qualified path to the truststore file that you created or updated with the keytool utility.
    Truststore password    The password for the truststore (the password you entered in the keytool utility).
  4. Click Test connection.
  5. Save your connection profile.

Example

In this part of the example, we are logged into the Db2 server, testbox1, as the instance owner, db2inst1.

Procedure

  1. Create the key database:
    sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "myfooserver.kdb" -pw "xxxxxxxx" -stash
  2. Create the self-signed digital certificate in the key database (-stashed reads the key database password from the stash file created in step 1):
    sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "myfooserver.kdb" -label "testselfsigned" -dn "CN=testbox1.svl.ibm.com" -stashed
    By default, gsk8capicmd_64 signs the certificate with the SHA1WithRSA signature algorithm. To use a different algorithm, add the -sigalg option when you create the certificate. For example:
    -sigalg SHA256
    Note: Starting with DSM v2.1.4, DSM disables the weak SHA1 algorithm, so a SHA1-signed server certificate will not be accepted. To ensure that the SSL connection from DSM to the database can be established, use -sigalg to generate the certificate with a stronger signature algorithm such as SHA256.
  3. Extract the certificate that clients will use:
    sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "myfooserver.kdb" -stashed -label "testselfsigned" -target "myfooserver.arm" -format ascii
    Note: DSM v2.1.4 and later also require TLS 1.2. On the Db2 instance, set the SSL_VERSIONS database manager configuration parameter to TLSv12 (db2 update dbm cfg using SSL_VERSIONS TLSv12) and restart the instance so that the change takes effect; otherwise the SSL connection from DSM to the database cannot be established.
  4. Copy the extracted certificate file, myfooserver.arm, to the DSM server machine.

    In this part of the example, we are working on the DSM machine, logged in as a user with the privileges needed to run the commands (for example, the DSM owner user).

  5. Run the keytool utility to import the certificate into the truststore. In this example, the logged-in user is tttuser and we have created a directory named SSL for the files. We are using the keytool utility that comes with the DSM Java Runtime Environment (JRE).
    <dsminstalldir>/ibm-datasrvrmgr/java/jre/bin/keytool -import -file ./myfooserver.arm -keystore mydsmclientkeystore.jks
    1. Enter a new password when prompted for the keystore password.
    2. Enter it again when prompted to re-enter the password.
    3. Enter yes when prompted to trust this certificate.

    Now you can use the DSM console to configure the connectivity, as described above.
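Before importing myfooserver.arm into the truststore, it is worth checking that the certificate is not SHA1-signed (DSM v2.1.4 and later reject it) and that the SSL_SVCENAME port actually negotiates TLS 1.2. The following pre-flight script is an added example, not IBM's or DSM's code: it walks the outer DER structure of the .arm file to report Certificate.signatureAlgorithm, and builds a TLS 1.2-only client context for probing the port. The two embedded certificates are constructed stubs with a valid outer layout but no real key or signature, so the parser can be exercised offline; pass a real .arm path on the command line to check your own server.

```python
"""Pre-flight checks for a Db2 server certificate (.arm) before importing it into the DSM truststore.

Added example, not IBM code. Works on a real myfooserver.arm; the stubs built
below are constructed stand-ins (valid outer X.509 layout, empty body) used
only so the checks run without a Db2 server.
"""
import base64
import socket
import ssl
import sys

# Signature algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}
WEAK_SIG_ALGS = {"sha1WithRSAEncryption"}


def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _oid_to_str(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    parts, val = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def pem_to_der(pem_text):
    """Strip the BEGIN/END lines of an ascii-format .arm file and base64-decode it."""
    body = "".join(l.strip() for l in pem_text.splitlines() if l.strip() and not l.startswith("-----"))
    return base64.b64decode(body)


def signature_algorithm(der):
    """Return (oid, name) of Certificate.signatureAlgorithm, the algorithm GSKit -sigalg selected."""
    tag, start, _ = _tlv(der, 0)                   # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(der, start)               # tbsCertificate: skipped entirely
    tag, alg_start, _ = _tlv(der, tbs_end)         # signatureAlgorithm ::= AlgorithmIdentifier
    assert tag == 0x30, "signatureAlgorithm is not a SEQUENCE"
    tag, oid_start, oid_end = _tlv(der, alg_start)  # algorithm OBJECT IDENTIFIER
    assert tag == 0x06, "expected an OID"
    oid = _oid_to_str(der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def check_arm_for_dsm(pem_text):
    """(acceptable, algorithm name): False for SHA1 or for anything this script cannot identify."""
    _, name = signature_algorithm(pem_to_der(pem_text))
    return name not in WEAK_SIG_ALGS and name != "unknown", name


def tls12_client_context(cafile=None):
    """Client context that refuses anything below TLS 1.2 and trusts only the extracted .arm."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # verify_mode=CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    return ctx


def probe_ssl_port(host, port, cafile):
    """Handshake with the SSL_SVCENAME port; raises if the server cannot do TLS 1.2 or the cert/CN mismatch."""
    with socket.create_connection((host, port), timeout=5) as sock:
        with tls12_client_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")


# --- constructed stub certificates (assumption: used only to exercise the parser offline) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def build_stub_cert(sig_oid_bytes):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")))              # tbsCertificate with version only
    alg = _der(0x30, _der(0x06, sig_oid_bytes) + _der(0x05, b""))  # AlgorithmIdentifier {oid, NULL}
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 9))          # BIT STRING placeholder signature


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + "\n-----END CERTIFICATE-----\n"


SHA1_STUB_ARM = to_pem(build_stub_cert(bytes.fromhex("2a864886f70d010105")))    # sha1WithRSAEncryption
SHA256_STUB_ARM = to_pem(build_stub_cert(bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption

if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else SHA256_STUB_ARM
    ok, name = check_arm_for_dsm(pem)
    print(f"{name}: {'acceptable for DSM v2.1.4+' if ok else 'regenerate the certificate with -sigalg SHA256'}")
```

Run it as `python3 check_arm.py /path/to/myfooserver.arm` on the DSM machine before the keytool import; a SHA1 result means going back to step 2 and recreating the certificate with -sigalg. probe_ssl_port(host, SSL_SVCENAME port, arm path) is the live counterpart: it only succeeds when the instance negotiates TLS 1.2 and the certificate CN matches the host name you will enter in DSM, which is exactly what the DSM JRE will require.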