Configuring the Db2 server for SSL

To implement SSL support for a Db2 server, you need to make sure that the TCP/IP SQL Listener service task of DDF is capable of listening to a secondary secure port for inbound SSL connections.

About this task

The TCP/IP Listener accepts regular (non-SSL) connections on the DRDA port, whereas the secure port accepts only SSL connections to provide secure communications with a partner. Clients are assured of getting the SSL protocol connections that they require.

The secure port is used only for accepting secure connections that use the SSL protocol. When the TCP/IP Listener accepts an inbound connection on the secure port, DDF invokes the SIOCTTLSCTL IOCTL service with TTLSi_Req_Type set to TTLS_QUERY_ONLY. It also retrieves the following AT-TLS policy information:

  • Status of the connection. The status of a connection is either SECURE or NOT SECURE.
  • Policy status of the connection. The IOCTL returns one of the following policy statuses:
    • If the IOCTL returns a policy status of TTLS_POL_NO_POLICY, a matching policy rule is not found for the connection and subsequently the connection status is not secure.
    • If the IOCTL returns a policy status of TTLS_POL_NOT_ENABLED, a matching policy rule is found for the connection but the policy is not configured to allow a secure connection for that client.
    • If the IOCTL returns a policy status of TTLS_POL_ENABLED, a matching policy rule is found, and SSL is enabled for the connection.
  • Security type for the connection. The security type is either server or server with client authentication (ClientAuthType = SAFCheck).
  • A RACF®-defined user ID that is associated with a client certificate. If a client certificate is provided by the client and validated by AT-TLS, and if a user ID is mapped to the certificate, the user ID is returned. Otherwise, the user ID is not returned.

If a secure port is not properly configured, DDF rejects inbound connection requests on the secure port. In that case, either change the client system to use the non-secure port, or configure the secure port so that Db2 can be accessed remotely over it.

Db2 uses the resync port only for transaction completion states after failures, so no user data or authentication protocols are ever exchanged on the resync port. You can enable SSL security for the resync port by defining a network policy on all Db2 requesters and Db2 servers.

Procedure

To specify a secure port to Db2, use one of the following approaches:

  • Specify the TCP/IP port number in the SECURE PORT field of Distributed Data Facility Panel 1 (DSNTIPR) during Db2 installation.

    The SECURE PORT field specifies the port number that is to be used for accepting TCP/IP connection requests from remote DRDA clients that want to establish a secure connection using the SSL protocol. The value of the secure port number is a decimal number in the range 1–65534, and it cannot have the same value as the RESYNC PORT field. If the SECURE PORT field has the same value as the TCP/IP PORT field, the TCP/IP port accepts only secure TCP/IP connection requests. Any non-zero port numbers are verified to ensure that they are all unique port numbers. If an error is detected, installation is not allowed to proceed until you resolve the error condition. If the DRDA SECURE PORT field is blank, SSL verification support is disabled, and the Db2 TCP/IP SQL Listener does not accept any inbound SSL connections on the secure port.

  • Update the SECPORT parameter of the DDF statement in the BSDS with the change log inventory (DSNJU003) stand-alone utility.

    The SECPORT parameter specifies the port number on which the Db2 TCP/IP SQL Listener accepts inbound SSL connections. The value of the port number is a decimal number from 0 to 65535. If the value of SECPORT is the same as the value of RESPORT, Db2 issues an error message. If you specify a value of 0 for the SECPORT parameter, SSL verification support is disabled, and the Db2 TCP/IP SQL Listener does not accept any inbound SSL connections on the secure port.

    If SECPORT is disabled, the client can still connect to the DRDA port and use SSL on it, but Db2 does not validate whether the connection actually uses the SSL protocol.
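Setting SECPORT by either approach only tells DDF which port to treat as secure; whether the SIOCTTLSCTL query described above returns TTLS_POL_NO_POLICY, TTLS_POL_NOT_ENABLED, or TTLS_POL_ENABLED is decided by the AT-TLS policy that Policy Agent applies to that port. The following AT-TLS policy fragment is an added example, not taken from this page or from IBM's shipped samples; the port numbers (448 for the secure port, 5002 for the resync port), the DDF job name DB2ADIST, and the key ring name DB2SSLKEYRING are assumptions to replace with your own values.

```conf
# Assumed: SECPORT=448 and RESPORT=5002 in the BSDS DDF statement,
# DDF address space job name DB2ADIST, server key ring DB2SSLKEYRING.

# Rule for the Db2 secure port. Without a matching rule DDF sees
# TTLS_POL_NO_POLICY and rejects the inbound connection.
TTLSRule                     DB2SecurePort
{
   LocalPortRange            448
   Jobname                   DB2ADIST
   Direction                 Inbound
   Priority                  255
   TTLSGroupActionRef        DB2GroupOn
   TTLSEnvironmentActionRef  DB2ServerClientAuth
}

# Rule for the resync port (only transaction-completion traffic, no
# user data or authentication), protected as plain server SSL.
TTLSRule                     DB2ResyncPort
{
   LocalPortRange            5002
   Jobname                   DB2ADIST
   Direction                 Inbound
   Priority                  254
   TTLSGroupActionRef        DB2GroupOn
   TTLSEnvironmentActionRef  DB2ServerOnly
}

# TTLSEnabled On yields TTLS_POL_ENABLED; a rule that matches but
# references a group action with TTLSEnabled Off yields
# TTLS_POL_NOT_ENABLED, and DDF rejects the connection.
TTLSGroupAction              DB2GroupOn
{
   TTLSEnabled               On
}

# Server with client authentication: SAFCheck makes AT-TLS validate
# the client certificate and map it to a RACF user ID, which DDF
# receives from the IOCTL as described in this topic.
TTLSEnvironmentAction        DB2ServerClientAuth
{
   HandshakeRole             ServerWithClientAuth
   TTLSKeyringParms          { Keyring DB2SSLKEYRING }
   TTLSEnvironmentAdvancedParms { ClientAuthType SAFCheck }
}

# Server-only authentication for the resync port.
TTLSEnvironmentAction        DB2ServerOnly
{
   HandshakeRole             Server
   TTLSKeyringParms          { Keyring DB2SSLKEYRING }
}
```

Because DDF queries AT-TLS with TTLS_QUERY_ONLY, the rule must match on the listener side (Direction Inbound, the DDF job name, and the exact SECPORT value); a rule keyed to the DRDA port alone does not make the secure port usable.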

What to do next

Data sharing environments: In a data sharing environment, each Db2 member with SSL support must specify a secure port. The secure port for each Db2 member of the group should be the same, just as the DRDA port for each member should also be the same. If each Db2 member specifies a unique secure port, unpredictable behaviors might occur. For example, Sysplex member workload balancing might not work correctly.

Similarly, for Db2 members that are defined as a subset of the data sharing group, each Db2 member that belongs to the subset needs to configure the secure port. You do not need to define a separate unique secure port for the location alias.