Configuring the Db2 server for SSL
To implement SSL support for a Db2 server, you need to make sure that the TCP/IP SQL Listener service task of DDF is capable of listening to a secondary secure port for inbound SSL connections.
About this task
The TCP/IP Listener accepts regular (non-SSL) connections on the DRDA port, whereas the secure port accepts only SSL connections to provide secure communications with a partner. Clients are assured of getting the SSL protocol connections that they require.
The secure port is used only for accepting secure connections that use the SSL protocol. When the TCP/IP Listener accepts an inbound connection on the secure port, DDF invokes the SIOCTTLSCTL IOCTL service with TTLSi_Req_Type set to TTLS_QUERY_ONLY. It also retrieves the following AT-TLS policy information:
- Status of the connection. The status of a connection is either SECURE or NOT SECURE.
- Policy status of the connection. The IOCTL returns one of the following policy statuses:
  - If the IOCTL returns a policy status of TTLS_POL_NO_POLICY, no matching policy rule was found for the connection, and consequently the connection status is not secure.
  - If the IOCTL returns a policy status of TTLS_POL_NOT_ENABLED, a matching policy rule was found for the connection, but the policy is not configured to allow a secure connection for that client.
  - If the IOCTL returns a policy status of TTLS_POL_ENABLED, a matching policy rule was found, and SSL is enabled for the connection.
- Security type for the connection. The security type is either server authentication or server with client authentication (with ClientAuthType = SAFCheck).
- A RACF®-defined user ID that is associated with a client certificate. If a client certificate is provided by the client and validated by AT-TLS, and if a user ID is mapped to the certificate, the user ID is returned. Otherwise, the user ID is not returned.
If the secure port is not properly configured, DDF rejects any inbound connection request on it. You must then either change the client system to use the non-secure port, or configure the secure port correctly so that clients can access Db2 remotely over SSL.
Db2 uses the resync port only for transaction completion states after failures, so no user data or authentication protocols are ever exchanged on the resync port. You can enable SSL security for the resync port by defining a network policy on all Db2 requesters and Db2 servers.
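The following AT-TLS policy fragment is an added illustration, not part of this topic or of the Db2 product documentation, of a policy whose rule would make the IOCTL described above return TTLS_POL_ENABLED with a security type of server with client authentication (ClientAuthType = SAFCheck). The secure port number (448), the DDF job name (DB2ADIST), the key ring name (DB2KEYRING) and the rule and action names are all assumed values that must be replaced with the actual values for your installation, and the statement syntax should be checked against the z/OS Communications Server IP Configuration Reference before use.

```text
# Assumed AT-TLS policy fragment (Policy Agent configuration), not from the original topic.
# Matches inbound connections that arrive on the DDF secure port and enables SSL for them.
TTLSRule DB2SecurePortRule
{
  LocalPortRange            448           # assumed: the DDF secure port
  Jobname                   DB2ADIST      # assumed: the DDF address space name
  Direction                 Inbound       # DDF is the server side on this port
  Priority                  255
  TTLSGroupActionRef        DB2GroupAction
  TTLSEnvironmentActionRef  DB2ServerWithClientAuth
}

# TTLSEnabled On is what moves the policy status from TTLS_POL_NOT_ENABLED
# to TTLS_POL_ENABLED for connections that match the rule above.
TTLSGroupAction DB2GroupAction
{
  TTLSEnabled               On
}

# ServerWithClientAuth plus ClientAuthType SAFCheck yields the security type
# "server with client authentication": AT-TLS validates the client certificate
# and returns the RACF user ID mapped to it, if one is defined.
TTLSEnvironmentAction DB2ServerWithClientAuth
{
  HandshakeRole             ServerWithClientAuth
  TTLSKeyringParms
  {
    Keyring                 DB2KEYRING    # assumed: key ring holding the server certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    ClientAuthType          SAFCheck
  }
}
```

With HandshakeRole set to Server instead of ServerWithClientAuth, the same rule yields the plain server security type, and no user ID is returned by the IOCTL.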
Procedure
To specify a secure port to Db2, use one of the following approaches: