In this scenario, you can configure an IBM® MQ Managed File Transfer (MFT) Db2® database logger to connect to a Db2 database by using TLS. This process establishes secure communication between the MFT database logger and the Db2 database.
Procedure
- Prepare the truststore TLS certificate and the keystore TLS certificate in the Public Key
Cryptography Standards #12 (PKCS12) format. Save these certificate files as
trust.p12 and key.p12 in the following directory:
/var/mqm/mqft/config/QM1/loggers/LOGGER0/.
- Create the jcc.properties file in the
/var/mqm/mqft/config/QM1/loggers/LOGGER0/ directory. Add the following properties to the
Db2 JCC properties file:
# SSL/TLS Section
db2.jcc.sslConnection=true
db2.jcc.sslTrustStoreLocation=/var/mqm/mqft/config/QM1/loggers/LOGGER0/trust.p12
db2.jcc.sslTrustStorePassword=YourTrustStorePassword
db2.jcc.sslKeyStoreLocation=/var/mqm/mqft/config/QM1/loggers/LOGGER0/key.p12
db2.jcc.sslKeyStorePassword=YourKeyStorePassword
db2.jcc.sslKeyStoreType=pkcs12
- Set correct permissions to secure the jcc.properties file, the
trust.p12 certificate file, and the key.p12 certificate
file by using the following commands:
chmod 600 /var/mqm/mqft/config/QM1/loggers/LOGGER0/trust.p12
chown mqm:mqm /var/mqm/mqft/config/QM1/loggers/LOGGER0/trust.p12
chmod 600 /var/mqm/mqft/config/QM1/loggers/LOGGER0/key.p12
chown mqm:mqm /var/mqm/mqft/config/QM1/loggers/LOGGER0/key.p12
chmod 600 /var/mqm/mqft/config/QM1/loggers/LOGGER0/jcc.properties
chown mqm:mqm /var/mqm/mqft/config/QM1/loggers/LOGGER0/jcc.properties
- Configure the JVM properties by setting the MFT BFG_JVM_PROPERTIES
environment variable to include the Db2 JCC
properties file:
BFG_JVM_PROPERTIES="-Ddb2.jcc.propertiesFile=/var/mqm/mqft/config/QM1/loggers/LOGGER0/jcc.properties"
export BFG_JVM_PROPERTIES
- Restart the MFT logger to apply the
configuration.
- Verify the configuration by checking the MFT logger logs for any SSL/TLS connection errors and
confirm that the connection to the Db2 database is
established by using TLS.
Note: You can further customize the SSL/TLS configuration by adding more properties to the
jcc.properties file as needed. For production environments, you need to make
sure that your TLS certificates are securely managed.
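
The following pre-flight script checks the files, permissions and environment variable from the procedure before the logger is restarted. It is an added example, not part of the IBM documentation; the function names (prop, locked_down, check_jcc_tls, bad) and the optional owner and group arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for the Db2 TLS files used by an MFT logger.

# Print the value of key $1 from properties file $2 (last definition wins).
prop() {
    awk -v k="$1" '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        { i = index($0, "="); if (i == 0) next
          key = substr($0, 1, i - 1); gsub(/[ \t]/, "", key)
          if (key == k) { val = substr($0, i + 1); sub(/^[ \t]+/, "", val) } }
        END { print val }' "$2"
}

# True when $1 is a regular file, mode exactly 600, owned by user $2, group $3.
locked_down() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm 600 -user "$2" -group "$3" 2>/dev/null)" ]
}

# Report a failed check on stderr and remember it in rc.
bad() { echo "FAIL: $*" >&2; rc=1; }

# check_jcc_tls PROPS_FILE [OWNER] [GROUP]; returns 0 only if every check passes.
check_jcc_tls() {
    props=$1; owner=${2:-mqm}; group=${3:-mqm}; rc=0
    [ -f "$props" ] || { bad "$props not found"; return 1; }
    locked_down "$props" "$owner" "$group" || bad "$props is not mode 600 $owner:$group"
    [ "$(prop db2.jcc.sslConnection "$props")" = "true" ] || bad "db2.jcc.sslConnection is not true"
    for kind in TrustStore KeyStore; do
        store=$(prop "db2.jcc.ssl${kind}Location" "$props")
        if [ -z "$store" ]; then
            bad "db2.jcc.ssl${kind}Location is not set"
        elif ! locked_down "$store" "$owner" "$group"; then
            bad "$store is missing or not mode 600 $owner:$group"
        fi
        # Never echo the password itself; only flag empty or sample values.
        case $(prop "db2.jcc.ssl${kind}Password" "$props") in
            ''|"Your${kind}Password") bad "db2.jcc.ssl${kind}Password is empty or the sample value" ;;
        esac
    done
    # The logger's JVM is pointed at the properties file through this variable.
    case ${BFG_JVM_PROPERTIES:-} in
        *"-Ddb2.jcc.propertiesFile=$props"*) ;;
        *) bad "BFG_JVM_PROPERTIES does not reference $props" ;;
    esac
    return "$rc"
}

# When the script is given arguments, run the check with them.
if [ "$#" -gt 0 ]; then check_jcc_tls "$@"; fi
```

Run it in the shell that exports BFG_JVM_PROPERTIES, passing the path of the jcc.properties file as the first argument; each failed check is reported on stderr without printing any password.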