Enabling SSL support for Db2
You can enable Secure Socket Layer (SSL) support for Db2® to secure the communication between the Db2 database and the License Key Server Administration and Reporting Tool.
Procedure
- Open the Db2 command line processor with administrator privilege on the Windows operating system, or switch to the Db2 instance user on the UNIX (such as Linux) operating system.

- Set the ssl_svr_keydb configuration parameter to the fully qualified path of the key database file with the following command:
  update dbm cfg using SSL_SVR_KEYDB <fully qualified path of key database file>
  For example, on the Windows operating system:
  - update dbm cfg using SSL_SVR_KEYDB "C:\Program Files\ibm\gsk8\bin\mydbserver.kdb"
  On the UNIX (such as Linux) operating system, the key database file is located under:
  - /home/<DB2 instance name>/sqllib/gskit/bin
  You cannot enable the Secure Socket Layer (SSL) support if the ssl_svr_keydb configuration parameter is NULL (not set).
- Set the ssl_svr_stash configuration parameter to the fully qualified path of the stash file with the following command:
  update dbm cfg using SSL_SVR_STASH <fully qualified path of the stash file>
  For example, on the Windows operating system:
  - update dbm cfg using SSL_SVR_STASH "C:\Program Files\ibm\gsk8\bin\mydbserver.sth"
  On the UNIX (such as Linux) operating system:
  - db2 update dbm cfg using SSL_SVR_STASH "/home/rcldb2i1/sqllib/gskit/bin/mydbserver.sth"
  You cannot enable the SSL support if the ssl_svr_stash configuration parameter is NULL (not set).
- Set the ssl_svr_label configuration parameter to the digital certificate label of the server with the following command:
  update dbm cfg using SSL_SVR_LABEL <label>
  For example:
  - update dbm cfg using SSL_SVR_LABEL myselfsigned
  - db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
  Important: If the ssl_svr_label configuration parameter is not set, the default certificate in the key database is used. You cannot enable the SSL support if there is no default certificate in the key database.
- Set the ssl_svcename configuration parameter to the port number that the Db2 database uses for SSL connections with the following command:
  update dbm cfg using ssl_svcename <SSL port number>
  For example:
  - update dbm cfg using ssl_svcename 50001
  - db2 update dbm cfg using ssl_svcename 50001
  Important:
  - If you enable both TCP/IP and SSL connections (the DB2COMM registry variable is set to TCPIP,SSL), you must set the ssl_svcename configuration parameter to a different port number than the one the svcename configuration parameter is set to. The svcename configuration parameter sets the port number that the Db2 database system uses for TCP/IP connections. If you set the ssl_svcename configuration parameter to the same port number as the svcename configuration parameter, neither the TCP/IP nor the SSL connection is enabled.
  - You cannot enable the SSL support if the ssl_svcename configuration parameter is NULL (not set).
- Add the value SSL to the DB2COMM registry variable. To add the SSL value to the DB2COMM registry variable, perform the following steps:
  - On the Windows operating system, click Start, select Run, and type db2cmd to open the Db2 command prompt.
  - Go to the Db2 installation location and set the DB2COMM registry variable to SSL or SSL,TCPIP with one of the following commands, where rcldb2i1 is the Db2 instance name:
    - SSL only:
      db2set -i rcldb2i1 DB2COMM=SSL
    - Both TCP/IP and SSL:
      db2set -i rcldb2i1 DB2COMM=SSL,TCPIP
  Important:
  - When the DB2COMM registry variable is set to TCPIP,SSL and the TCP/IP support is not properly enabled (for example, because the svcename configuration parameter is set to NULL), Db2 generates the error SQL5043N and does not enable the SSL support. Verify the configuration with the db2 get dbm cfg command and update the svcename configuration parameter with the following command:
    update dbm cfg using svcename <service_name>
    For example: update dbm cfg using svcename rcldb2i1
  - Make sure that the services file contains the svcename configuration parameter and its TCP/IP port number. If not, add it manually as one line of the form <service_name> <port>/tcp, for example:
    rcldb2i1 41000/tcp
- Restart the Db2 instance. On the Windows operating system, first click Start, select Run, and type db2cmd to open the Db2 command prompt.
  - To stop the database, use one of the following commands:
    - db2stop
    - db2stop force
  - To start the database, use the following command:
    - db2start
Tip:
- If you get the following message when Db2 restarts, the SSL support is not enabled:
  01/25/2017 10:59:55 0 0 SQL5043N Support for one or more communications protocol specified in the DB2COMM environment variable failed to start successfully. However, core database manager functionality started successfully.
- To troubleshoot this message, perform one of the following steps:
  - Run the db2set -all command and check whether the DB2COMM variable is set properly.
  - Check the error message in the db2diag.log file. The default location of the db2diag.log file depends on your operating system:
    - Windows: C:\ProgramData\IBM\DB2\<DB2 copy name>\DB2
    - UNIX (such as Linux): /home/<DB2 instance name>/sqllib/db2dump
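The rules stated above (ssl_svr_keydb, ssl_svr_stash and ssl_svcename must not be NULL; with TCPIP,SSL the svcename must be set, present in the services file and on a different port than ssl_svcename; DB2COMM must contain SSL) can be checked before restarting the instance. The following POSIX shell script is an added example and is not part of this IBM page or of Db2. It assumes that db2 get dbm cfg prints each parameter as "... (PARAM) = value" (label format is an assumption); the instance name rcldb2i1, the ports, the paths and the services file excerpt are constructed samples.

```shell
#!/bin/sh
# Added example, not from the IBM page: offline pre-flight check of the Db2 SSL
# settings described in the procedure. It parses text shaped like "db2 get dbm cfg"
# output plus a services-file excerpt; both samples are constructed.

# Constructed sample of the relevant "db2 get dbm cfg" lines (instance rcldb2i1 is hypothetical).
SAMPLE_CFG='
 TCP/IP Service name                          (SVCENAME) = rcldb2i1
 SSL service name                         (SSL_SVCENAME) = 50001
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/rcldb2i1/sqllib/gskit/bin/mydbserver.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/rcldb2i1/sqllib/gskit/bin/mydbserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = myselfsigned
'

# Constructed excerpt of the services file: the svcename resolves to 41000/tcp.
SAMPLE_SERVICES='
rcldb2i1        41000/tcp
'

# cfg_value <cfg-text> <PARAM>: print the value shown after "(PARAM) =", empty if unset.
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/.*(${2}) *= *//p" | sed 's/[[:space:]]*$//' | head -n 1
}

# svc_port <services-text> <service_name>: print the TCP port for service_name, empty if absent.
svc_port() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n && $2 ~ /\/tcp$/ { sub(/\/tcp$/, "", $2); print $2; exit }'
}

# check_ssl_cfg <cfg-text> <services-text> <DB2COMM>: print one line per problem found and
# return 1 if a rule from the procedure is violated, 0 if SSL can be enabled.
check_ssl_cfg() {
    cfg=$1; services=$2; db2comm=$3; rc=0

    # DB2COMM must contain SSL for the SSL listener to be started at all.
    case ",$db2comm," in
        *,SSL,*) ;;
        *) echo "DB2COMM=$db2comm does not include SSL"; rc=1 ;;
    esac

    # ssl_svr_keydb, ssl_svr_stash and ssl_svcename must not be NULL.
    for p in SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVCENAME; do
        if [ -z "$(cfg_value "$cfg" "$p")" ]; then
            echo "$p is NULL (not set): SSL support cannot be enabled"; rc=1
        fi
    done

    # ssl_svr_label may be empty, but then the key database needs a default certificate.
    if [ -z "$(cfg_value "$cfg" SSL_SVR_LABEL)" ]; then
        echo "SSL_SVR_LABEL is not set: the default certificate in the key database will be used"
    fi

    # With TCPIP also enabled, svcename must be set, resolvable and on a different port.
    case ",$db2comm," in
        *,TCPIP,*)
            svc=$(cfg_value "$cfg" SVCENAME)
            if [ -z "$svc" ]; then
                echo "SVCENAME is NULL while TCPIP is in DB2COMM: expect SQL5043N"; rc=1
                return $rc
            fi
            case $svc in
                *[!0-9]*) tcp_port=$(svc_port "$services" "$svc") ;;   # service name: look it up
                *)        tcp_port=$svc ;;                              # numeric port given directly
            esac
            if [ -z "$tcp_port" ]; then
                echo "services file has no '$svc <port>/tcp' entry"; rc=1
            elif [ "$tcp_port" = "$(cfg_value "$cfg" SSL_SVCENAME)" ]; then
                echo "SSL_SVCENAME and SVCENAME both use port $tcp_port: neither protocol will be enabled"; rc=1
            fi
            ;;
    esac
    return $rc
}

# Run against the constructed samples with DB2COMM=SSL,TCPIP: no problems are reported.
if check_ssl_cfg "$SAMPLE_CFG" "$SAMPLE_SERVICES" SSL,TCPIP; then
    echo "SSL configuration checks passed"
fi
```

To use it on a real instance, replace the two samples with the output of db2 get dbm cfg and the contents of the services file, and pass the DB2COMM value reported by db2set -all. A non-zero return code points at one of the conditions that this page says prevent the SSL support from being enabled, so it is worth running before db2stop/db2start rather than reading SQL5043N out of db2diag.log afterwards.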
Attention: If the Db2 server and the License Key Server Administration and Reporting Tool are on different machines, firewall settings may cause a connection problem. To resolve this connection problem, either enable the SSL port in the firewall or disable the firewall.
- To enable the SSL port on the Windows operating system, perform the following steps:
  - Go to Firewall Settings > Inbound Rules > New Rule > Port, enter the port number, and click Allow the connection.
  - Provide a name for the new rule and click Finish.
  Note: Repeat these steps for an Outbound Rule.
- To disable the firewall on the UNIX (such as Linux) operating system, use the following command:
  systemctl stop firewalld
- To check the firewall status on the UNIX (such as Linux) operating system, use the following command:
  systemctl status firewalld