Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate

To encrypt network traffic between Db2 for z/OS® and a Db2 Data Gate instance on IBM Cloud Pak® for Data, specific software components are required.

On IBM Cloud Pak for Data, Db2 Data Gate defines an OpenShift route when the service is provisioned. An OpenShift route exposes a service under an externally reachable hostname such as dg01.apps.dgsvt2.os.fyre.ibm.com. For more information, see Creating a Db2 Data Gate instance.

On z/OS, several components of z/OS Communications Server must be configured, because the encryption is provided by Application Transparent TLS (AT-TLS). In addition, a certificate and an RSA key pair are required.

Software
The following software components on the z/OS (LPAR) side must be operational:
  • Policy Agent, a component of z/OS Communications Server (version 1.2 or higher is required)
  • Optional: SYSLOG daemon (SYSLOGD)

Certificate and keys
To encrypt the network traffic between a z/OS LPAR and an accelerator, you need:
  • An RSA key pair
  • A public-key certificate of type X.509, signed by a shared certificate authority and stored in PKCS#12 format

The certificate is stored in a keyring on the LPAR. The keyring contains all credentials that the AT-TLS policy configuration uses. Both the private RSA key and the certificate from the keyring (exported in PKCS#12 format) are required on the Db2 Data Gate instance on IBM Cloud Pak for Data.

If more than one Db2 Data Gate instance is involved, each instance needs its own dedicated private key and a certificate issued by the certificate authority (CA). All Db2 Data Gate instances attached to a specific LPAR require certificates that were signed by the same CA.

The following sections describe how to configure one connection from one LPAR to one Db2 Data Gate instance.
Attention: As indicated, the resulting AT-TLS configuration accepts any certificate issued by the chosen CA. Someone holding a valid certificate from the same CA could therefore mount a man-in-the-middle attack. You can mitigate this risk by using a private CA dedicated to Db2 Data Gate and having that CA sign certificates only for legitimate Db2 Data Gate instances.
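The following shell script is an added example, not IBM's own procedure: it uses openssl to build a private CA dedicated to Db2 Data Gate, issue a per-instance RSA key pair and certificate bundled as PKCS#12, and check how CA-scoped trust behaves (a second certificate from the same CA is also accepted, which is exactly the exposure the note above describes, while a certificate from a different CA is rejected). Hostnames, directory names and the PKCS#12 password are constructed for illustration.

```shell
#!/bin/sh
# Added example (not IBM's own procedure): build a private CA dedicated to Db2 Data Gate,
# issue one RSA key pair and certificate per instance, export each as PKCS#12, and show
# that trust is CA-scoped. Requires openssl; hostnames, paths and password are constructed.
set -e
WORK=$(mktemp -d)

# Create a CA: an RSA key and a self-signed X.509 certificate.
make_ca() {  # $1 = CA directory name, $2 = CA common name
  mkdir -p "$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
    -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.crt" 2>/dev/null
}

# Generate an RSA key pair and a CA-signed certificate for one Data Gate instance, then
# bundle key and certificate into the PKCS#12 file the instance needs.
issue_cert() {  # $1 = CA directory name, $2 = instance hostname
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$2.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$2.key" -in "$WORK/$2.crt" \
    -passout pass:changeit -out "$WORK/$2.p12"
}

# Decide trust the way a CA-scoped policy does: accept any certificate that chains to the
# configured CA, regardless of which instance it names.
check_trust() {  # $1 = trusted CA directory name, $2 = instance hostname
  if openssl verify -CAfile "$WORK/$1/ca.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo accepted
  else
    echo rejected
  fi
}

make_ca datagate-ca "Db2 Data Gate private CA"
make_ca shared-ca "Shared corporate CA"
issue_cert datagate-ca dg01.example.internal
issue_cert datagate-ca dg02.example.internal   # a second instance, same CA
issue_cert shared-ca other.example.internal    # some other service, different CA

check_trust datagate-ca dg01.example.internal  # accepted
check_trust datagate-ca dg02.example.internal  # accepted: any cert from the chosen CA is trusted
check_trust datagate-ca other.example.internal # rejected: issued by a different CA
```

The second result is the point of the note above: with a CA shared across many services, every holder of a certificate from that CA would be accepted, so dedicating a CA to Db2 Data Gate keeps that set to the instances you issued certificates for.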