Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate
To encrypt network traffic between Db2 for z/OS® and a Db2 Data Gate instance on IBM Cloud Pak® for Data, specific software components are required.
On IBM Cloud Pak for Data, Db2 Data Gate defines an OpenShift route when the service is provisioned. An OpenShift route exposes a service with an externally reachable hostname, for example dg01.apps.dgsvt2.os.fyre.ibm.com. For more information, see Creating a Db2 Data Gate instance.
On z/OS, several components of the z/OS Communications Server must be configured; the encryption itself is provided by AT-TLS (Application Transparent Transport Layer Security). In addition, a certificate and an RSA key pair are required.
- Software
  - The following software components on the z/OS (LPAR) side must be operational:
    - Policy Agent (a component of z/OS Communications Server; version 1.2 or higher is required)
    - Optional: SYSLOG daemon (SYSLOGD)
- Certificate and keys
  - To encrypt the network traffic between a z/OS LPAR and an accelerator, you need:
    - An RSA key pair
    - A public-key certificate of type X.509, signed by a shared certificate authority (CA), in PKCS#12 format
The certificate is stored in a keyring on the LPAR. The keyring contains all credentials used by the AT-TLS policy configuration. The private RSA key, as well as the certificate from the keyring (in PKCS#12 format), are required on the Db2 Data Gate instance on IBM Cloud Pak for Data.
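As an added illustration (not from this page or from IBM's documentation), the following AT-TLS policy fragment is the kind of file the Policy Agent reads on the LPAR; it shows where the keyring from the previous paragraph is referenced and how outbound Db2 connections to the Data Gate route are selected. The rule name, jobname, keyring name, remote address, port and cipher list are assumptions to be replaced with site values.

```text
# Added example AT-TLS policy fragment (not IBM's code). Values in <...> are
# placeholders; the real jobname, keyring, address and port come from your site.
TTLSRule                      Db2ToDataGateRule
{
  LocalAddr                   ALL
  RemoteAddr                  <ip-address-of-Data-Gate-route>
  RemotePortRange             <port-of-Data-Gate-route>
  Direction                   Outbound          # Db2 for z/OS opens the connection
  Jobname                     <ssid>DIST        # Db2 DDF address space (assumed name)
  Priority                    255
  TTLSGroupActionRef          Db2ToDataGateGroup
  TTLSEnvironmentActionRef    Db2ToDataGateEnv
}

TTLSGroupAction               Db2ToDataGateGroup
{
  TTLSEnabled                 On
  Trace                       3                 # Error + Info messages to SYSLOGD
}

TTLSEnvironmentAction         Db2ToDataGateEnv
{
  HandshakeRole               Client            # LPAR validates the peer against the CA in the keyring
  TTLSKeyringParms
  {
    Keyring                   <keyring-name>    # keyring holding the CA certificate and the RSA key/certificate
  }
  TTLSEnvironmentAdvancedParms
  {
    TLSv1.2                   On
    TLSv1.1                   Off               # older protocol versions disabled
    TLSv1                     Off
    SSLv3                     Off
  }
  TTLSCipherParms
  {
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites            TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  }
}
```

If a connection is not encrypted after the policy is activated, the Trace output in SYSLOGD is the first place to check whether the rule matched the Db2 DDF jobname and the route's address and port.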
If more than one Db2 Data Gate instance is involved, each Db2 Data Gate instance needs its own dedicated private key and a certificate issued by the certificate authority (CA). All Db2 Data Gate instances attached to a specific LPAR require certificates that were signed by the same CA.