Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate

Important: IBM Cloud Pak® for Data Version 4.6 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.6 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.

To encrypt network traffic between Db2 for z/OS® and a Db2 Data Gate instance on IBM Cloud Pak for Data, specific software components are required.

On IBM Cloud Pak for Data, Db2 Data Gate will define an OpenShift route when the service is provisioned. An OpenShift route exposes a service with an externally-reachable hostname like dg01.apps.dgsvt2.os.fyre.ibm.com. For more information, see Creating a Db2 Data Gate instance.

On z/OS, the relevant components of the z/OS Communications Server must be configured. The encryption itself is done by Application Transparent Transport Layer Security (AT-TLS), which applies TLS to the connection at the TCP/IP layer, so Db2 for z/OS itself needs no changes. In addition, an X.509 certificate and an RSA key pair are required.

Software
The following software components on the z/OS (LPAR) side must be operational:
  • Policy Agent, a component of z/OS Communications Server that loads the AT-TLS policy (version 1.2 or higher is required)
  • Optional: SYSLOG daemon (SYSLOGD), which receives the AT-TLS log and trace messages that you need when diagnosing handshake failures
Certificate and keys
To encrypt the network traffic between a z/OS LPAR and a Db2 Data Gate instance, you need:
  • An RSA key pair
  • An X.509 public key certificate for that key pair, signed by a certificate authority (CA) that both sides trust, available in PKCS#12 format

On the LPAR, the certificate is stored in a keyring, which holds all credentials that the AT-TLS policy configuration refers to. The private RSA key together with the certificate, exported from the keyring in PKCS#12 format, must also be made available to the Db2 Data Gate instance on IBM Cloud Pak for Data, because that instance is the TLS peer that presents the certificate.

If more than one Db2 Data Gate instance is involved: each Db2 Data Gate instance needs its own private key and its own certificate for that key, issued by the certificate authority (CA). Do not share one key pair between instances. All Db2 Data Gate instances attached to a specific LPAR require certificates that were signed by the same CA, because the AT-TLS policy on that LPAR trusts exactly one CA.

The following sections describe how to configure one connection from one LPAR to one Db2 Data Gate instance.
Attention: The resulting AT-TLS configuration validates the certificate presented by the Db2 Data Gate instance only against the CA in the keyring, so it accepts any certificate that the chosen CA has issued. Anyone who holds a valid certificate from the same CA could therefore pose as a Db2 Data Gate instance and run a man-in-the-middle attack on the connection. Mitigate this risk by using a private CA reserved for Db2 Data Gate, and sign only the certificates of legitimate Db2 Data Gate instances with that CA.
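What the certificate requirements above and the Attention note amount to in practice, shown as an added example that is not part of the IBM documentation or of the Db2 Data Gate product: a POSIX shell script that uses the openssl CLI to create a private CA reserved for Db2 Data Gate, issue a dedicated RSA key pair and CA-signed X.509 certificate for each instance, export each key and certificate as PKCS#12, and then show which certificates a CA-only trust decision, the kind of check the AT-TLS policy makes, accepts and rejects. The CA names, the hostnames (dg01.apps.example.com and so on), the PKCS#12 password and the scratch directory are assumptions made for the demonstration; importing the CA certificate into the RACF keyring on the LPAR is not shown.

```shell
#!/bin/sh
# Added example, not from the IBM page: build a private CA dedicated to Db2 Data Gate,
# issue one RSA key pair plus CA-signed X.509 certificate per Data Gate instance, export
# each as PKCS#12 for the Data Gate side, and check what a CA-only trust decision (what
# the AT-TLS policy effectively verifies) does and does not reject.
# Assumptions: the openssl CLI is installed; all CA names, hostnames and the PKCS#12
# password below are made up for the demonstration.
set -eu

WORK="${DG_TLS_WORK:-$(mktemp -d)}"   # scratch directory for keys, certificates, bundles

# make_ca NAME: private CA as a self-signed X.509 certificate over a fresh RSA key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert CA HOST PASS: dedicated RSA key and CA-signed certificate for one instance,
# bundled together with the CA certificate into HOST.p12 (what the Data Gate side needs)
issue_cert() {
  ca=$1; host=$2; pass=$3
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
    -keyout "$WORK/$host.key" -out "$WORK/$host.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$host.csr" -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" \
    -CAcreateserial -days 398 -sha256 -out "$WORK/$host.crt" 2>/dev/null
  openssl pkcs12 -export -name "$host" -inkey "$WORK/$host.key" -in "$WORK/$host.crt" \
    -certfile "$WORK/$ca.crt" -passout "pass:$pass" -out "$WORK/$host.p12" 2>/dev/null
}

# accepted_by_ca CA HOST: succeeds if HOST's certificate chains to CA, which is all that
# a CA-based trust check verifies; the subject name plays no part in the decision
accepted_by_ca() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

# rejected_by_ca CA HOST: the inverse, so callers do not have to negate exit codes
rejected_by_ca() {
  if accepted_by_ca "$1" "$2"; then return 1; else return 0; fi
}

# subject_dn HOST: RFC 2253 subject of the certificate, e.g. CN=dg01.apps.example.com
subject_dn() {
  openssl x509 -in "$WORK/$1.crt" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# key_modulus HOST: RSA modulus of the instance's private key; differs per instance
key_modulus() {
  openssl rsa -in "$WORK/$1.key" -noout -modulus
}

# p12_has_key HOST PASS: succeeds if the PKCS#12 bundle really carries the private key
p12_has_key() {
  openssl pkcs12 -in "$WORK/$1.p12" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
    | grep -q 'PRIVATE KEY'
}

# --- demonstration -------------------------------------------------------------
make_ca dg-private-ca                                      # CA used only for Data Gate
make_ca corporate-ca                                       # another CA the LPAR does not trust
issue_cert dg-private-ca dg01.apps.example.com changeit    # first Data Gate instance
issue_cert dg-private-ca dg02.apps.example.com changeit    # second instance, its own key
issue_cert dg-private-ca rogue.example.com     changeit    # anyone else the same CA signed
issue_cert corporate-ca  other.example.com     changeit    # certificate from a different CA

for host in dg01.apps.example.com dg02.apps.example.com rogue.example.com other.example.com; do
  if accepted_by_ca dg-private-ca "$host"; then verdict=accepted; else verdict=rejected; fi
  printf '%-24s %-9s %s\n' "$host" "$verdict" "$(subject_dn "$host")"
done
```

The rogue.example.com line is the point of the Attention note: because the same CA signed it, a CA-only check accepts it exactly like the two real instances, while the certificate from corporate-ca is rejected. Limiting what the dedicated CA signs is therefore the control, and that is why a CA shared with other workloads is a poor choice here. On the LPAR, the CA certificate goes into the keyring that the AT-TLS policy references (with RACDCERT on a RACF system); each .p12 file goes to its own Db2 Data Gate instance.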