Encrypting outbound network traffic from Db2 for z/OS to Db2 Data Gate
Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.6 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.
To encrypt network traffic between Db2 for z/OS® and a Db2 Data Gate instance on IBM Cloud Pak for Data, specific software components are required.
On IBM Cloud Pak for Data, Db2 Data Gate defines an OpenShift route when the service is provisioned. An OpenShift route exposes a service with an externally reachable hostname, such as dg01.apps.dgsvt2.os.fyre.ibm.com. For more information, see Creating a Db2 Data Gate instance.
On z/OS, several components of the z/OS Communications Server must be configured; z/OS uses Application Transparent TLS (AT-TLS) to encrypt the connection. In addition, a certificate and an RSA key pair are required.
- Software
  - The following software components on the z/OS (LPAR) side must be operational:
    - Policy Agent (a component of z/OS Communications Server; version 1.2 or higher is required)
    - Optional: SYSLOG daemon (SYSLOGD)
- Certificate and keys
  - To encrypt the network traffic between a z/OS LPAR and an accelerator, you need:
    - An RSA key pair
    - A public key certificate of type X.509, signed by a shared certificate authority, in PKCS#12 format
The certificate is stored in a keyring on the LPAR. The keyring contains all credentials that the AT-TLS policy configuration uses. The private RSA key and the certificate from the keyring (in PKCS#12 format) are required on the Db2 Data Gate instance on IBM Cloud Pak for Data.
If more than one Db2 Data Gate instance is involved, each Db2 Data Gate instance needs a dedicated private key with a certificate that was issued by the certificate authority (CA). All Db2 Data Gate instances attached to a specific LPAR require certificates that were signed by the same CA.
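The following script is an added example, not part of IBM's documentation or of the z/OS procedure itself: it models the certificate requirements above with the openssl CLI, creating one shared CA, issuing a dedicated RSA key pair and CA-signed X.509 certificate per Db2 Data Gate instance, exporting each as PKCS#12, and checking that every bundle chains back to the same CA. The CA name, instance names and export passphrase are constructed placeholders; on the LPAR itself the keyring is managed by the security product, not by openssl.

```shell
#!/bin/sh
# Added example (not IBM's code): per-instance RSA key + certificate, signed by one
# shared CA, bundled as PKCS#12, and verified against that CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CA_SUBJ="/CN=Example-DataGate-CA"   # constructed CA name (placeholder)
P12_PASS="changeit"                  # constructed export passphrase (placeholder)

# Create the shared certificate authority: a self-signed RSA key pair and certificate.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" -subj "$CA_SUBJ" 2>/dev/null
}

# Issue a dedicated RSA key pair and a CA-signed X.509 certificate for one
# Db2 Data Gate instance, then bundle key, certificate and CA into a PKCS#12 file.
issue_instance() {
  name="$1"
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
    -out "$WORK/$name.csr" -subj "/CN=$name" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$name.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$WORK/$name.key" -in "$WORK/$name.crt" \
    -certfile "$WORK/ca.crt" -name "$name" -passout "pass:$P12_PASS" \
    -out "$WORK/$name.p12"
}

# Check a PKCS#12 bundle: extract its end-entity certificate and verify that it
# chains to the shared CA. Returns non-zero if the bundle was signed by another CA.
verify_p12() {
  name="$1"
  openssl pkcs12 -in "$WORK/$name.p12" -passin "pass:$P12_PASS" -nokeys -clcerts \
    -out "$WORK/$name.extracted.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/$name.extracted.crt" >/dev/null 2>&1
}

# Certificate serial number, used to confirm that each instance got its own certificate.
cert_serial() {
  openssl x509 -in "$WORK/$1.crt" -noout -serial
}
```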