Securing IBM Db2 for LUW database connections
Introduction
The IBM Db2® for LUW (Linux, UNIX, and Windows) database system supports the Transport Layer Security (TLS) protocol, which lets a client validate the certificate of a Db2 server and protects the communication between client and server with encryption. For more information, see the TLS configuration of Db2 section in the IBM Db2 11.5 documentation.
TLS is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications developed by Netscape Corporation for securing communications over Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols run at the application level, so an application must be designed and coded to use TLS/SSL protection.
Prerequisites
- Make sure that IBM Global Security Kit (GSKit) is correctly installed. For more information, see GSKit V8 - Install Instructions.
- Make sure that the IBM Global Security Kit version matches your IBM Db2 for LUW version. If you encounter any error, see:
  - GSKit stash format
  - Common GSKit errors
  - IAYAA0005E - The node is already cataloged with different settings
- Make sure that a certificate authority issues a signed certificate (.crt), a non-encrypted private key for the certificate (.key), and a keystore file with one of the following extensions: .jks, .keystore, .pfx, .p12, or .ks. These files are required when configuring Hypertext transfer protocol secure (HTTPS) as the default connection protocol in IBM AD Configuration Server. For more information, see Configuring Security Settings.
Configure IBM Db2 for LUW with TLS support for IBM AD
- Generate a .kdb keystore for the Db2 server instance.
- Secure the Db2 instance with the .kdb keystore and a new certificate.
- Create the Audit database.
- Configure Hypertext transfer protocol secure (HTTPS) as the default connection protocol in IBM AD Configuration Server.
- Add an IBM Db2 relational database server in IBM AD Configuration Server.
- Configure the Database names.
- Configure IBM AD Build to use a Db2 server instance.
- (Optionally) Set the special variables for IBM AD Build Client when it is installed on a different machine than IBM AD Configuration Server and Db2 for LUW is configured with TLS.
Generate a .kdb keystore for Db2 server instance
- Open a command prompt or a terminal window and add gsk8 to the system PATH variable.
set PATH="C:\Program Files\ibm\gsk8\bin";%PATH%
set PATH="C:\Program Files\ibm\gsk8\lib64";%PATH%
- Create a keystore and a stash file.
gsk8capicmd_64 -keydb -create -db "<KEYSTORE_FILENAME>.kdb" -pw "<KEYSTORE_PASSWORD>" -stash
Example:
mkdir c:\certificates
cd c:\certificates
gsk8capicmd_64 -keydb -create -db "db2.kdb" -pw "password" -stash
- Make sure that the .kdb, .crl, .rdb, and .sth files are present in the output folder.
- Create a new certificate in the keystore.
gsk8capicmd_64 -cert -create -db "db2.kdb" -pw "password" -label "ibm_ad_db2" -dn "CN=IBM" -size 2048 -sigalg SHA256_WITH_RSA
- Extract the certificate to a file. It is used later to generate a client .kdb keystore for IBM AD Build Client.
gsk8capicmd_64 -cert -extract -db "db2.kdb" -pw "password" -label "ibm_ad_db2" -target "db2.arm" -format ascii -fips
Secure the Db2 instance with .kdb keystore and a new certificate
- Go to .
- Get the name of your Db2 instance by executing:
db2 get instance
Output:
The current database manager instance is: DB2
- Edit C:\Windows\System32\drivers\etc\services and add the line db2c_<INSTANCE_NAME>_ssl <SSL_PORT>/tcp. Example:
db2c_DB2_ssl 50001/tcp
- Execute the following commands after adjusting the path to the keystore.
db2 update dbm cfg using SSL_SVR_KEYDB "<KEYSTORE_FILE_PATH>"
db2 update dbm cfg using SSL_SVR_STASH "<STASH_FILE_PATH>"
db2 update dbm cfg using SSL_SVCENAME <SSL_SERVICE_NAME>
db2 update dbm cfg using SSL_SVR_LABEL <CERTIFICATE_LABEL>
db2 update dbm cfg using SSL_VERSIONS TLSV12
Example:
db2 update dbm cfg using SSL_SVR_KEYDB "c:\certificates\db2.kdb"
db2 update dbm cfg using SSL_SVR_STASH "c:\certificates\db2.sth"
db2 update dbm cfg using SSL_SVCENAME db2c_DB2_ssl
db2 update dbm cfg using SSL_SVR_LABEL ibm_ad_db2
db2 update dbm cfg using SSL_VERSIONS TLSV12
- Check that the Db2 configuration has been updated correctly.
db2 get dbm cfg
- Configure Db2 to run in SSL-only mode or in mixed mode.
  - To run in SSL-only mode, execute:
db2set -i DB2 DB2COMM=SSL
  - To run in mixed mode (SSL and TCP/IP), execute:
db2set -i DB2 DB2COMM=SSL,TCPIP
- Check that the communication mode has been applied.
db2set -all
- Restart Db2.
db2stop
db2start
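The procedure tells you to run db2 get dbm cfg and db2set -all but not what to look for in their output. The following Python script is an added example, not part of the IBM documentation or product: it parses constructed samples of that output and of the services file, and flags the cases the steps above are meant to rule out (an SSL parameter left unset, SSL_VERSIONS not TLSV12, a missing db2c_<INSTANCE_NAME>_ssl service entry, or DB2COMM leaving the plaintext TCPIP listener enabled in mixed mode). The "Description (PARAM) = value" layout of the db2 get dbm cfg output is assumed.

```python
import re

# Constructed sample output (not from a real server); the '(PARAM) = value' layout is assumed.
SAMPLE_DBM_CFG = """\
 SSL server keydb file                   (SSL_SVR_KEYDB) = c:\\certificates\\db2.kdb
 SSL server stash file                   (SSL_SVR_STASH) = c:\\certificates\\db2.sth
 SSL server certificate label            (SSL_SVR_LABEL) = ibm_ad_db2
 SSL service name                         (SSL_SVCENAME) = db2c_DB2_ssl
 SSL versions                            (SSL_VERSIONS) = TLSV12
"""
SAMPLE_SERVICES = "db2c_DB2        50000/tcp\ndb2c_DB2_ssl    50001/tcp\n"
SAMPLE_DB2SET = "[i] DB2COMM=SSL\n"

PARAM_RE = re.compile(r"\((?P<name>[A-Z0-9_]+)\)\s*=\s*(?P<value>.*)$")

def parse_dbm_cfg(text):
    """Map each '(PARAM) = value' line of `db2 get dbm cfg` to a dict."""
    return {m.group("name"): m.group("value").strip()
            for m in map(PARAM_RE.search, text.splitlines()) if m}

def ssl_port_from_services(text, svcname):
    """Return the TCP port bound to svcname in a services file, or None."""
    ports = [int(p[1].split("/")[0]) for p in map(str.split, text.splitlines())
             if len(p) >= 2 and p[0] == svcname and p[1].endswith("/tcp")]
    return ports[0] if ports else None

def parse_db2set(text):
    """Parse `db2set -all` lines such as '[i] DB2COMM=SSL' into a dict."""
    pairs = (re.sub(r"^\[\w+\]\s*", "", l.strip()).split("=", 1) for l in text.splitlines())
    return dict(p for p in pairs if len(p) == 2)

def check_tls_config(dbm_cfg_text, services_text, db2set_text):
    """Return a list of findings; an empty list means the server side looks right."""
    findings = []
    cfg = parse_dbm_cfg(dbm_cfg_text)
    for p in ("SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVR_LABEL", "SSL_SVCENAME"):
        if not cfg.get(p):
            findings.append(f"{p} is not set")
    if cfg.get("SSL_VERSIONS") != "TLSV12":
        findings.append(f"SSL_VERSIONS is {cfg.get('SSL_VERSIONS') or 'unset'}, expected TLSV12")
    svc = cfg.get("SSL_SVCENAME")
    if svc and ssl_port_from_services(services_text, svc) is None:
        findings.append(f"no '{svc} <port>/tcp' entry in the services file")
    comm = parse_db2set(db2set_text).get("DB2COMM", "")
    protos = {x.strip().upper() for x in comm.split(",") if x.strip()}
    if "SSL" not in protos:
        findings.append(f"DB2COMM={comm or '<unset>'} does not enable SSL")
    elif "TCPIP" in protos:
        findings.append("DB2COMM is in mixed mode; the plaintext TCPIP listener is still open")
    return findings
```

On a real server, feed the script the saved output of db2 get dbm cfg and db2set -all together with the contents of the services file; the mixed-mode finding is informational when you chose that mode deliberately.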
Create the Audit database
db2 create database EZAUDIT using codeset UTF-8 territory en PAGESIZE 16384
Configure Hypertext transfer protocol secure (HTTPS) as a default connection protocol in IBM AD Configuration Server
- Open a command prompt or a terminal window and navigate to the folder where the Db2 for LUW certificates have been generated. Example:
cd c:\certificates
- Import the exported db2.arm certificate into the already generated .jks file for both the server and the client certificate packages by using the following command:
keytool -import -trustcacerts -alias <ALIAS> -file <DB2_EXPORTED_CERT> -keystore <JAVA_KEYSTORE> -storepass <KEYSTORE_PASSWORD>
Examples:
keytool -import -trustcacerts -alias ibm_ad_db2 -file db2.arm -keystore server.jks -storepass password
keytool -import -trustcacerts -alias ibm_ad_db2 -file db2.arm -keystore client.jks -storepass password
- Go to the Configuring Security Settings section and follow the steps to upload all the security files in IBM AD Configuration Server.
Add an IBM Db2 relational database server in IBM AD Configuration Server
By adding an IBM Db2 relational database server, you configure the TLS connection between IBM® AD and IBM Db2 for LUW.
- In IBM AD Configuration Server, go to the Relational Database Server settings page.
- To add an IBM Db2 relational database server, click the Add button. The Add Relational Database Server page is displayed.
- Enter an appropriate name (alias) for the IBM Db2 relational database server.
- Make sure that IBM Db2 is selected as a database server type.
- Enter the host name or the IP of the computer where the IBM Db2 database server is installed.
- Enter the port for IBM Db2 for LUW with TLS.
- Make sure that the Use TLS checkbox is checked to enable Transport Layer Security (TLS) communication with Db2 for LUW.
- (Optionally) Enter the name of any database on the selected server. This database name is used to test the connection.
- Enter the username and password of the IBM Db2 for LUW server instance.
- Click Test Connection to test the connection to your database. If the test connection succeeds, click Save.
Configure the Database names
- In IBM AD Configuration Server, go to the Database Names settings page.
- Associate the Db2 for LUW database server that was already defined under the Managing a Relational Database Server section.
- Enter the Audit Database name that was defined in the Create the Audit database step.
- Click Save.
Configure IBM AD Build to use a Db2 server instance
- Open a command prompt or a terminal window and navigate to the folder where the db2.arm certificate is located.
- Create a new empty .kdb keystore file.
gsk8capicmd_64 -keydb -create -db "db2client.kdb" -pw "password" -stash
- Import the db2.arm certificate into the db2client.kdb keystore.
gsk8capicmd_64 -cert -add -db "db2client.kdb" -pw "password" -label "ibm_ad_db2" -file "db2.arm" -format ascii
- If the Db2 server instance is not on the same machine as IBM AD Build Client, follow the steps in the IBM Db2 for LUW Server Configurations topic.
- Point the Db2 client instance to the db2client files.
db2 update dbm cfg using SSL_CLNT_KEYDB C:\certificates\db2client.kdb SSL_CLNT_STASH C:\certificates\db2client.sth
- Restart Db2.
db2stop
db2start
(Optionally) Set the special variables for IBM AD Build Client when it is installed on a different machine than IBM AD Configuration Server and Db2 for LUW is configured with TLS
These steps apply only when:
- IBM AD Build Client is installed on a different machine than IBM AD Configuration Server.
- IBM Db2 for LUW is configured with TLS.
- On the machine where IBM AD Configuration Server is installed, go to c:\certificates and make sure that the server.jks file is present. Copy the server.jks file to the machine where IBM AD Build Client is installed.
- Manually perform the following steps:
  - On the machine where IBM AD Build Client is installed, go to the <IBM ADDI Installation Folder>\IBM Application Discovery Build Client\Bin\Release\conf folder.
  - Open the jvm.options file in a text editor.
  - Add the following lines:
javax.net.ssl.keyStore=<path of the server.jks file>
javax.net.ssl.keyStorePassword=<encrypted password>
javax.net.ssl.trustStore=<path of the server.jks file>
javax.net.ssl.trustStorePassword=<encrypted password>
Where:
- javax.net.ssl.keyStore - the location on disk where the keystore is stored.
- javax.net.ssl.keyStorePassword - the password of the keystore that was used when setting Hypertext transfer protocol secure (HTTPS) as the default connection protocol in IBM AD Configuration Server. For more information, see Configuring Security Settings. Note: The password of the keystore is already stored in the jvmargs.txt file on the machine where HTTPS was set as the default connection protocol in IBM AD Configuration Server.
- javax.net.ssl.trustStore - the location on disk where the truststore is stored.
- javax.net.ssl.trustStorePassword - the password of the truststore that was used when setting HTTPS as the default connection protocol in IBM AD Configuration Server. For more information, see Configuring Security Settings. Note: The password of the truststore is already stored in the jvmargs.txt file on the machine where HTTPS was set as the default connection protocol in IBM AD Configuration Server.