Configuring TLS 1.3 on DB2 during runtime

You can configure TLS 1.3 for a secure connection between Sterling B2B Integrator and DB2 during runtime.

Before you begin

For more information on how to configure SSL on a DB2 instance, see IBM DB2 Documentation.

About this task

Currently, Sterling B2B Integrator supports the SSL encryption mechanism using Java KeyStore (JKS) files.

To convert the DB2 server certificate file (b2biclient.arm or b2biclient.cer) into a JKS truststore, use one of the following commands:
  • keytool -import -noprompt -trustcacerts -alias b2bidb2 -file b2biclient.arm -keystore key.jks -storepass password -keypass password
  • keytool -import -v -trustcacerts -alias keyAlias -file server.cer -keystore cacerts.jks -keypass changeit
Note:
  • keytool is located in the <B2Bi_install>/jdk/bin directory.
  • TLS 1.3 can be configured on DB2 v11.5.8 or later.
  • Currently, only one-way SSL is supported.

Procedure

  1. Download the JDBC drivers from DB2 JDBC Driver Versions and Downloads.
  2. Stop the Sterling B2B Integrator services.
  3. Install DB2 with the SSL option.
  4. Open sandbox.cfg in the Sterling B2B Integrator installation directory. Replace the non-SSL port values of the following properties with the SSL port, and set sslConnection to true:
    DB2_PORT
    DB_PORT
    YANTRA_DB_PORT
    sslConnection = true
    For example, if SSL is configured on port 55000, the properties must be updated as:
    DB2_PORT=55000
    DB_PORT=55000
    YANTRA_DB_PORT=55000
    sslConnection = true
  5. Navigate to the Properties folder in the Sterling B2B Integrator installation directory. Back up the following files before you update them:
    1. jdbc.properties.in
    2. jdbc.properties_platform_ifcresources_ext.in
  6. Specify the following parameters in jdbc.properties.in and jdbc.properties_platform_ifcresources_ext.in:
    Parameter     Description                                                                    Requirement
    key.jks       Truststore file name used in the modified URL for the DB2 SSL setup.          Mandatory
    password      Password for the truststore file.                                             Mandatory
    sslVersion    SSL version to use for TLS 1.3. Set this to sslVersion=TLSv1.3;               Mandatory
  7. Update the JDBC URLs with the SSL-configured URLs.
    1. Update jdbc.properties.in with the following database pools:
      • db2Pool
      • db2Pool_local
      • db2Pool_NoTrans
      For example, existing URL:
      db2Pool.url=jdbc:db2://<IP address of DB2 server>:<port number>/B2Bi
      db2Pool.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi
      Updated URLs:
      db2Pool.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.3;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
      db2Pool_local.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.3;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
      db2Pool_NoTrans.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.3;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
    2. Update jdbc.properties_platform_ifcresources_ext.in with the following database pools:
      • db2ArchivePool
      • db2UIPool
      For example, existing URL:
      db2ArchivePool.url=jdbc:db2://<IP address of DB2 server>:<port number>/B2Bi
      db2ArchivePool.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi
      Updated URLs:
      db2ArchivePool.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.3;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
      db2UIPool.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.3;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
  8. Ensure TLS 1.3 ciphers are enabled on the DB2 server.
    Run the following command to display the DB2 SSL configuration:
    db2 get dbm cfg | grep SSL
    Example output:
    db2 get dbm cfg | grep SSL
     SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/db2keys/b2bidb2.kdb
     SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/db2keys/b2bidb2.sth
     SSL server certificate label            (SSL_SVR_LABEL) = B2bi-self-signed
     SSL service name                         (SSL_SVCENAME) = 55000
     SSL cipher specs                      (SSL_CIPHERSPECS) = TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,SECP256R1,SECP384R1,RSA_PKCS1_SHA256,ECDSA_SECP256R1_SHA256,RSA_PSS_RSAE_SHA256,RSA_PSS_PSS_SHA256
     SSL versions                             (SSL_VERSIONS) = TLSV13
     SSL client keydb file                  (SSL_CLNT_KEYDB) = 
     SSL client stash file                  (SSL_CLNT_STASH) = 
    The IBM JDK supports the following cipher suites for TLS 1.3:
    • TLS_AES_256_GCM_SHA384
    • TLS_AES_128_GCM_SHA256
    • TLS_CHACHA20_POLY1305_SHA256
    For more information, see Supported cipher specifications at the server.
  9. Run the setup script for your operating system:
    • Unix/Linux:
      setupfiles.sh
    • Windows:
      setupfiles.cmd
  10. Run the deployer script for your operating system:
    • Unix/Linux:
      deployer.sh
    • Windows:
      deployer.cmd
  11. Restart the Sterling B2B Integrator services.
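As an added example (not IBM's code or tooling), the following Python script audits the pool URLs in jdbc.properties.in and jdbc.properties_platform_ifcresources_ext.in against the TLS 1.3 URL form used in step 7, reporting pools left on the non-SSL port, without sslConnection=true, or pinned to an older sslVersion. The pool names and the SSL port come from this procedure; the sample properties content is constructed.

```python
"""Audit Sterling B2B Integrator DB2 pool URLs for the TLS 1.3 settings the procedure requires."""
import re

# Pools the procedure lists for each properties file (constructed check, not IBM tooling).
EXPECTED_POOLS = {
    "jdbc.properties.in": ("db2Pool", "db2Pool_local", "db2Pool_NoTrans"),
    "jdbc.properties_platform_ifcresources_ext.in": ("db2ArchivePool", "db2UIPool"),
}
URL_RE = re.compile(r"^jdbc:db2://(?P<host>[^:/]+):(?P<port>\d+)/(?P<db>[^:;]+)(?::(?P<props>.*))?$")

def parse_db2_url(url):
    """Split jdbc:db2://host:port/DB:k=v;k=v into (host, port, db, {k: v})."""
    m = URL_RE.match(url.strip())
    if not m:
        raise ValueError(f"not a DB2 JDBC URL: {url!r}")
    props = dict(item.partition("=")[::2] for item in (m["props"] or "").split(";") if item)
    return m["host"], int(m["port"]), m["db"], props

def tls13_findings(url, ssl_port):
    """List the deviations of one pool URL from the TLS 1.3 form; an empty list means it is correct."""
    _, port, _, p = parse_db2_url(url)
    checks = [
        (port == ssl_port, f"port {port} is not the SSL port {ssl_port}"),
        (p.get("sslConnection", "").lower() == "true", "sslConnection=true is missing"),
        (p.get("sslVersion") == "TLSv1.3", f"sslVersion is {p.get('sslVersion')!r}, expected 'TLSv1.3'"),
        (p.get("sslTrustStoreLocation", "").endswith(".jks"), "sslTrustStoreLocation is not a JKS truststore"),
        (bool(p.get("sslTrustStorePassword")), "sslTrustStorePassword is missing"),
    ]
    return [msg for ok, msg in checks if not ok]

def audit_properties(text, filename, ssl_port):
    """Map every expected pool of one properties file to its findings; an absent pool is a finding too."""
    urls = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#") and key.endswith(".url"):
            urls[key[:-len(".url")]] = value
    return {pool: tls13_findings(urls[pool], ssl_port) if pool in urls else ["no .url entry found"]
            for pool in EXPECTED_POOLS[filename]}

# Constructed sample: db2Pool is done, db2Pool_local is still plaintext, db2Pool_NoTrans pins TLS 1.2.
SAMPLE = """\
db2Pool.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.3;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
db2Pool_local.url=jdbc:db2://b2biqarhlmk9:50000/B2Bi
db2Pool_NoTrans.url=jdbc:db2://b2biqarhlmk9:55000/B2Bi:sslConnection=true;sslVersion=TLSv1.2;sslTrustStoreLocation=/opt/db211.5/sslkey_b2biqarhlmk9/key.jks;sslTrustStorePassword=password
"""

if __name__ == "__main__":
    for pool, problems in audit_properties(SAMPLE, "jdbc.properties.in", 55000).items():
        print(f"{pool}: {'OK' if not problems else '; '.join(problems)}")
```

Run it against the real files after step 7 and before running setupfiles, so that a pool left on the plaintext port is caught before the services are restarted.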
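As a second added example (again not IBM's code), this script parses the output of db2 get dbm cfg | grep SSL from step 8 and checks that TLSV13 is enabled, that the server keydb, stash and SSL service name are set, and which SSL_CIPHERSPECS entries are also in the IBM JDK TLS 1.3 list above. It assumes that only the TLS_-prefixed entries in SSL_CIPHERSPECS are cipher suites (the remaining names being named groups and signature schemes); the sample output is the one shown in step 8.

```python
"""Check `db2 get dbm cfg | grep SSL` output for a TLS 1.3 setup the IBM JDK can negotiate."""
import re

# TLS 1.3 cipher suites the IBM JDK supports (the list given in step 8).
JDK_TLS13_SUITES = {"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256", "TLS_CHACHA20_POLY1305_SHA256"}
# Matches "(SSL_PARAM) = value" on each configuration line; the value may be empty.
LINE_RE = re.compile(r"\((?P<name>SSL_[A-Z_]+)\)\s*=\s*(?P<value>.*)$")

def parse_dbm_ssl_cfg(output):
    """Turn the grep'd lines into {SSL_PARAM: value}; unset parameters map to ''."""
    cfg = {}
    for line in output.splitlines():
        m = LINE_RE.search(line)
        if m:
            cfg[m["name"]] = m["value"].strip()
    return cfg

def check_tls13_readiness(cfg):
    """Return (ok, findings, usable_suites); ok is False only for problems that stop a TLS 1.3 handshake."""
    blocking, warnings = [], []
    versions = {v.strip().upper() for v in cfg.get("SSL_VERSIONS", "").split(",") if v.strip()}
    if "TLSV13" not in versions:
        blocking.append(f"SSL_VERSIONS={cfg.get('SSL_VERSIONS', '')!r} does not enable TLSV13")
    # Assumption: only TLS_* entries in SSL_CIPHERSPECS are cipher suites; the rest are groups/signature schemes.
    specs = {s.strip() for s in cfg.get("SSL_CIPHERSPECS", "").split(",") if s.strip()}
    server_suites = {s for s in specs if s.startswith("TLS_")}
    usable = sorted(server_suites & JDK_TLS13_SUITES)
    if not usable:
        blocking.append("no cipher suite in SSL_CIPHERSPECS is in the IBM JDK TLS 1.3 list")
    for s in sorted(server_suites - JDK_TLS13_SUITES):
        warnings.append(f"{s} is configured but is not in the IBM JDK TLS 1.3 list")
    for param in ("SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVCENAME"):
        if not cfg.get(param):
            blocking.append(f"{param} is not set")
    return not blocking, blocking + warnings, usable

# Constructed sample: the configuration shown in step 8, as `db2 get dbm cfg | grep SSL` prints it.
SAMPLE_CFG = """\
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/db2keys/b2bidb2.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/db2keys/b2bidb2.sth
 SSL server certificate label            (SSL_SVR_LABEL) = B2bi-self-signed
 SSL service name                         (SSL_SVCENAME) = 55000
 SSL cipher specs                      (SSL_CIPHERSPECS) = TLS_AES_256_GCM_SHA384,TLS_AES_128_CCM_SHA256,SECP256R1,SECP384R1,RSA_PKCS1_SHA256,ECDSA_SECP256R1_SHA256,RSA_PSS_RSAE_SHA256,RSA_PSS_PSS_SHA256
 SSL versions                             (SSL_VERSIONS) = TLSV13
 SSL client keydb file                  (SSL_CLNT_KEYDB) =
 SSL client stash file                  (SSL_CLNT_STASH) =
"""

if __name__ == "__main__":
    print(check_tls13_readiness(parse_dbm_ssl_cfg(SAMPLE_CFG)))
```

For the sample configuration the result is ready with TLS_AES_256_GCM_SHA384 as the only suite both sides share, and a warning that TLS_AES_128_CCM_SHA256 is not in the IBM JDK list.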