Defining TTLS rules for connections to Db2 Data Gate

Define TTLS rules to specify the port numbers, network directions, key rings (certificates), and the encryption algorithms that a connection can use. A TTLS rule is required for each connection that is used by Db2 Data Gate. TTLS rules take effect when the address space for the Policy Agent (PAGENT) is refreshed.

Procedure

  1. The TTLS rules are defined in the AT-TLS configuration file that the Policy Agent reads. So you have to find this file first, starting from the TCP/IP started task.
    1. Open the JCL job for the TCP/IP started task.
    2. Locate the PROFILE DD card in this job.
    3. Check if AT-TLS is enabled by looking at the TCPCONFIG statement.
      It needs to contain the TTLS parameter, as in the following example. The other parameters shown are typical values that have nothing to do with AT-TLS:
      TCPCONFIG
          TTLS                     ; Enable AT-TLS Function
          INTERVAL 5               ; Send KeepAlive every 5 minutes
          TCPMAXRCVBUFRSIZE  2097152
          TCPMAXSENDBUFRSIZE 2097152
      
    4. If AT-TLS has been enabled, you can identify the AT-TLS configuration file by checking the Policy Agent started task.
    5. Locate the PARM parameter in the JCL job for the Policy Agent started task.
      It refers to the main Policy Agent configuration file, which in turn refers to the AT-TLS configuration file by means of the TTLSConfig statement:
      TTLSConfig  //'SYS1.TCPPARMS(TTLS)'

      So in this case, the name of the AT-TLS configuration file is SYS1.TCPPARMS(TTLS).

  2. Open the AT-TLS configuration file identified in the previous step and add the required settings for Db2 Data Gate.
    Connections to the distributed data facility (DDF) for Db2 Data Gate must be encrypted. So each connection used for this purpose requires a TTLS rule. Connections are identified by their IP addresses, port numbers, and started task names.

    The AT-TLS configuration file contains many blocks of settings, which are identified by a unique name. Each unique name can be used to refer to a shared set of settings from other rules. You can add new definitions to the end of the configuration file. Ensure that the chosen identifiers (names) are unique.

    1. A connection between a single Db2 subsystem and Db2 Data Gate requires a TTLS rule as shown in the following example:
      ###############################################
      # Rules for SSL access to Db2 DDF
      ###############################################
      TTLSRule DB12Rule15111
      {
         LocalPortRange           15111
         JobName                  DB12DIST
         Direction                Inbound
         TTLSGroupActionRef       Db2SslGroup
         TTLSEnvironmentActionRef DB12SslEnv
      }
      

      This rule refers to a standalone Db2 subsystem with the name DB12. The DDF listens for incoming connections on secure port 15111, and the rule matches only inbound connections to that port that belong to the DDF address space. The name of the Db2 subsystem is reflected in the address space name of the DDF, which is DB12DIST.

      Important: A rule for a data sharing group is slightly different. However, most of the steps in this section also apply to the rule for a data sharing group. See the next section for instructions on how to make the necessary changes for a data sharing group.

      The rule contains two references to other definition blocks within the AT-TLS configuration file:

      • TTLSGroupActionRef Db2SslGroup
      • TTLSEnvironmentActionRef DB12SslEnv

      This is a common way of referring to TTLS configuration options, which allows a reuse of the same options in other rules by just specifying the unique name of the block or section.

    2. A suitable definition block for the TTLSGroupActionRef looks as follows:
      TTLSGroupAction Db2SslGroup
      {
         TTLSEnabled       On
         CtraceClearText   On
      }
      

      This definition block enables AT-TLS for the rule and sets a trace option. Note that CtraceClearText On makes the TCP/IP CTRACE record the unencrypted data of the connection; this is useful while you debug the setup, but it exposes plaintext in the trace, so set it to Off in normal operation.

    3. The other reference, TTLSEnvironmentActionRef, points to a definition block that specifies the key ring to be accessed by the connection, the security protocol, the role in the TTLS handshake, and the encryption algorithms that the connection can use. Enable only TLSv1.2 or a higher protocol version, and turn the older protocols off explicitly rather than relying on defaults, because older protocols are considered unsafe and their use is deprecated.
      A suitable definition block for this reference looks like this:
      TTLSEnvironmentAction DB12SslEnv
      {
         TTLSKeyRingParms
         {
             Keyring           DB2AKEYRING
         }
         TTLSEnvironmentAdvancedParms
         {
             TLSv1             Off
             TLSv1.1           Off
             TLSv1.2           On
             ClientAuthType    PassThru
         }
         HandShakeRole         Server
         TTLSCipherParmsRef    Db2SslCipherParms
      }

      The key ring referred to is DB2AKEYRING, which must hold the server certificate that the DDF presents to Db2 Data Gate. The handshake role must be set to Server, and TLSv1 and TLSv1.1 are explicitly turned off so that TLS version 1.2 is the only protocol this environment accepts. The encryption algorithms are defined in a separate block, so again you find a reference here. This reference points to a block named Db2SslCipherParms.

    4. The following example shows what the Db2SslCipherParms block might look like:
      TTLSCipherParms Db2SslCipherParms
      {
          V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
          V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      }

      Important: Only use the ciphers listed in the example above. Do not specify other ciphers.
  3. Save your AT-TLS configuration file when your rule definitions are complete.
  4. To let the changes take effect, refresh the Policy Agent address space with the MODIFY command from the console:
    /f PAGENT,REFRESH
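
The following is an added example, not code from IBM or from the Db2 Data Gate documentation. It is a small Python checker that parses the brace syntax of the rule, group action, environment action and cipher block shown above, resolves the TTLSGroupActionRef, TTLSEnvironmentActionRef and TTLSCipherParmsRef names the same way the Policy Agent does, and verifies the requirements this section states: Direction Inbound, TTLSEnabled On, HandShakeRole Server, TLSv1 and TLSv1.1 explicitly Off, TLSv1.2 or later On, and no cipher suite outside the two listed. SAMPLE_POLICY is a constructed copy of the page's blocks; WEAK_POLICY is a constructed misconfigured variant derived from it. The TLSv1.3 keyword, the function names and the FAIL/WARN wording are assumptions of this example; the checker complements, and does not replace, the Policy Agent's own syntax checking when it is refreshed.

```python
ALLOWED_CIPHERS = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # the only suites the page permits
                   "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
MUST_BE_OFF = ("tlsv1", "tlsv1.1")   # release defaults differ, so demand an explicit Off
MODERN = ("tlsv1.2", "tlsv1.3")      # at least one must be On (TLSv1.3 keyword assumed available)

SAMPLE_POLICY = """# constructed copy of the page's four blocks; keyword case varies, as on the page
TTLSRule DB12Rule15111
{
   LocalPortRange           15111
   JobName                  DB12DIST
   Direction                Inbound
   TTLSGroupActionRef       Db2SslGroup
   TTLSEnvironmentActionRef DB12SslEnv
}
TTLSGroupAction Db2SslGroup
{
   TTLSEnabled       On
   CtraceClearText   On
}
TTLSEnvironmentAction DB12SslEnv
{
   TTLSKeyRingParms
   {
       Keyring           DB2AKEYRING
   }
   TTLSENVIRONMENTADVANCEDPARMS
   {
    TLSV1 OFF
    TLSV1.1 OFF
    TLSV1.2 ON
    ClientAuthType    PassThru
   }
   HandShakeRole         Server
   TTLSCipherParmsRef    Db2SslCipherParms
}
TTLSCipherParms Db2SslCipherParms
{
    V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    V3CipherSuites     TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
}
"""
# Constructed weak variant: client role, TLS 1.1 left on, a CBC suite slipped in.
WEAK_POLICY = (SAMPLE_POLICY.replace("HandShakeRole         Server", "HandShakeRole         Client")
               .replace("TLSV1.1 OFF", "TLSV1.1 ON").replace("CtraceClearText   On", "CtraceClearText   Off")
               .replace("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA"))

def parse_policy(text):
    """Brace syntax -> {(statement_type, name): block}; scalars become value lists, nested parms dicts."""
    lines = [l for l in (raw.split("#", 1)[0].strip() for raw in text.splitlines()) if l]
    statements, stack, i = {}, [], 0
    while i < len(lines):
        line, i = lines[i], i + 1
        if line == "}":
            stack.pop()
        elif line.endswith("{") or (i < len(lines) and lines[i] == "{"):
            if not line.endswith("{"):
                i += 1                                   # the brace sits on its own line
            parts, block = line.rstrip("{").split(), {}
            if stack:                                    # nested block such as TTLSKeyRingParms
                stack[-1][parts[0].lower()] = block
            else:                                        # named statement such as TTLSRule DB12Rule15111
                statements[(parts[0].lower(), parts[1] if len(parts) > 1 else "")] = block
            stack.append(block)
        else:
            key, _, value = line.partition(" ")          # e.g. "Keyring  DB2AKEYRING"
            stack[-1].setdefault(key.lower(), []).append(value.strip())
    return statements

def val(block, key, lower=True):                         # first value of a scalar parameter, '' if absent
    v = (block.get(key) or [""])[0]
    return v.lower() if lower else v                     # keywords and On/Off are case-insensitive, names are not

def check_ddf_rule(text, rule_name):
    """Findings prefixed FAIL:/WARN: for the named TTLSRule; an empty list means compliant."""
    policy, out = parse_policy(text), []
    rule = policy.get(("ttlsrule", rule_name))
    if rule is None:
        return [f"FAIL: no TTLSRule named {rule_name}"]
    if val(rule, "direction") != "inbound":
        out.append("FAIL: Direction must be Inbound for the DDF listener")
    group = policy.get(("ttlsgroupaction", val(rule, "ttlsgroupactionref", False)), {})
    if val(group, "ttlsenabled") != "on":
        out.append("FAIL: TTLSGroupActionRef must resolve to a TTLSGroupAction with TTLSEnabled On")
    if val(group, "ctracecleartext") == "on":
        out.append("WARN: CtraceClearText On records decrypted data in CTRACE; set Off outside debugging")
    env = policy.get(("ttlsenvironmentaction", val(rule, "ttlsenvironmentactionref", False)))
    if env is None:
        return out + ["FAIL: TTLSEnvironmentActionRef does not resolve"]
    if val(env, "handshakerole") != "server":
        out.append("FAIL: HandShakeRole must be Server")
    adv = env.get("ttlsenvironmentadvancedparms", {})
    out += [f"FAIL: {p} must be explicitly Off" for p in MUST_BE_OFF if val(adv, p) != "off"]
    if not any(val(adv, p) == "on" for p in MODERN):
        out.append("FAIL: TLSv1.2 (or TLSv1.3) must be On")
    suites = policy.get(("ttlscipherparms", val(env, "ttlscipherparmsref", False)), {}).get("v3ciphersuites", [])
    if not suites:
        out.append("FAIL: no V3CipherSuites found via TTLSCipherParmsRef (AT-TLS defaults would apply)")
    out += [f"FAIL: cipher {s} is not in the allowed list" for s in suites if s not in ALLOWED_CIPHERS]
    return out
```

Run against the page's own blocks, check_ddf_rule(SAMPLE_POLICY, "DB12Rule15111") returns only the CtraceClearText warning; against the weak variant it returns three FAIL findings (client role, TLSv1.1 left on, the CBC suite). Point it at the real AT-TLS member before the PAGENT refresh to catch a typo in a ...Ref name, which the Policy Agent would otherwise report only at refresh time.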