Defining TTLS rules for connections to Db2 Data Gate
Define TTLS rules to specify the port numbers, network directions, key rings (certificates), and the encryption algorithms that a connection can use. A TTLS rule is required for each connection that is used by Db2 Data Gate. TTLS rules take effect when the address space for the Policy Agent (PAGENT) is refreshed.
Procedure
- Rules for the Policy Agent are defined in the main TCP/IP configuration file. So you have to find this file first.
- Open the JCL job for the TCP/IP started task.
- Locate the PROFILE DD card in this job.
- Check if AT-TLS is enabled by looking at the TCPCONFIG statement. It needs to contain the following entries:
    TCPCONFIG TTLS                  ; Enable AT-TLS Function
              INTERVAL 5            ; Send KeepAlive every 5 minutes
              TCPMAXRCVBUFRSIZE 2097152
              TCPMAXSENDBUFRSIZE 2097152
- If AT-TLS has been enabled, you can identify the relevant TCP/IP configuration file by checking the Policy Agent started task.
- Locate the PARM option in the JCL job for the Policy Agent started task. It refers to a configuration file, which in turn refers to the AT-TLS configuration file by means of the TTLSConfig statement:
    TTLSConfig //'SYS1.TCPPARMS(TTLS)'
So in this case, the name of the AT-TLS configuration file is SYS1.TCPPARMS(TTLS).
- Open the AT-TLS configuration file identified in the previous step and add the required settings for Db2 Data Gate. Connections to the distributed data facility (DDF) for Db2 Data Gate must be encrypted. So each connection used for this purpose requires a TTLS rule. Connections are identified by their IP addresses, port numbers, and started task names.
The AT-TLS configuration file contains many blocks of settings, which are identified by a unique name. Each unique name can be used to refer to a shared set of settings from other rules. You can add new definitions to the end of the configuration file. Ensure that the chosen identifiers (names) are unique.
- A connection between a single Db2 subsystem and Db2 Data Gate requires a TTLS rule as shown in the following example:
    ##############################################
    # Rules for SSL access to Db2 DDF
    ###############################################
    TTLSRule DB12Rule15111
    {
      LocalPortRange 15111
      JobName DB12DIST
      Direction Inbound
      TTLSGroupActionRef Db2SslGroup
      TTLSEnvironmentActionRef DB12SslEnv
    }
This rule refers to a standalone Db2 subsystem with the name DB12. The DDF listens to incoming connections on secure port 15111. The name of the Db2 subsystem is reflected in the address space name of the DDF, which is DB12DIST.
Important: A rule for a data sharing group is slightly different. However, most of the steps in this section also apply to the rule for a data sharing group. See the next section for instructions on how to make the necessary changes for a data sharing group.
The rule contains two references to other definition blocks within the AT-TLS configuration file:
TTLSGroupActionRef Db2SslGroup
TTLSEnvironmentActionRef DB12SslEnv
This is a common way of referring to TTLS configuration options, which allows a reuse of the same options in other rules by just specifying the unique name of the block or section.
- A suitable definition block for the TTLSGroupActionRef looks as follows:
    TTLSGroupAction Db2SslGroup
    {
      TTLSEnabled On
      CtraceClearText On
    }
This definition block enables TTLS and sets a specific trace option.
- The other reference, TTLSEnvironmentActionRef, points to a definition block that specifies the key ring to be accessed by the connection, the security protocol, the role in the TTLS handshaking process, and the encryption algorithms that can be used by the connection. Enable only the security protocol TLSv1.2 or an even higher protocol version. Older protocols are considered to be unsafe, and their use is deprecated.
A suitable definition block for this reference looks like this:
    TTLSEnvironmentAction DB12SslEnv
    {
      TTLSKeyRingParms
      {
        Keyring DB2AKEYRING
      }
      TTLSENVIRONMENTADVANCEDPARMS
      {
        TLSV1 OFF
        TLSV1.1 OFF
        TLSV1.2 ON
        ClientAuthType PassThru
      }
      HandShakeRole Server
      TTLSCipherParmsRef Db2SslCipherParms
    }
The key ring referred to is DB12KEYRING; the handshake role must be set to Server, and the connection needs to use TLS version 1.2 as the only supported protocol. The encryption algorithms are defined in a separate block, so again, you find a reference here. This reference points to a block named Db2SslCipherParms.
- The following example shows what the Db2SslCipherParms block might look like:
    TTLSCipherParms Db2SslCipherParms
    {
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      V3CipherSuites TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    }
Important: Only use the ciphers listed in the example above. Do not specify other ciphers.
- Save your AT-TLS configuration file when your rule definitions are complete.
- To let the changes take effect, refresh the address space of the Policy Agent from the console:
    /f PAGENT,REFRESH
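An offline check of the blocks defined in this procedure, added here as an example (it is not IBM code and not part of Db2 Data Gate): it parses an AT-TLS policy file, confirms that every ...Ref statement resolves to a defined block, and flags protocol, handshake-role, or cipher settings that differ from the ones shown above. The function names, the sample policy, and the parsing rule (one statement per line, braces on their own lines) are assumptions of this example; a setting that is not spelled out explicitly is reported as a finding.

```python
ALLOWED = {"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
REQUIRED = {"tlsv1": "off", "tlsv1.1": "off", "tlsv1.2": "on", "handshakerole": "server"}
# Constructed sample, not a real policy: TLSV1.1 left on and two referenced blocks missing.
SAMPLE = """
TTLSRule DB12Rule15111
{
  TTLSGroupActionRef Db2SslGroup
  TTLSEnvironmentActionRef DB12SslEnv
}
TTLSEnvironmentAction DB12SslEnv
{
  TTLSEnvironmentAdvancedParms
  {
    TLSV1 OFF
    TLSV1.1 ON
    TLSV1.2 ON
  }
  HandShakeRole Server
  TTLSCipherParmsRef Db2SslCipherParms
}"""

def parse_policy(text):
    """Return {(type, name): [(keyword, value), ...]}; nested blocks are flattened."""
    blocks, current, depth = {}, None, 0
    for words in (line.split("#", 1)[0].split() for line in text.splitlines()):
        if words and words[0] in ("{", "}"):
            depth += 1 if words[0] == "{" else -1
        elif depth == 0 and len(words) == 2:      # block header: "<Type> <Name>"
            current = blocks.setdefault((words[0].lower(), words[1]), [])
        elif depth > 0 and current is not None and len(words) == 2:
            current.append((words[0].lower(), words[1]))
    return blocks

def audit(text):
    """Findings: unresolved references, unlisted ciphers, protocol/role deviations."""
    blocks, findings = parse_policy(text), []
    for (btype, name), items in blocks.items():
        for key, value in items:
            if key.endswith("ref") and (key[:-3], value) not in blocks:
                findings.append(f"{name}: {key} {value} is not defined")
            if key == "v3ciphersuites" and value not in ALLOWED:
                findings.append(f"{name}: cipher {value} is not on the allowed list")
        if btype == "ttlsenvironmentaction":
            opts = {key: value.lower() for key, value in items}
            findings += [f"{name}: {key} must be {want}"
                         for key, want in REQUIRED.items() if opts.get(key) != want]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run it against a copy of the policy file before refreshing PAGENT; an empty result means every reference resolves and the settings match the blocks in this procedure.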