Configuring TLS client connections with Db2

Use transport layer security (TLS) to create secure connections from Db2® clients to the integrated Db2 database server deployed on IBM Cloud Pak for Data.

About this task

A Db2 deployment on Cloud Pak for Data includes TLS support based on a self-signed certificate for connections to the Db2 database. This task outlines how to extract the server certificate and enable TLS support for any Db2 client or application that uses IBM® Data Server Drivers.

For a detailed description of TLS and how it works in the context of a Db2 client connection, see TLS configuration of Db2.

Procedure

  1. To get the Db2 secure sockets layer (SSL) certificate, click Download SSL Certificate in the Access Information section of the database details page.
  2. Copy the Db2 TLS certificate chain to the system that contains your Db2 client application. The procedure to install the TLS certificate depends on the method that the application uses to connect to the Db2 database.
    1. For non-Java™ clients such as CLI/CLP, ODBC, and .Net, see Configuring TLS support in non-Java Db2 clients.
    2. For Java applications that use JDBC or JCC connections, see Configuring the Java Runtime Environment to use TLS.
  3. Find the NodePort on your cluster that exposes the TLS port of the Db2 database.
    On OpenShift®:
    oc -n ${PROJECT_CPD_INSTANCE} get svc | grep db2u-engn-svc
    On a Kubernetes-based cluster:
    kubectl -n ${PROJECT_CPD_INSTANCE} get svc | grep db2u-engn-svc
    Consider the following example output:
    mpp2-db2u-engn-svc    NodePort    10.0.86.99     <none>        50000:32209/TCP,50001:31050/TCP      20h
    Port 50001 is the Db2 TLS service port; in this output it is mapped to NodePort 31050. Port 50000 is the non-TLS port, mapped here to NodePort 32209, and is not the one to use for a TLS connection.
  4. Configure your database client application to use that NodePort value when it connects to the database with the installed TLS certificate.
    Using the previous example, you would configure your client application to use 10.0.86.99 as the IP address and port 31050 (the NodePort that maps to the TLS service port 50001) to connect to the Db2 database server that is running on the Cloud Pak for Data cluster.
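The following Python script is an added example, not part of the IBM documentation: it parses the service listing from step 3 to pick out the NodePort mapped to the Db2 TLS port (50001), refuses to proceed if that mapping is missing, and assembles an IBM Data Server Driver connection string with SECURITY=SSL and SSLServerCertificate pointing at the certificate downloaded in step 1. The service output is a constructed sample modelled on the one above, and the database name, user and certificate path are placeholders.

```python
import re
from typing import Tuple

# Constructed sample, modelled on the `get svc | grep db2u-engn-svc` line in step 3.
SAMPLE_SVC_OUTPUT = (
    "mpp2-db2u-engn-svc    NodePort    10.0.86.99     <none>        "
    "50000:32209/TCP,50001:31050/TCP      20h\n"
)

TLS_SERVICE_PORT = 50001    # Db2 TLS listener inside the cluster
PLAIN_SERVICE_PORT = 50000  # clear-text listener; never the target of a TLS client


def tls_endpoint_from_svc(svc_output: str) -> Tuple[str, int]:
    """Find the db2u-engn-svc line and return (service IP, NodePort of the TLS port).

    Raises ValueError when the service or its TLS port mapping is absent, so that
    a caller cannot silently fall back to the clear-text port.
    """
    for line in svc_output.splitlines():
        fields = line.split()  # NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
        if len(fields) < 5 or not fields[0].endswith("db2u-engn-svc"):
            continue
        for svc_port, node_port in re.findall(r"(\d+):(\d+)/TCP", fields[4]):
            if int(svc_port) == TLS_SERVICE_PORT:
                return fields[2], int(node_port)
        raise ValueError(f"no NodePort mapping for TLS port {TLS_SERVICE_PORT} on {fields[0]}")
    raise ValueError("db2u-engn-svc not found in service listing")


def ssl_connection_string(host: str, port: int, database: str, user: str,
                          password: str, cert_path: str) -> str:
    """Build an IBM Data Server Driver (CLI/ibm_db) connection string with TLS enabled.

    SECURITY=SSL turns TLS on; SSLServerCertificate points the driver at the
    downloaded server certificate so the self-signed chain is trusted.
    """
    if port == PLAIN_SERVICE_PORT:
        raise ValueError("port 50000 is the clear-text listener; use the TLS NodePort")
    return (
        f"DATABASE={database};HOSTNAME={host};PORT={port};PROTOCOL=TCPIP;"
        f"UID={user};PWD={password};SECURITY=SSL;SSLServerCertificate={cert_path};"
    )


if __name__ == "__main__":
    ip, node_port = tls_endpoint_from_svc(SAMPLE_SVC_OUTPUT)
    # BLUDB, db2inst1 and /path/to/db2-server.arm are placeholders for your own values.
    print(ssl_connection_string(ip, node_port, "BLUDB", "db2inst1", "<password>",
                                "/path/to/db2-server.arm"))
```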