Setting up a Db2 connection that uses TLS and SSL

To connect to a Db2 server that uses TLS and SSL protocols, you need to create a custom CA certificate and add it to your keystore, and then configure TLS support in the Db2 instance. Next, in Cloud Pak for Data, you create a secret that contains your CA certificate and replace the default TLS certificate with your custom TLS certificate.

Steps for the Db2 server

  1. Create a custom CA certificate in the .pem format. Use the commands for the IBM Global Security Kit (GSKit) to create a self-signed certificate. See Creating a self-signed certificate with GSKit.

     Note: If you use an SSL or TLS Toolkit other than the GSKit, be sure that it conforms to your organization's security requirements.

  2. Add the CA certificate to your keystore. See Pulling a CA-signed certificate into a keystore.

  3. Configure TLS support in a Db2 instance. See Configuring TLS support in a Db2 instance.

Steps for Cloud Pak for Data

  1. Create a secret named connection-ca-certs to store the CA certificate. See Using a CA certificate to connect to internal servers from the platform.

  2. Replace the default TLS certificate with your custom TLS certificate. See Using a custom TLS certificate for HTTPS connections to the platform.

  3. Include the CA certificate with the SSL certificate when you create the Db2 connection. In the Create connection: Db2 form, select Port is SSL-enabled. Enter the Db2 server's CA certificate in the text box.

Note: For SSL, the Db2 connection does not support chained certificates. Only the certificate returned from the Db2 server, which is the first certificate, will work.
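The two procedures above, plus the chained-certificate note, as an added shell example that is not IBM's own code: the gsk8capicmd_64, db2, db2set and oc commands are the standard ones for those tools, while the paths, label, port, namespace, secret key name and the constructed sample bundle are assumptions.

```shell
#!/bin/sh
# Added example, not from the IBM page. Assumed values: instance owner db2inst1,
# keystore under /home/db2inst1, label myselfsigned, SSL port 50001, and the
# Cloud Pak for Data project in NAMESPACE. KDB_PW must hold the keystore password.
KEYDB=/home/db2inst1/mydbserver.kdb
STASH=/home/db2inst1/mydbserver.sth
LABEL=myselfsigned
CA_PEM=/home/db2inst1/mydbserver.arm   # .arm = base64-encoded (PEM) certificate
NAMESPACE="${NAMESPACE:-cpd-instance}"

# Db2 server side: self-signed certificate in a GSKit keystore, then TLS on the instance.
db2_server_tls() {
  : "${KDB_PW:?set KDB_PW to the keystore password}"
  gsk8capicmd_64 -keydb -create -db "$KEYDB" -pw "$KDB_PW" -stash
  gsk8capicmd_64 -cert -create -db "$KEYDB" -pw "$KDB_PW" -label "$LABEL" \
    -dn "CN=db2.example.internal,O=Example" -size 2048 -sigalg SHA256_WITH_RSA
  gsk8capicmd_64 -cert -extract -db "$KEYDB" -pw "$KDB_PW" -label "$LABEL" \
    -target "$CA_PEM" -format ascii
  db2 update dbm cfg using SSL_SVR_KEYDB "$KEYDB" SSL_SVR_STASH "$STASH" \
    SSL_SVR_LABEL "$LABEL" SSL_SVCENAME 50001 SSL_VERSIONS TLSV12
  db2set -i db2inst1 DB2COMM=SSL,TCPIP
  db2stop && db2start
}

# The Db2 connection accepts only the server's own certificate, not a chain:
# count the CERTIFICATE blocks in a PEM file and keep just the first one.
cert_count() { grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true; }
first_cert() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{exit}' "$1"
}

# Cloud Pak for Data side: the connection-ca-certs secret (key name db2-ca.pem is assumed).
cp4d_ca_secret() {
  oc create secret generic connection-ca-certs -n "$NAMESPACE" --from-file="db2-ca.pem=$1"
}

# Constructed two-block bundle (placeholder bodies, not real certificates) for trying the check.
make_demo_bundle() {
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' \
                '-----BEGIN CERTIFICATE-----' 'BBBB' '-----END CERTIFICATE-----' > "$1"
}

case "${1-}" in
  server) db2_server_tls ;;
  secret) [ "$(cert_count "$2")" = 1 ] || echo "warning: $2 holds a chain; only the first certificate is used" >&2
          first_cert "$2" > /tmp/db2-ca-first.pem && cp4d_ca_secret /tmp/db2-ca-first.pem ;;
esac
```

Run it as `sh script.sh server` on the Db2 host and `sh script.sh secret /path/to/ca.pem` from a machine logged in to the cluster; the same first-certificate output is what goes into the text box of the Create connection: Db2 form.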

Parent topic: IBM Db2 connection