Using a Db2 instance that is SSL-enabled

To use IBM® Content Manager with a Db2 instance that is SSL-enabled, you must make the certificate files that are used by Db2 available to the IBM Content Manager configuration program, and then tell IBM Content Manager to use SSL communication.

  1. Configure the Db2 server so that it supports TLS version 1.2.

    (The version of Java that is included in IBM Content Manager does not work with TLS version 1.1 or earlier.)

    For information about how to configure the Db2 server, see ssl_versions - Supported SSL versions at the server configuration parameter. For example, you might use the following commands to activate TLS 1.2:

    db2 update dbm cfg using ssl_versions TLSv12
    db2stop
    db2start
  2. Create a folder in which to store the certificate files. For example:
    • Windows: Create a folder that is called C:\CMDB2SSL
    • UNIX and Linux: Create a folder that is called /CMDB2SSL, and then set the permissions of the folder to 644.
  3. Copy the certificate files (for example, CMserverRS.arm) to the new folder.

    UNIX and Linux: Set the permission of the certificate files to 644.

  4. In the same folder, create a file called DB2JccConfiguration.properties.

    For an example file, see ($CMRepository)/($CMVersion)/cmcfgmgr/DB2JccConfiguration.properties.sample.

  5. In the DB2JccConfiguration.properties file, set the following properties:

    Windows:

    db2.jcc.sslConnection=true
    db2.jcc.sslCertLocation=C:\\CMDB2SSL\\certificate_file

    UNIX and Linux:

    db2.jcc.sslConnection=true
    db2.jcc.sslCertLocation=/CMDB2SSL/certificate_file

    Replace certificate_file with the name of the certificate file, for example, CMserverRS.arm.

  6. Set the environment variable:

    Windows: Add the following environment variable:

    ICM_CONFIG_CLASSPATH_DIR=C:\CMDB2SSL

    UNIX and Linux: Add the following line to the .profile or .bashrc file for the root user:

    export ICM_CONFIG_CLASSPATH_DIR=/CMDB2SSL
  7. Make sure that the environment variable takes effect, and then do one of the following:

    Windows: Restart the computer, and then start the configuration manager.

    If you do not want to restart the computer, you can start the configuration manager by running this command:

    IBMCMREPO\8.7.00.000\bin\cmcfgmgr_CM.bat

    UNIX and Linux: Start the configuration manager. See Starting the configuration manager.

  8. On the library server and resource manager database configuration pages, set the database port number to the port that is set in Db2 for secure communication to the IBM Content Manager library server database and the resource manager database; for example, 50020.
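
The following shell functions are an added example, not part of the IBM product or its documentation, that check the UNIX and Linux settings from steps 2 to 6 before you start the configuration manager. The function names check_cm_db2_ssl and prop_value are hypothetical, and the world-writable check is an extra hardening check that this procedure does not itself require.

```shell
#!/bin/sh
# Added example: preflight check for the SSL settings described in steps 2-6.
# Usage after sourcing this file: check_cm_db2_ssl [DIR]
# DIR defaults to $ICM_CONFIG_CLASSPATH_DIR. Returns 0 only if every check passes.

# Print the value of KEY (a regex, dots escaped) from a properties FILE.
# The last assignment wins; a trailing carriage return is stripped.
prop_value() {
    sed -n "s/^[[:space:]]*${1}[[:space:]]*[=:][[:space:]]*//p" "$2" | tail -n 1 | tr -d '\r'
}

check_cm_db2_ssl() {
    dir=${1:-${ICM_CONFIG_CLASSPATH_DIR:-}}
    rc=0
    if [ -z "$dir" ]; then
        echo "FAIL: ICM_CONFIG_CLASSPATH_DIR is not set"; return 1
    fi
    props="$dir/DB2JccConfiguration.properties"
    if [ ! -r "$props" ]; then
        echo "FAIL: cannot read $props"; return 1
    fi
    ssl=$(prop_value 'db2\.jcc\.sslConnection' "$props")
    if [ "$ssl" != "true" ]; then
        echo "FAIL: db2.jcc.sslConnection is '${ssl:-unset}', expected true"; rc=1
    fi
    cert=$(prop_value 'db2\.jcc\.sslCertLocation' "$props")
    if [ -z "$cert" ]; then
        echo "FAIL: db2.jcc.sslCertLocation is not set"; rc=1
    elif [ ! -r "$cert" ]; then
        echo "FAIL: certificate file '$cert' is missing or unreadable"; rc=1
    fi
    # Anyone who can write to these files can change which server certificate
    # the client trusts, so flag world-writable permissions.
    for f in "$props" "$cert"; do
        [ -e "$f" ] || continue
        if [ -n "$(find "$f" -prune -perm -002 2>/dev/null)" ]; then
            echo "FAIL: $f is world-writable"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $dir is configured for SSL to Db2"
    return "$rc"
}
```

Run the check as the same user that starts the configuration manager, so that the readability tests reflect what that process can see.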

Running the cmcfglsi utility

If you need to use the cmcfglsi utility after you have configured IBM Content Manager to work with an SSL-enabled Db2 instance, complete the following steps.

For information about when you might use the cmcfglsi utility, see:

  • Building default item types and component table views
  • Changing the ACL optimization mode

  1. UNIX and Linux: To run the cmcfglsi utility in interactive mode, set the following environment variables as the root user, and then export them:
    $IBMCMROOT
    $instOwner
    $dbType
    $INSTHOME

    For example:

    IBMCMROOT=/opt/IBM/db2cmv8
    instOwner=icmadmin
    dbType=DB2
    INSTHOME=/home/db2inst1
    export IBMCMROOT
    export instOwner
    export dbType
    export INSTHOME
  2. Change to the $IBMCMROOT/config directory, and then run the following command:
    cmcfglsi -t [comptypes|predefs|cacl|bind]
  3. Enter the port that is set in Db2 for secure communication to the IBM Content Manager library server database; for example, 50020.

Reverting to a Db2 instance that is not SSL-enabled

To revert to a Db2 instance that is not SSL-enabled, do one of the following:

  • Delete the ICM_CONFIG_CLASSPATH_DIR environment variable.
  • In the DB2JccConfiguration.properties file, set this property:
    db2.jcc.sslConnection=false