Customized Secure LDAP Connection Configuration

This section describes advanced configuration options for secure LDAP connections.

A TLS session can be set up on an LDAP connection through negotiation between IBM Db2 Data Management Console and the LDAP server. If the network environment is not considered secure and verifying the identity of the LDAP server is important, it may be necessary to verify the certificate presented by the LDAP server; a customized CA truststore can be specified for this purpose. If the LDAP server requires client authentication under an organization's security policy, a client-side keystore must also be provided.

The prerequisites, assumptions and restrictions of TLS support in IBM Db2 Data Management Console are stated here.

First of all, IBM Db2 Data Management Console uses IBM(R) Runtime Environment, Java(TM) Technology Edition, Version 8 as its Java runtime environment. All encryption, decryption and password-related operations are therefore handled by IBMJCE as the cryptography provider, and TLS protocols are handled by the IBMJSSE2 provider. Some implementation details may differ from other JCE and JSSE providers, and features available only in the JCE and JSSE providers of other types of JRE are not supported. IBM Db2 Data Management Console supports only the cryptography algorithms and TLS cipher suites provided by IBM JRE version 8. Make sure that any JKS truststore or keystore is generated with IBM JRE version 8, and that the LDAP server supports at least one TLS cipher suite supported by IBM JRE version 8. Do not replace the IBM JRE version 8 libraries with another type or version of JRE, and be careful when adding security-related Java environment variables.

Only one trust manager algorithm is supported in IBM Db2 Data Management Console: IbmX509. The IbmPKIX algorithm is not supported, nor are trust manager algorithms provided by other types of JRE. This means that the CRL information of a certificate is not handled: a trust manager using the IbmX509 algorithm does not check whether a certificate has already been revoked by its CA. The only algorithm used by the key manager in the IBM JRE is also IbmX509. The IBMJSSE2 provider does not allow an empty truststore or keystore, and it does not allow a null key manager.

Only two types of truststore or keystore are supported in IBM Db2 Data Management Console:

Java KeyStore (JKS), file extension .jks;

Public-Key Cryptography Standards (PKCS) 12, file extension .p12.

Other types of keystore are not supported, including

JCEKS, PKCS11, CMSKS, IbmISeriesKeyStore, JCERACFKS, JCE4758KS, JCECCAKS, JCECCARACFKS, JCEHYBRIDRACFKS, etc.

Regarding the protocols provided by JSSE: for security reasons, the SSL 3.0 protocol and all earlier protocols are forbidden by the Apache Directory API when creating LDAP connections. IBM Db2 Data Management Console supports only the TLS v1, TLS v1.1 and TLS v1.2 protocols provided by IBMJSSE2. The TLS v1.3 protocol is not supported either, because it has not been implemented in IBM JRE version 8.

Errors in the TLS handshake are not always encountered at the 'Connection Setting' step, especially when the 'StartTLS' method is selected. However, testing the bind account eventually fails at the 'Authentication Method Setting' step if the LDAP server certificate cannot be verified or LDAP client authentication fails. If so, check the detailed error messages, return to the first step, provide a proper truststore or keystore file and try again.
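As an added example (not the console's own code), the following Java helper applies the restrictions above when loading a truststore and an optional client keystore and then builds the SSLContext for the LDAP connection. The file paths, passwords and the class name LdapTlsCheck are assumed inputs, and the IbmX509 algorithm name is used only when the running JRE actually provides it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Illustrative helper (not the console's own code): enforces the restrictions above before building the SSLContext.
public final class LdapTlsCheck {
    // Only the two supported file extensions map to a KeyStore type.
    static String storeType(String path) {
        if (path.endsWith(".jks")) return "JKS";
        if (path.endsWith(".p12")) return "PKCS12";
        throw new IllegalArgumentException("only .jks and .p12 stores are supported: " + path);
    }
    // Load a store and reject it if it is empty (IBMJSSE2 does not accept empty stores).
    static KeyStore loadStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType(path));
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        if (ks.size() == 0) throw new IllegalStateException("empty store: " + path);
        return ks;
    }
    // Use IbmX509 when the running JRE offers it (IBM JRE 8), otherwise the provider's default; names are upper case.
    static String x509Algorithm(String service, String fallback) {
        return Security.getAlgorithms(service).contains("IBMX509") ? "IbmX509" : fallback;
    }
    // clientKeystorePath is null when the LDAP server does not require client authentication.
    public static SSLContext build(String trustPath, char[] trustPw,
                                   String clientKeystorePath, char[] keyPw) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                x509Algorithm("TrustManagerFactory", TrustManagerFactory.getDefaultAlgorithm()));
        tmf.init(loadStore(trustPath, trustPw));
        KeyManager[] kms = new KeyManager[0]; // never null: IBMJSSE2 rejects a null key manager
        if (clientKeystorePath != null) {
            KeyStore ks = loadStore(clientKeystorePath, keyPw);
            boolean hasKey = false; // client authentication needs at least one private key entry
            for (String alias : java.util.Collections.list(ks.aliases())) hasKey |= ks.isKeyEntry(alias);
            if (!hasKey) throw new IllegalStateException("client keystore has no private key entry");
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                    x509Algorithm("KeyManagerFactory", KeyManagerFactory.getDefaultAlgorithm()));
            kmf.init(ks, keyPw);
            kms = kmf.getKeyManagers();
        }
        SSLContext ctx = SSLContext.getInstance("TLSv1.2"); // newest protocol available in IBM JRE 8
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Running this check with the same files you intend to upload surfaces an empty store, an unsupported store type or a keystore without a private key before the console reaches the 'Authentication Method Setting' step.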

For customized CA truststore, please refer to task 'Configure Customized LDAP Client Side CA Truststore'.

For LDAP client authentication, please refer to task 'Configure LDAP Client Keystore for LDAP Client Authentication'.