Configuring the Db2 requester for SSL

A Db2 requester must be able to insist on an SSL-protected connection to certain servers. To ensure SSL-protected connections, you can make communications database (CDB) changes that indicate that SSL-protected connections are required to certain remote locations.

About this task

If a secure connection is required, DDF must determine whether an AT-TLS policy rule is defined and whether AT-TLS is enabled for the connection. To obtain this AT-TLS information, DDF invokes the SIOCTTLSCTL IOCTL with TTLSi_Req_Type = TTLS_QUERY_ONLY. If the IOCTL returns a policy status of TTLS_POL_NO_POLICY, no matching policy rule was found for the connection.

If the IOCTL returns a policy status of TTLS_POL_NOT_ENABLED, a policy rule is defined for the connection, but AT-TLS is not enabled, and a secure connection is not established with the remote server. DDF issues a message, and the connection is closed.

If the IOCTL returns a policy status of TTLS_POL_ENABLED, a matching policy rule is found, and SSL is enabled for the connection.

Procedure

To specify a secure connection to Db2, use one of the following approaches:

  • Specify 'Y' for the SECURE column in the SYSIBM.LOCATIONS table.
  • Specify a value for the PORT column in the SYSIBM.LOCATIONS table for SSL connections.

    For SSL support, the PORT column must contain the value of the configured secure DRDA port at the remote server. However, if the value of the PORT column is blank and the value of the SECURE column is 'Y', Db2 uses the reserved secure DRDA port (448) as the default.

What to do next

Some Db2 applications might require SSL protection and accept the performance cost for this level of security. However, some applications might be satisfied with unprotected connections. This flexibility can be accomplished by the use of the LOCATION ALIAS name feature.

Consider a Db2 server that is configured to support both non-secure and secure connections. At the Db2 requester, you can define two rows in the SYSIBM.LOCATIONS table: one row that specifies the location name and the non-secure DRDA port of the server and another row that specifies a different location name and the secure DRDA port of the server and SECURE='Y'. At the Db2 server, you can define a LOCATION ALIAS name to provide alternative names for any Db2 requesters that need to access the server by using the SSL protocol.
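The two-row requester setup described above, written out as an added SQL example that is not part of the IBM documentation. It assumes location names DSNSRV1 and DSNSRV1S, a link name SRV1LINK, a non-secure DRDA port of 446, a server address of 192.0.2.10, and that the host mapping for the link is carried in SYSIBM.IPNAMES; the server-side LOCATION ALIAS definition is not shown.

```sql
-- Added example (not from the IBM documentation). Assumed values:
-- location names DSNSRV1 / DSNSRV1S, LINKNAME SRV1LINK, non-secure
-- port 446, server address 192.0.2.10. The secure port 448 is the
-- reserved secure DRDA port that Db2 also uses when PORT is blank.

-- Row 1: plain (non-secure) connection on the server's regular DRDA port.
INSERT INTO SYSIBM.LOCATIONS (LOCATION, LINKNAME, PORT, SECURE)
  VALUES ('DSNSRV1', 'SRV1LINK', '446', 'N');

-- Row 2: SSL-protected connection. SECURE='Y' makes DDF require an
-- enabled AT-TLS policy; PORT must be the server's secure DRDA port.
INSERT INTO SYSIBM.LOCATIONS (LOCATION, LINKNAME, PORT, SECURE)
  VALUES ('DSNSRV1S', 'SRV1LINK', '448', 'Y');

-- Both rows share one LINKNAME, so a single SYSIBM.IPNAMES row resolves
-- the host (SECURITY_OUT='A' and blank USERNAMES are assumed settings).
INSERT INTO SYSIBM.IPNAMES (LINKNAME, SECURITY_OUT, USERNAMES, IPADDR)
  VALUES ('SRV1LINK', 'A', ' ', '192.0.2.10');

-- Check: which location names will insist on SSL, and whether any of
-- them relies on the 448 default because PORT was left blank.
SELECT LOCATION, LINKNAME, PORT, SECURE,
       CASE WHEN SECURE = 'Y' AND PORT = ' ' THEN 'SSL, default port 448'
            WHEN SECURE = 'Y'                THEN 'SSL on port ' || PORT
            ELSE 'non-secure'
       END AS CONNECTION_MODE
  FROM SYSIBM.LOCATIONS
 WHERE LINKNAME = 'SRV1LINK'
 ORDER BY LOCATION;
```

Applications that need SSL connect by the DSNSRV1S location name; those that accept unprotected connections keep using DSNSRV1.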