Connecting to Db2 through SSL

To secure data in transit, Db2 Warehouse supports Secure Sockets Layer (SSL).

About this task

Db2 uses port 50001 for SSL connections and port 50000 for non-SSL connections. Both connection types are accepted in the default configuration, so until SSL is enforced a client that connects to port 50000 sends its credentials and query data in clear text. You can enforce the use of SSL by enabling Enforce database connections with SSL on the SETTINGS > System Settings page of the web console. The certificates that are required for SSL connections can be managed in two ways: you can use the default certificate authority (CA), or you can supply your own certificate.

Procedure

  1. Decide whether to use the default CA or to supply your own server certificate in one of the following ways.
    • By default, a new CA is generated during a fresh deployment of version v11.5.4.0-CN2 or later, or during the first update to such a version. This CA signs the certificate of the Db2 server.
    • Alternatively, from version v11.5.4.0-CN2 you can supply your own server certificate, private key, and CA to be used instead. To do so, use the configuration options for the SSL_* environment variables. For information, see Configuring Db2 Warehouse and Configuration options.
    If the CA certificate expires within 180 days, you get the message Root CA certificate will expire on <expiration date>.
    • If you use the default self-signed certificates, the CA is automatically re-created during startup if it expires within 30 days, and you get the message New root CA generated. Download the new certificate to trust when using SSL connections to the database. Clients that still trust only the old CA cannot verify the server after the new CA signs its certificate, so distribute the new rootCA.pem to them when you see this message.

      Self-signed CA certificates are valid for 1024 days. The certificate of the Db2 server is valid for 512 days, but is re-created every time the container starts.

    • If you use your own certificates, they are not renewed automatically: you must replace them before they expire.
  2. Extract the certificate authority.

    The CA certificate is written to the file <host volume>/db2/ssl_keystore/rootCA.pem on the host. (From inside the container, the path is /mnt/blumeta0/db2/ssl_keystore/rootCA.pem.)

    You can copy the file to the /tmp directory or download it from the web console in one of the following ways:

    • Copy the file directly from the host volume directory, or use the docker cp or podman cp command.
      For example:
      docker cp dashDB:/mnt/blumeta0/db2/ssl_keystore/rootCA.pem /tmp
      podman cp dashDB:/mnt/blumeta0/db2/ssl_keystore/rootCA.pem /tmp
    • From the web console, select CONNECT > Connection information page > Download SSL certificate.
    Note: The file name of the CA currently in use is always rootCA.pem, whether the CA was generated by the product or supplied by you.
  3. Trust the CA certificate.
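The following script carries steps 2 and 3 through with openssl. It is an added example, not part of the Db2 Warehouse documentation or product: it copies rootCA.pem out of the container, reports how long the CA is still valid using the 180-day warning and 30-day re-creation thresholds described above, and checks that the listener on port 50001 presents a certificate that chains to that CA. The container name dashDB and the in-container path come from the page; DB2_HOST, CA_FILE, and the use of GNU date are assumptions.

```shell
#!/bin/sh
# Added example; not part of the Db2 Warehouse documentation or product.
# Extracts rootCA.pem from the Db2 Warehouse container, classifies its
# remaining validity, and verifies the SSL listener against it.
# Assumed defaults: DB2_HOST=localhost, CA_FILE=/tmp/rootCA.pem.
set -eu

CONTAINER="${CONTAINER:-dashDB}"
DB2_HOST="${DB2_HOST:-localhost}"
CA_FILE="${CA_FILE:-/tmp/rootCA.pem}"
CA_PATH_IN_CONTAINER=/mnt/blumeta0/db2/ssl_keystore/rootCA.pem
SSL_PORT=50001

# Map remaining validity (in days) onto the behaviour described above:
# within 30 days a self-signed CA is regenerated at the next container start,
# within 180 days the console warns, otherwise nothing happens.
ca_status() {
    if [ "$1" -le 30 ]; then
        echo renew
    elif [ "$1" -le 180 ]; then
        echo warn
    else
        echo ok
    fi
}

# Whole days between two epoch timestamps; negative once $1 is in the past.
days_between() {
    echo $(( ($1 - $2) / 86400 ))
}

# Days until the certificate's notAfter. Uses GNU date; on macOS replace
# "date -u -d" with "date -j -u -f '%b %e %T %Y %Z'".
days_until_expiry() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    days_between "$(date -u -d "$not_after" +%s)" "$(date -u +%s)"
}

# Container runtime: docker if present, otherwise podman (same cp syntax).
runtime() {
    if command -v docker >/dev/null 2>&1; then echo docker; else echo podman; fi
}

main() {
    # Step 2: extract the CA. The file name is rootCA.pem regardless of whether
    # the CA was generated by the product or supplied through SSL_* variables.
    "$(runtime)" cp "$CONTAINER:$CA_PATH_IN_CONTAINER" "$CA_FILE"

    # Show what you are about to trust; compare the fingerprint with the file
    # downloaded from CONNECT > Connection information > Download SSL certificate.
    openssl x509 -in "$CA_FILE" -noout -subject -enddate -fingerprint -sha256

    days=$(days_until_expiry "$CA_FILE")
    case "$(ca_status "$days")" in
        renew) echo "CA expires in $days days: a self-signed CA is re-created at the next start; re-download it then" ;;
        warn)  echo "CA expires in $days days: plan the renewal (your own CA is not renewed automatically)" ;;
        ok)    echo "CA valid for another $days days" ;;
    esac

    # Step 3: trust only this CA and verify the server's chain against it.
    # -verify_return_error turns a chain failure into a non-zero exit instead
    # of a warning buried in the output.
    openssl s_client -connect "$DB2_HOST:$SSL_PORT" -CAfile "$CA_FILE" \
        -verify_return_error </dev/null >/dev/null
    echo "port $SSL_PORT: server certificate verified against $CA_FILE"
}

# Run the procedure only when invoked as: sh ssl_check.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Run it on the Docker or Podman host after the container has started; a non-zero exit from the s_client step means the certificate served on port 50001 does not chain to the rootCA.pem you extracted, which is exactly the condition a client would hit if it still trusts a CA that has since been regenerated.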