Configuring TLS support in a Db2 instance
The Db2 database system supports TLS (Transport Layer Security), which means that a Db2 client application that also supports TLS can connect to a Db2 database by using a TLS socket. CLI, CLP, and .Net Data Provider client applications and applications that use the IBM® Data Server Driver for JDBC and SQLJ (type 4 connections) support TLS.
Before you begin
This procedure helps you to configure client applications to communicate with Db2 by using TLS.
Before you configure TLS support, complete the following prerequisite steps:
- Ensure that the connection concentrator is not activated. TLS support is not enabled in the Db2 instance when the connection concentrator is running.
  Determine whether the connection concentrator is activated by running the GET DATABASE MANAGER CONFIGURATION command. If the configuration parameter max_connections is set to a value greater than the value of max_coordagents, the connection concentrator is activated.
About this task
The TLS communication is always in FIPS mode.
- TLS support for Db2 Connect
  If you are using Db2 Connect for System i®, Db2 Connect for System z®, or Db2 Enterprise Server Edition on an intermediate server computer to connect Db2 clients to a host or System i database, TLS support is available in any of the following configurations:
  - Between the client and the Db2 Connect server
  - Between the Db2 Connect server and the server
  - Between both the client and the Db2 Connect server and the Db2 Connect server and the server
Note: For TLS support to be enabled on all paths in the configuration, each client or server must fulfill all requirements for TLS support. For example, if the Db2 Connect connection concentrator is on, the inbound request to the Db2 Connect server cannot use TLS. However, the outbound request to the target server can use TLS.
Procedure
- Set the ssl_svr_keydb configuration parameter to the fully qualified path of your keystore (see Creating a keystore with GSKit). For example,
  db2 update dbm cfg using SSL_SVR_KEYDB /home/test/sqllib/security/keystore/key.kdb
  If ssl_svr_keydb is null (unset), TLS support is not enabled.
- Set the ssl_svr_stash configuration parameter to the fully qualified path of the stash file. For example,
  db2 update dbm cfg using SSL_SVR_STASH /home/test/sqllib/security/keystore/mydbserver.sth
  If ssl_svr_stash is null (unset), TLS support is not enabled.
- Set the ssl_svr_label configuration parameter to the label of the digital certificate of the server. If ssl_svr_label is not set, the default certificate in the key database is used. If there is no default certificate in the key database, TLS is not enabled. For example,
  db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
  where myselfsigned is a sample label.
- Set the ssl_svcename configuration parameter to the port that the Db2 database system should listen on for TLS connections.
  If TCP/IP and TLS are both enabled (the DB2COMM registry variable is set to 'TCPIP, SSL'), you must set ssl_svcename to a different port than the port to which svcename is set. The svcename configuration parameter sets the port that the Db2 database system listens on for TCP/IP connections. If you set ssl_svcename to the same port as svcename, neither TCP/IP nor TLS is enabled.
  If ssl_svcename is null (unset), TLS support is not enabled.
  Note: To avoid potential collisions with HTTPS, do not use port 443 for ssl_svcename.
  Note: In HADR environments, do not set hadr_local_svc on the primary or standby database system to the same value as you set for ssl_svcename. Also, do not set hadr_local_svc to the same value as svcename, or svcename plus one.
  Note: When the DB2COMM registry variable is set to 'TCPIP,SSL' and TCPIP support is not properly enabled, the error SQL5043N is returned and TLS support is not enabled. For example, if the svcename configuration parameter is set to null, TCP/IP is not properly enabled.
- (Optional) If you want to specify which cipher suites the server can use, set the ssl_cipherspecs configuration parameter.
  If you leave ssl_cipherspecs as null (unset), GSKit can pick the strongest available cipher suite that is supported by both the client and the server. See Supported cipher suites for information about which cipher suites are available.
- Add the value SSL (the DB2COMM keyword that enables TLS) to the DB2COMM registry variable. For example,
  db2set -i db2inst1 DB2COMM=SSL
  where db2inst1 is the Db2 instance name.
  The database manager can support multiple protocols at the same time. For example, to enable both the TCP/IP and TLS communication protocols:
  db2set -i db2inst1 DB2COMM=SSL,TCPIP
- Restart the Db2 instance. For example,
  db2stop
  db2start
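The prerequisite check (connection concentrator) and the parameter and port rules of the procedure, as an added shell example that is not IBM's code or tooling: it parses a constructed, abridged GET DATABASE MANAGER CONFIGURATION listing, so it runs without a Db2 instance and only prints the db2 command sequence rather than executing it. The function names, the constructed values, the --demo switch and the separate hadr_local_svc argument (a database rather than instance parameter, so it is not in the dbm listing) are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the IBM page: pre-flight checks for the TLS
# settings in this procedure, driven by constructed GET DBM CFG output so the
# script runs without a Db2 instance. Function names are this example's own.

# Constructed sample of GET DATABASE MANAGER CONFIGURATION output (abridged,
# values chosen for illustration; paths and label are the ones on the page).
SAMPLE_CFG='
 Max number of client connections      (MAX_CONNECTIONS) = 150
 Max number of coordinating agents     (MAX_COORDAGENTS) = 200
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL service name                         (SSL_SVCENAME) = 50001
 SSL server keydb file                  (SSL_SVR_KEYDB) = /home/test/sqllib/security/keystore/key.kdb
 SSL server stash file                  (SSL_SVR_STASH) = /home/test/sqllib/security/keystore/mydbserver.sth
 SSL server certificate label           (SSL_SVR_LABEL) = myselfsigned
'

# cfg_value NAME CFGTEXT: print the value of parameter NAME, or nothing if it
# is null (unset) or absent from the text.
cfg_value() {
    printf '%s\n' "$2" | sed -n "s/^.*($1) *= *//p" | head -n 1 | sed 's/[[:space:]]*$//'
}

# cfg_number NAME CFGTEXT: numeric form of a parameter. AUTOMATIC(200) becomes
# 200; AUTOMATIC(MAX_COORDAGENTS) or an empty value becomes 0.
cfg_number() {
    n=$(cfg_value "$1" "$2" | tr -cd '0-9')
    echo "${n:-0}"
}

# concentrator_active CFGTEXT: true when max_connections > max_coordagents,
# the page's test for an activated connection concentrator (TLS support is
# not enabled while it runs).
concentrator_active() {
    [ "$(cfg_number MAX_CONNECTIONS "$1")" -gt "$(cfg_number MAX_COORDAGENTS "$1")" ]
}

# tls_config_problems CFGTEXT [HADR_LOCAL_SVC]: print one line per rule from
# the procedure that the configuration violates; print nothing and return 0
# when it is consistent.
tls_config_problems() {
    cfg=$1; hadr=${2:-}; rc=0
    keydb=$(cfg_value SSL_SVR_KEYDB "$cfg")
    stash=$(cfg_value SSL_SVR_STASH "$cfg")
    svc=$(cfg_value SVCENAME "$cfg")
    sslsvc=$(cfg_value SSL_SVCENAME "$cfg")

    if concentrator_active "$cfg"; then
        echo "connection concentrator is active (max_connections > max_coordagents)"; rc=1
    fi
    [ -n "$keydb" ]  || { echo "ssl_svr_keydb is unset: TLS will not be enabled"; rc=1; }
    [ -n "$stash" ]  || { echo "ssl_svr_stash is unset: TLS will not be enabled"; rc=1; }
    [ -n "$sslsvc" ] || { echo "ssl_svcename is unset: TLS will not be enabled"; rc=1; }
    [ -n "$svc" ]    || { echo "svcename is unset: TCP/IP not enabled, SQL5043N with DB2COMM=TCPIP,SSL"; rc=1; }
    if [ -n "$svc" ] && [ "$sslsvc" = "$svc" ]; then
        echo "ssl_svcename equals svcename: neither TCP/IP nor TLS will be enabled"; rc=1
    fi
    [ "$sslsvc" != 443 ] || { echo "ssl_svcename is 443: collides with HTTPS"; rc=1; }
    if [ -n "$hadr" ]; then
        [ "$hadr" != "$sslsvc" ] || { echo "hadr_local_svc equals ssl_svcename"; rc=1; }
        [ "$hadr" != "$svc" ]    || { echo "hadr_local_svc equals svcename"; rc=1; }
        case $svc in
            ''|*[!0-9]*) ;;   # svcename is a service name, not a port number
            *) [ "$hadr" != "$((svc + 1))" ] || { echo "hadr_local_svc equals svcename plus one"; rc=1; } ;;
        esac
    fi
    return $rc
}

# tls_enable_commands INSTANCE KEYDB STASH LABEL PORT: print the command
# sequence from the procedure for review; nothing is executed here.
tls_enable_commands() {
    cat <<EOF
db2 update dbm cfg using SSL_SVR_KEYDB $2
db2 update dbm cfg using SSL_SVR_STASH $3
db2 update dbm cfg using SSL_SVR_LABEL $4
db2 update dbm cfg using SSL_SVCENAME $5
db2set -i $1 DB2COMM=SSL,TCPIP
db2stop
db2start
EOF
}

# Demonstration on the constructed sample: run with --demo.
if [ "${1:-}" = "--demo" ]; then
    tls_config_problems "$SAMPLE_CFG" && echo "sample configuration is consistent"
    tls_enable_commands db2inst1 /home/test/sqllib/security/keystore/key.kdb \
        /home/test/sqllib/security/keystore/mydbserver.sth myselfsigned 50001
fi
```

On a real server, feed the output of `db2 get dbm cfg` to tls_config_problems before restarting the instance; every message it prints corresponds to one of the "TLS support is not enabled" conditions above, which otherwise only surface after db2start.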