Creating a keystore with GSKit
A keystore is an industry recognized way of securely storing TLS private keys, root certificates, and certificate chains. Db2® supports both the IBM proprietary Certificate Management System (CMS) format and the Public-Key Cryptography Standards #12 (PKCS12) open standard format.
Before you begin
This procedure explains how to use the IBM Global Security Kit (GSKit) to create a keystore for the digital certificates and keys that enable secure transmission of data between servers and clients on your Db2 network by using TLS. Before you attempt to use GSKit, verify that GSKit is installed properly.
About this task
For information about the GSKCapiCmd tool, see the GSKCapiCmd User's Guide.
Use the GSKCapiCmd tool to create your keystore. The keystore must be of CMS type (extension .kdb) or PKCS12 type (extension .p12).
GSKCapiCmd is a non-Java command-line tool; Java™ does not need to be installed on your system to use it.
You start GSKCapiCmd by running the gsk8capicmd_64 command (gsk8capicmd for the 32-bit GSKit), as described in the GSKCapiCmd User's Guide. The path for the command is sqllib/gskit/bin on Linux® and UNIX operating systems, and C:\Program Files\IBM\GSK8\bin on both 32-bit and 64-bit Windows operating systems. (On 64-bit platforms, the 32-bit GSKit executable files and libraries are also present; in this case, the path for the command is C:\Program Files (x86)\IBM\GSK8\bin.) Ensure that PATH (on Windows operating systems) or LIBPATH, SHLIB_PATH, or LD_LIBRARY_PATH (on UNIX or Linux operating systems) includes the proper GSKit library path, such as sqllib/lib64/gskit.
For example, the following command creates a keystore that is called mykeystore.kdb and a stash file that is called mykeystore.sth:
gsk8capicmd_64 -keydb -create -db "mykeystore.kdb" -pw "myServerPassw0rdpw0" -stash
A stash file is an obfuscated form of the keystore password (altered to impair its readability by humans; it is not encrypted). The keystore itself stays password-protected, so its files cannot be casually read, while the stash file allows Db2 to open the keystore without user intervention. The -stash option creates a stash file at the same path as the keystore, with a file extension of .sth. At instance start-up, GSKit uses the stash file to obtain the password to the keystore.
Note: Use strong file system protection on the stash file. Because the obfuscation is reversible, anyone who can read the .sth file can recover the keystore password, and with it the server's private key. By default, only the instance owner has access to this file (both read and write access).
What to do next
- Add a certificate for your server to your keystore.
Listing the certificates in your keystore
gsk8capicmd_64 -cert -list -db mykeystore.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!	MyRootCA
-	Db2Server
- “!” identifies a certificate that is trusted to sign other certificates. This marker should appear only before root and intermediate CA certificates.
- “-” identifies an end-point (or personal) certificate, that is, one whose private key is held in the keystore. Only end-point certificates are valid values for the SSL_SVR_LABEL database manager configuration parameter.
- “*” identifies the default certificate, which Db2 uses when SSL_SVR_LABEL is not set.
Viewing details about a certificate in your keystore
gsk8capicmd_64 -cert -details -label Db2Server -db mykeystore.kdb -stashed
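The whole procedure as one script, added here as an example and not taken from the Db2 documentation: it creates the CMS keystore and stash file, checks that the stash file kept owner-only permissions, and then filters the -cert -list output down to the labels that are valid for SSL_SVR_LABEL. It goes one step beyond the page by adding a self-signed server certificate so that the listing has something to show. It assumes gsk8capicmd_64 is on PATH and the GSKit library path is exported as described above; mykeystore.kdb, Db2Server and MyRootCA are the page's names, while the distinguished name, db2.example.com and the sample listing are constructed for this example. The two check functions run offline, without GSKit.

```shell
#!/bin/sh
# Added example, not part of the Db2 documentation. Assumes gsk8capicmd_64 is
# on PATH (sqllib/gskit/bin) and the GSKit library path is exported, e.g.
#   export LD_LIBRARY_PATH=$HOME/sqllib/lib64/gskit:$LD_LIBRARY_PATH
# mykeystore.kdb, Db2Server and MyRootCA come from the page; the DN and
# db2.example.com are constructed for this example.

# Return 0 only if the stash file exists, is mode 0600 and is owned by the
# current user (run this as the instance owner). Anyone who can read the .sth
# file can recover the keystore password, so a weaker mode is a finding.
check_stash_perms() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as the fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    owner=$(stat -c '%u' "$f" 2>/dev/null || stat -f '%u' "$f" 2>/dev/null) || return 1
    [ "$mode" = "600" ] && [ "$owner" = "$(id -u)" ]
}

# Read "gsk8capicmd_64 -cert -list" output on stdin and print only personal
# ("-") certificate labels, the only labels valid for SSL_SVR_LABEL. Trusted CA
# entries ("!") and the legend line are dropped; a default marker ("*") in
# front of the "-" is tolerated.
personal_labels() {
    sed -n 's/^\*\{0,1\}-[[:space:]]\{1,\}\(.*\)$/\1/p'
}

# Constructed sample of the list output shown on the page (tab-separated).
sample_list() {
    printf 'Certificates found\n'
    printf '* default, - personal, ! trusted, # secret key\n'
    printf '!\tMyRootCA\n-\tDb2Server\n'
}

# The GSKit steps themselves run only where GSKit is installed.
if command -v gsk8capicmd_64 >/dev/null 2>&1; then
    # The password is visible in shell history and in "ps" while the command
    # runs; use a scratch shell or clear the history afterwards.
    gsk8capicmd_64 -keydb -create -db mykeystore.kdb -type cms \
        -pw "myServerPassw0rdpw0" -stash
    check_stash_perms mykeystore.sth || echo "WARNING: fix permissions on mykeystore.sth" >&2

    # Next step from the page ("add a certificate for your server"): here a
    # self-signed certificate, acceptable for testing only; production servers
    # use a CA-issued certificate received into the same label.
    gsk8capicmd_64 -cert -create -db mykeystore.kdb -stashed -label Db2Server \
        -dn "CN=db2.example.com,O=Example,C=US" -size 2048 \
        -sigalg SHA256WithRSA -expire 365

    echo "Labels usable for SSL_SVR_LABEL:"
    gsk8capicmd_64 -cert -list -db mykeystore.kdb -stashed | personal_labels
    gsk8capicmd_64 -cert -details -db mykeystore.kdb -stashed -label Db2Server
else
    echo "gsk8capicmd_64 not found; running the offline checks only" >&2
    sample_list | personal_labels
fi
```

Run it as the instance owner so that the ownership check compares against the right user; on a shared host, a stash file that is group- or world-readable hands the keystore password to everyone on the box, which is why the script treats anything other than 0600 as a warning.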