Configuring TLS between a Db2 instance and a centralized KMIP key manager (ISKLM)

To store master keys in a centralized keystore with Db2 native encryption, you need to set up TLS (Transport Layer Security) communication between the Db2 instance and the centralized KMIP key manager.

Before you begin

On the Db2 server, create a local keystore to store TLS certificates.

About this task

  • On the Db2 server, the gsk8capicmd_64 command is used to create, extract, and add TLS certificates to the local keystore. For detailed information about the command, see: GSKCapiCmd Users Guide.
  • Some examples below show self-signed certificates. Self-signed certificates are suitable for test environments, but for production environments, certificates that are signed by third-party certificate authorities are more appropriate.
  • Some information about using the IBM® Security Key Lifecycle Manager web interface and command-line interface is included below. For more complete information, see: Setup for SSL handshake between IBM Security Key Lifecycle Manager server and client device.

Procedure

  1. On the Db2 server: create a TLS signer certificate.
    1. Create the certificate by issuing the gsk8capicmd_64 command.
      Example
      
      gsk8capicmd_64 -cert -create -db "clientkeydb.p12" \
          -label "DB2_signer_certificate" \
          -dn "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US" \
          -sig_alg SHA256_WITH_RSA -size 2048
    2. Extract the certificate to a file by issuing the gsk8capicmd_64 command.
      Example
      
      gsk8capicmd_64 -cert -extract -db "clientkeydb.p12" \
          -label "DB2_signer_certificate" \
          -target "/path/to/DB2_certificate_file.pem" \
          -format ascii -fips
    3. Securely transmit the Db2 server certificate file to the centralized key manager.
  2. On the centralized key manager: add the Db2 server certificate to the keystore.

    The following substeps describe how to add a certificate to IBM Security Key Lifecycle Manager using the web console.

    1. Create a device group:
      1. Select "Create" in the "Device Group" list of the "Advanced Configuration" tab.
      2. Select the device family "General Parallel File System (GPFS)" and then enter "DB2" as the new device group name.
      3. Leave the "Enable machine affinity" check box unselected.
    2. Import the Db2 server certificate file:
      1. On the "Welcome" tab select your new group, "DB2".
      2. From the "Go to" list, select "Manage Keys and Devices". This will bring you to the Advanced Configuration tab.
      3. Select "Certificates" from the "Add" list.
      4. Specify the certificate name and the file path when prompted.
      5. In the "Advanced Configuration" window, select "Import" from the "Client Device Communication Certificates" menu.
  3. On the centralized key manager: create a TLS signer certificate.

    The following substeps describe how to create a certificate and then extract it to a file using the IBM Security Key Lifecycle Manager web console and command-line interface.

    1. Create a self-signed certificate or obtain a certificate from a certificate authority.
    2. Extract the certificate to a file using the command-line interface:
      1. Enable the Jython scripting language.
        Example
        
        ./wsadmin.sh -username "<admin-user>" \
            -password "<password>" -lang jython
        
      2. Export the certificate using the tklmCertExport command.
        Example
        
        print AdminTask.tklmCertExport(
            '[-uuid CERTIFICATE-61f8e7ca-62aa-47d5-a915-8adbfbdca9de '
            '-format DER '
            '-fileName d:\\ISKLM_certificate_file.pem]')
        
    3. Securely transmit the centralized key manager certificate file to the Db2 server.
  4. On the Db2 server: add the centralized key manager certificate to the local keystore.
    1. Add the certificate by issuing the gsk8capicmd_64 command.
      Example
      
      gsk8capicmd_64 -cert -add -db "clientkeydb.p12" \
          -label "ISKLM_signer_certificate" \
          -file "/path/to/ISKLM_certificate_file.pem"
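
A check to run on each side before a transmitted certificate file is added to a keystore in steps 2 and 4 (an added example, not IBM's code or part of either product). It computes the SHA-256 fingerprint from the file's content, so the value can be compared with one read back from the sending system over a separate channel; the encoding is detected from the bytes rather than the file name, because the export example in step 3 writes DER output to a file named .pem. The function names and the SAMPLE_* bytes are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

PEM_CERT = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _der_complete(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30), not truncated or padded."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                       # short-form length
        header, length = 2, data[1]
    else:                                    # long form: next n bytes hold the length
        n = data[1] & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def load_cert_der(data: bytes):
    """Return (encoding, der_bytes); decided by content, not by file extension."""
    match = PEM_CERT.search(data)
    if match:
        encoding, der = "pem", base64.b64decode(b"".join(match.group(1).split()), validate=True)
    else:
        encoding, der = "der", data
    if not _der_complete(der):
        raise ValueError("not a complete certificate (truncated or wrong file?)")
    return encoding, der

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes, as colon-separated uppercase hex."""
    digest = hashlib.sha256(load_cert_der(data)[1]).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def matches(data: bytes, expected: str) -> bool:
    """Compare against a fingerprint obtained over a separate channel."""
    want = re.sub(r"[^0-9A-Fa-f]", "", expected).upper()
    return hmac.compare_digest(fingerprint(data).replace(":", ""), want)

# Constructed stand-in for certificate bytes: a well-formed SEQUENCE, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_PEM) == fingerprint(SAMPLE_DER))
```

To use it on a real file, pass the bytes from `open(path, "rb").read()` to `fingerprint` on both systems and compare the two values before running the import.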
      

Results

When the Db2 database manager connects to the centralized key manager, TLS communication will be used.

What to do next

Configuring a Db2 instance to use a keystore