The TLS handshake

During a TLS handshake, a public-key algorithm is used to securely exchange digital signatures and encryption keys between a client and a server. This identity and key information is used to establish a secure connection for the session between the client and the server. After the secure session is established, data transmission between the client and server is encrypted using a symmetric algorithm, such as AES.

The client and server perform the following steps during the TLS handshake:

The client requests a TLS connection and lists the default set of supported cipher suites.
Note: While the set of cipher suites used by the Db2® server can be altered, The client always uses the default set.
The server responds with a selected cipher suite.
The server sends its digital certificate to the client.
The client verifies the validity of the server certificate ('Was this cert signed by someone I've been told to trust?') by comparing a decrypted hash of the certificate against a similar one in its keystore.
If hostname validation is enabled, the client then checks that the hostname to which it is configured to connect matches what is present in the certificate. This option is available in Db2 11.5.6 and later clients.
If the server's certificate is trusted by the client, the client uses the server's public key to encrypt a random number and send it to the server. The server then uses it's private key to decrypt the number, which becomes the session key.
Note: Values assigned to the dbm cfg parameter SSL_CIPHERSPECS influence the size of the session key.
The client and server securely exchange information using the negotiated session key.

Attention: The Db2 database system supports the (optional) authentication of the client during the TLS handshake only when connecting to a Db2 for z/OS server.