Configuring Db2 clients for hostname validation when negotiating a TLS connection
You can configure Db2 clients to validate the hostname of a Db2 instance when negotiating a Transport Layer Security (TLS, formerly SSL) connection. While this feature can be used when connecting to any supported Db2 server, it is only available in Db2 11.5.6 and later clients.
Attention: TLS was developed in 1999 as the successor to the popular encryption protocol Secure Socket Layer (SSL). Because of the popularity of SSL, the acronym is now synonymous with encryption technology and by association, TLS. As a result, some Db2® commands and database objects that are related to TLS encryption still contain 'ssl' in their names. However, Db2 does not use the SSL protocol for data encryption. Any references to SSL in this guide can be interpreted as TLS.
Hostname validation can be enabled for the following client interfaces.
- CLI/ODBC
- Embedded SQL
- JDBC
For CLI, ODBC or embedded SQL, the SSLClientHostnameValidation parameter needs to be set to Basic in the connection string, db2cli.ini, or db2dsdriver.cfg.
For Java applications, the db2.jcc.sslClientHostnameValidation property needs to be set to BASIC. For more information, see the description for the db2.jcc.sslClientHostnameValidation configuration property in IBM Data Server Driver for JDBC and SQLJ configuration properties.
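To check existing client configuration against the CLI/ODBC setting described above, the following added example (not part of the IBM documentation) lists the data sources in db2cli.ini and db2dsdriver.cfg that request TLS without SSLClientHostnameValidation set to Basic. It assumes TLS is requested with Security=SSL in db2cli.ini and with the SecurityTransportMode parameter in db2dsdriver.cfg, that keyword names and values compare case-insensitively, and that parameters are set directly on each data source entry; the sample files, DSN names and hosts are constructed.

```python
import configparser
import xml.etree.ElementTree as ET

# Constructed sample configs; DSN names, hosts and ports are placeholders.
# Assumption: TLS is requested via Security=SSL / SecurityTransportMode=SSL.
SAMPLE_INI = """\
[PAYROLL]
Security=SSL
SSLClientHostnameValidation=Basic
[REPORTS]
Security=SSL
"""

SAMPLE_CFG = """\
<configuration>
  <dsncollection>
    <dsn alias="ORDERS" name="ORDERS" host="db2c.example.com" port="50001">
      <parameter name="SecurityTransportMode" value="SSL"/>
    </dsn>
    <dsn alias="HR" name="HR" host="db2d.example.com" port="50001">
      <parameter name="SecurityTransportMode" value="SSL"/>
      <parameter name="SSLClientHostnameValidation" value="Basic"/>
    </dsn>
  </dsncollection>
</configuration>
"""

def _unvalidated(params, tls_key):
    """True if the entry asks for TLS but not Basic hostname validation."""
    uses_tls = params.get(tls_key, "").lower() == "ssl"
    validates = params.get("sslclienthostnamevalidation", "").lower() == "basic"
    return uses_tls and not validates

def audit_db2cli_ini(text):
    # configparser lower-cases keyword names, so lookups are case-insensitive.
    ini = configparser.ConfigParser(interpolation=None, strict=False)
    ini.read_string(text)
    return [s for s in ini.sections() if _unvalidated(dict(ini[s]), "security")]

def audit_db2dsdriver_cfg(text):
    found = []
    for dsn in ET.fromstring(text).iter("dsn"):
        params = {p.get("name", "").lower(): p.get("value", "")
                  for p in dsn.findall("parameter")}
        if _unvalidated(params, "securitytransportmode"):
            found.append(dsn.get("alias"))
    return found

if __name__ == "__main__":
    print(audit_db2cli_ini(SAMPLE_INI) + audit_db2dsdriver_cfg(SAMPLE_CFG))
```
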