Introduction to Global Security Kit installation

Db2® uses the cryptographic and SSL/TLS capabilities of the IBM® Global Security Kit (GSKit) for encrypting both data at rest (native encryption) and data in transit. The GSKit is used to implement the SSL and TLS protocols that enable protected Db2 communications over the network.

When you install the 64-bit version of the Db2 database server, the 32-bit GSKit libraries are automatically included in the installation.

GSKit consists of sub-components each contained in a separate package:
  • GSKit Crypt: This package contains the cryptographic algorithms that GSKit SSL depends on. GSKit Crypt is a prerequisite for a GSKit SSL installation on all operating systems.
  • GSKit SSL: This package contains the basic runtime support to enable security calls, the use of the TLS protocol, and the capicmd keystore management tool.
    Note: The gsk8capicmd tool is used to manage keys, certificates, and certificate requests within a keystore. The FIPS option ( -fips) makes the command line tool run in Federal Information Processing Standards (FIPS) mode. In FIPS mode, the gsk8capicmd tool initializes the underlying cryptographic provider in FIPS mode so that it only uses algorithms that have been FIPS 140-2 validated. For the sake of brevity, the FIPS option has been left out of example code.

You need to install the GSKit Crypt package and then the GSKit SSL package.

The following dependencies exist for SSL support between Db2 clients and servers:
  • Your applications must be ANSI C compliant.
  • You must use a reliable communication protocol that supports a client server environment, such as TCP/IP.