Configuring hostname validation for TLS connections to pureScale clusters
You can configure your Db2® clients to complete hostname validation during Transport Layer Security (TLS, formerly SSL) connections to Db2 pureScale® clusters.
- Members that are responsible for processing transactions.
- A shared disk that all members can access.
- One or more cluster caching facilities (CFs) that coordinate data access in the cluster.
- Cluster services that oversee heartbeat failure detection and automatic recovery.
Using a separate certificate per member
The first way is to have a separate certificate per member in the cluster. In this configuration, each member has its fully qualified hostname in its certificate.
cf1.db2.example.com - CF 1
cf2.db2.example.com - CF 2
h1.db2.example.com - Member 1
h2.db2.example.com - Member 2
h3.db2.example.com - Member 3
h4.db2.example.com - Member 4
If a client connects to h1.db2.example.com
with a connection string that looks
like
Hostname=h1.db2.example.com;Security=SSL;SSLClientHostnameValidation=Basic;Database=…
,
the certificate that is returned by this host must have h1.db2.example.com
in the
SAN or Common Name for hostname validation to be successful.
Extensions
section of the returned
certificate:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=h1.db2.example.com
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: h1.db2.example.com
Signature Algorithm : SHA1WithRSASignature
In most scenarios, this certificate setup is effective. However, if a member is identified by
multiple hostnames in the DNS, and the server-side /etc/nsswitch.conf
file
prioritizes dns
over files
for the hosts
database, these hostnames might need to be included in the certificate for hostname validation to
succeed during automatic client reroute (ACR) or workload balancing (WLB).
For example, if Member 2 can be reached using h2.db2.example.com
and
anothername.db2.example.com
, with both hostnames resolving to the same IP address,
it is possible for the latter hostname to be returned to the client as part of a server list. If
that is the case, during client reroute or workload balancing, the client uses
anothername.db2.example.com
to complete hostname validation. If this hostname is
not found in the member’s certificate, then validation fails.
Extensions
section of the returned
certificate:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=h2.db2.example.com
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: h2.db2.example.com
dNSName: anothername.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Using a common certificate with multiple SANs
When using a common certificate for all hosts in the cluster, include multiple SAN entries with fully qualified hostnames for each member in the cluster. This ensures that hostname validation is successful since the returned certificate contains the member’s hostname, regardless of the member to which the client connects. In addition, if a connection is routed to another member in the cluster due to workload balancing or ACR, hostname validation is successful for the new connection, since the certificate returned by this member contains the hostname that was originally configured on the client.
Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: h1.db2.example.com
dNSName: h2.db2.example.com
dNSName: h3.db2.example.com
dNSName: h4.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Using a common certificate with a wildcard hostname
When using a common certificate for all hosts in the cluster, rather than including multiple hostnames, you can have a single SAN entry with a wildcard hostname that represents all of the hosts in the cluster. When validating the hostname, the client acknowledges the wildcard hostname as representing all members in the cluster. This ensures that, regardless of the member to which the client connects, hostname validation is successful.
In addition, if a connection is routed to another member in the cluster due to workload balancing or ACR, hostname validation is successful for this new connection since the certificate returned by this member matches the hostname to which the client was originally configured.
Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: h*.db2.example.com
Signature Algorithm : SHA1WithRSASignature
It is possible to include both wildcard and non-wildcard hostnames in the SANs of a certificate.
Adding and removing a member from a pureScale cluster
When adding a new member to the cluster, one or more of the server certificate might have to be updated depending on how they’re set up. Please note that server certificates can be updated online: the instance doesn’t have to be brought down to make this change.
If a separate certificate is used for each member in a cluster, the new member needs to have its fully qualified hostname in its certificate. Since a separate certificate is used per member, the other members in the cluster don’t need to be updated.
If a common certificate is used for all members in a cluster, the common certificate has to be recreated to contain an additional SAN entry for this new member and all of the members in the cluster need to be updated to use this newly created certificate if they’re not using a shared keystore.
If a common certificate containing a wildcard hostname is used for all members in a cluster, no updates are needed given that the wildcard hostname in the common certificate can match the new hostname. This certificate configuration might be preferable if new members are frequently added to the cluster since it removes the need to keep creating new certificates.
When removing a member from the cluster, no changes to the certificate used by the cluster are required for hostname validation to be successful.
IP addresses used in the nicbinding.cfg file
If the nicbinding.cfg file is configured to bind each member of a cluster to the IP address of a network interface card (NIC), the server list returned to the client contains IP addresses instead of hostnames for these members. This means that during client reroute or workload balancing, the IP address of the corresponding member is what gets used for the connection and, by extension, hostname validation.
When referencing NIC addresses using the nicbinding.cfg file, use a common certificate for all members in the cluster. The client validates the hostname in the certificate against the hostname to which it was originally configured to connect, which is successful when using a common certificate.
The other option is to have a separate certificate per member, but include the member’s IP address in its certificate. This configuration should be avoided.