Creating a keystore with GSKit

A keystore is an industry recognized way of securely storing TLS private keys, root certificates, and certificate chains. Db2® supports both the IBM proprietary Certificate Management System (CMS) format and the Public-Key Cryptography Standards #12 (PKCS12) open standard format.

Before you begin

This procedure explains how to use the IBM Global Security Kit (GSKit) to create a keystore for digital certificates and keys that enable secure transmission of data between servers and clients on your Db2 network, by using TLS.

Before you attempt to use GSKit, verify that GSKit is installed properly.

About this task

For information about the GSKit tool GSKCapiCmd, see the GSKCapiCmd User Guide.

Procedure

  1. Use the GSKCapiCmd tool to create your keystore. The keystore must be of a CMS type (extension .kdb) or a PKCS12 type (extension .p12).
    The GSKCapiCmd is a non-Java-based command-line tool, and Java™ does not need to be installed on your system to use this tool.

    You start GSKCapiCmd by running the command gskcapicmd, as described in the GSKCapiCmd User's Guide. The path for the command is sqllib/gskit/bin on Linux® and UNIX operating systems, and C:\Program Files\IBM\GSK8\bin on both 32-bit and 64-bit Windows operating systems. (On 64-bit platforms, the 32-bit GSKit executable files and libraries are also present; in this case, the path for the command is C:\Program Files (x86)\IBM\GSK8\bin.) Ensure that PATH (on Windows operating systems) includes the proper GSKit library path, and that LIBPATH, SHLIB_PATH, or LD_LIBRARY_PATH (on UNIX or Linux operating systems) includes the proper GSKit library path, such as sqllib/lib64/gskit.

    For example, the following command creates a keystore that is called mykeystore.kdb and a stash file that is called mykeystore.sth:
    gsk8capicmd_64 -keydb -create -db "mykeystore.kdb" -pw "myServerPassw0rdpw0" -stash

    A stash file is an obfuscated (altered to impair its readability by humans) form of a keystore password. Having a stash file allows Db2 to access a keystore file without user intervention, and prevents the keystore's files from being casually read.

    The -stash option creates a stash file at the same path as the keystore, with a file extension of .sth. At instance start-up, GSKit uses the stash file to obtain the password to the keystore.
    Note: Use strong file system protection on the stash file. By default, only the instance owner has access to this file (both read and write access).
  2. Configure TLS support for your Db2 environment. See TLS configuration of Db2.

What to do next

Viewing the contents of your keystore
To view the contents of your keystore, run the GSKit command gsk8capicmd_64 with the -cert -list options. For example, the following command lists the contents of the keystore mydbserver.kdb, reading the keystore password from the stash file:
gsk8capicmd_64 -cert -list -db mydbserver.kdb -stashed
Certificates found
* default, - personal, ! trusted, # secret key
!  MyRootCA
-  Db2Server
Where
  • "!" identifies a certificate that is trusted to sign other certificates. This marker should appear only before root and intermediate CA certificates.
  • "-" identifies an end-point (or personal) certificate. Only end-point certificates are valid to specify in SSL_SVR_LABEL.
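The stash-file protection note and the label markers above, as an added example that is not part of the Db2 documentation: a POSIX sh helper that checks that a keystore and its stash file are private to their owner, and that picks out of the -cert -list output only the "-" (end-point) labels that are valid for SSL_SVR_LABEL. The function names are mine, and the sample listing at the end is constructed, not captured from a real GSKit run.

```shell
#!/bin/sh
# Added example, not from the Db2 documentation. Checks a GSKit keystore
# and stash file after creation; function names are hypothetical.

# check_private_file FILE
# Returns 0 when FILE exists and grants no permissions to group or others
# (for example mode 600), 1 otherwise. Uses ls -l rather than stat so it
# behaves the same on Linux and UNIX.
check_private_file() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # characters 5-10 of the ls -l mode field are the group and other bits
    go=$(ls -ld "$f" | cut -c5-10)
    case "$go" in
        ------) return 0 ;;
        *) echo "too permissive ($go): $f" >&2; return 1 ;;
    esac
}

# check_keystore DB
# The stash file GSKit writes with -stash sits beside the keystore with
# extension .sth; both files must be present and private to the owner.
check_keystore() {
    db=$1
    sth=${db%.*}.sth
    check_private_file "$db" && check_private_file "$sth"
}

# personal_labels
# Reads gsk8capicmd_64 -cert -list output on stdin and prints only labels
# whose marker field contains "-" (end-point certificates). CA entries
# marked "!" and the legend line are skipped.
personal_labels() {
    while IFS= read -r line; do
        # split on whitespace: first field is the marker, rest is the label
        set -- $line
        [ $# -ge 2 ] || continue
        marker=$1
        shift
        case "$marker" in
            *-*) echo "$*" ;;
        esac
    done
}

# Constructed sample listing in the format shown above (not real output).
printf '%s\n' 'Certificates found' \
    '* default, - personal, ! trusted, # secret key' \
    '!  MyRootCA' '-  Db2Server' | personal_labels
```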

Viewing details about a certificate in your keystore

To view details about a certificate in your keystore file, such as the key size and CA information, run the GSKit command gsk8capicmd_64 with the -cert -details options. For example, the following command shows the details of the certificate db2Server from the keystore file mydbserver.kdb:
gsk8capicmd_64 -cert -details -label db2Server -db mydbserver.kdb -stashed