Security CLI/ODBC and IBM data server driver configuration keyword

Specifies whether the Secure Socket Layer (SSL) protocol is used for a connection to the database server.

db2cli.ini keyword syntax:
Security = SSL
IBM® data server driver configuration file (db2dsdriver.cfg) syntax:
<parameter name="Security" value="SSL"/>
Attention: The IBM data server driver configuration file (db2dsdriver.cfg) syntax is available in Db2 11.5.4 and later.
Default setting:
None.
Usage notes:
The Security keyword specifies whether TCP/IP with SSL is used for the connection to the database server. The Security keyword can be used only with the following communication protocols:
  • TCPIP
  • TCPIP4
  • TCPIP6
The Security keyword can be set in the [Data Source] section of the db2cli.ini file, or in a connection string.

When the Security keyword is set to SSL, you can specify the keystore database with the SSLClientKeystoredb keyword. The keystore database that is specified with the SSLClientKeystoredb keyword can be accessed using either the password that is set with the SSLClientKeystoreDBPassword keyword or the stash file that is set with the SSLClientKeystash keyword.

If you have not set the SSLClientKeystoredb keyword together with the SSLClientKeystoreDBPassword or SSLClientKeyStash keyword, the CLI driver internally generates a unique default keystore database name and a corresponding keystore database password when the application allocates the first environment handle. The unique default keystore database name is based on the process ID of the application and has the format client_<PID>.kdb. The keystore database itself is not created at the time of the first environment handle allocation; only the default unique keystore database name is generated.

If you set the Security CLI keyword to SSL, the default keystore database is created for each application process ID in the cfg subpath when one of the following functions is called:
  • SQLDriverConnect()
  • SQLConnect()
  • SQLBrowseConnect()

For the IBM Data Server Client, IBM Data Server Runtime Client, and IBM database server products, the default keystore database is located in the <instance_path>/cfg/ directory.

For the IBM Data Server Driver Package and IBM Data Server Driver for ODBC and CLI products, the default keystore database is located in the <install_path>/cfg/ directory.

For the DashDB and SQLDB products from v11 onwards, the DigiCert Global Root CA certificate, DigiCertGlobalRootCA.arm, is used for SSL connections. TCP/IP with SSL connections use this certificate to connect to the IBM DashDB and SQLDB services. If you specify the keystore database through the SSLClientKeystoredb keyword, the CA certificate is not added to that keystore database and therefore is not used; the connection is attempted only with the certificates present in the keystore database that you specify. Db2® CLI packages the DigiCert certificate under the <instance_path>/cfg/ directory for instance-based clients and under <install_path>/cfg/ for non-instance-based clients. With this certificate, all CLI applications can simply specify Security=SSL in the connection string or SecurityTransportMode=SSL in the db2dsdriver.cfg file to connect to the database server over TCP/IP with SSL. Applications do not have to specify the certificate through the SSLServerCertificate keyword.
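The following db2dsdriver.cfg fragment is an added example, not taken from the IBM documentation, that puts the two keystore behaviours described above side by side: a DSN that relies on the DigiCert CA packaged under cfg/, and a DSN that names its own keystore and stash file, where the packaged CA is no longer added. The aliases, database names, host, port and file paths are constructed placeholders; the Security parameter in db2dsdriver.cfg requires Db2 11.5.4 or later, as noted earlier on this page.

```xml
<configuration>
  <dsncollection>
    <!-- Constructed example: alias, database name, host and port are placeholders. -->
    <!-- Security=SSL with no keystore keywords: the driver uses the DigiCert
         Global Root CA it packages under cfg/, and generates a default
         client_<PID>.kdb keystore for the process at connect time. -->
    <dsn alias="CLOUD_SSL" name="BLUDB" host="db2.example.invalid" port="50001">
      <parameter name="Security" value="SSL"/>
    </dsn>

    <!-- Explicit keystore: once SSLClientKeystoredb is set, the packaged CA is
         NOT added, so the server's CA certificate must already be in client.kdb
         or the TLS handshake fails. The stash file supplies the keystore
         password, avoiding a cleartext SSLClientKeystoreDBPassword here. -->
    <dsn alias="ONPREM_SSL" name="SAMPLEDB" host="db2onprem.example.invalid" port="50001">
      <parameter name="Security" value="SSL"/>
      <parameter name="SSLClientKeystoredb" value="/home/app/.db2/client.kdb"/>
      <parameter name="SSLClientKeystash" value="/home/app/.db2/client.sth"/>
    </dsn>
  </dsncollection>
</configuration>
```

The same two settings can be expressed in db2cli.ini as Security=SSL under the [Data Source] section, with SSLClientKeystoredb and SSLClientKeystash added for the second case.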

The default keystore database is removed once the application process ID no longer exists on the system. If an abnormal termination of the application process occurs, you must delete the default keystore database to prevent unnecessary disk usage.

In Db2 10.5.0.5 and later fix packs, you do not have to obtain the IBM Global Security Kit (GSKit) product separately for establishing SSL connections to a Db2 database server. However, for the certificate-based authentication, you must still download and configure the GSKit product.