Configuring TLS between a Db2 instance and a centralized KMIP key manager (KeySecure)

To store master keys in a centralized KMIP keystore with Db2 native encryption, you need to set up TLS communication between the Db2 instance and the centralized key manager.

Before you begin

On the Db2 server, create a local keystore to store TLS certificates.

About this task

  • On the Db2 server, the gsk8capicmd_64 command is used to create, extract, and add TLS certificates to the local keystore. For detailed information about the command, see the GSKCapiCmd User Guide.

Procedure

On KeySecure, create a CA and add it to the Trusted CA list:

  1. Verify that a CA certificate is created or installed. Make sure that the CA is added to the trusted CA list.
  2. Make sure that a server certificate request is created and signed with the CA certificate.
  3. Check that a Cryptographic Key Server is created. Also, verify that the appropriate authentication settings are configured.
    1. Ensure the appropriate Cryptographic Key Server Properties:
      • Protocol: Select KMIP.
      • IP: Select ALL or a specific IP address.
      • Port: Select a port number. The standard KMIP port number is 5696. In the centralized keystore configuration file, the value for the MASTER_SERVER_KMIP_PORT or CLONE_SERVER_KMIP_PORT parameter must be configured according to the value specified for the port number.
      • Use TLS: Select True.
      • Server Certificate: Select the label of the server certificate.
    2. Ensure the appropriate Authentication Settings:
      • Password Authentication: Select Not Used.
      • Client Certificate Authentication: Select Used for TLS session and username.
      • Trusted CA list Profile: Select the profile that contains the Trusted CA list to which the CA was added.
      • User name Field in Client Certificate: Select either the CN or OU value from the dropdown list.
      • Require Client Certificate to Contain Source IP: Leave unticked.
    3. Create a Local User whose user name matches the value of the field selected under User name Field in Client Certificate (the CN or OU of the client certificate).
  4. Download the CA certificate so that it can be added to the local keystore on the Db2 server.

On the Db2 server, add the CA certificate and create a client certificate request:

  1. Add the CA certificate that was previously downloaded to the local keystore.
    gsk8capicmd_64 -cert -add -db "clientkeydb.p12" -stashed -label "trustedCA" -file "trustedCA.crt"
  2. Create a client certificate request.
    gsk8capicmd_64 -certreq -create -db "clientkeydb.p12" -stashed -label "clientCert" \
        -dn "CN=db2KeySecureUser,O=IBM,OU=DB2,L=Toronto,ST=Ontario,C=CA" -target "client_cert_request.arm"

At your CA, sign the client certificate request:

  1. Sign the client certificate request with the CA certificate, and then download the signed certificate.

On the Db2 server, add the signed client certificate:

  1. Add the signed client certificate to the local keystore.
    gsk8capicmd_64 -cert -receive -db "clientkeydb.p12" -stashed \
        -file "client_cert_signed.arm"
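
The Db2-server side of the procedure above as one script, added here as an example and not taken from the Db2 documentation. It assumes the keystore name, labels and DN shown on this page and a placeholder keystore password, and adds a small helper that derives the KeySecure Local User name from the certificate DN so that it matches the User name Field in Client Certificate setting.

```shell
#!/bin/sh
# Added example, not part of the Db2 documentation: the Db2-server side of this
# procedure as a script, plus a helper that derives the KeySecure Local User
# name from the client certificate DN so that it matches the field selected
# under "User name Field in Client Certificate" (CN or OU).
# The file names, labels and DN follow the page; the password is a placeholder.
KEYDB="clientkeydb.p12"
KEYDB_PW="replace-with-keystore-password"   # placeholder, never hard-code a real one
CA_LABEL="trustedCA"
CA_FILE="trustedCA.crt"
CLIENT_LABEL="clientCert"
CLIENT_DN="CN=db2KeySecureUser,O=IBM,OU=DB2,L=Toronto,ST=Ontario,C=CA"
USERNAME_FIELD="CN"   # must equal the KeySecure "User name Field in Client Certificate" choice

# extract_dn_attr FIELD DN: print the value of the first FIELD=value RDN in DN.
# Only unescaped commas are handled; values containing "\," are out of scope.
extract_dn_attr() {
  printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^[[:space:]]*$1=//p" | head -n 1
}

# The Local User that must exist on KeySecure (step 3c of the KeySecure setup).
keysecure_local_user() {
  extract_dn_attr "$USERNAME_FIELD" "$CLIENT_DN"
}

# Before you begin: create the local PKCS#12 keystore and its stash file.
create_keystore() {
  gsk8capicmd_64 -keydb -create -db "$KEYDB" -pw "$KEYDB_PW" -type pkcs12 -stash
}

# Steps 1 and 2 on the Db2 server: trust the KeySecure CA, then create the
# client certificate request to be signed by that CA.
add_ca_and_create_request() {
  gsk8capicmd_64 -cert -add -db "$KEYDB" -stashed -label "$CA_LABEL" -file "$CA_FILE"
  gsk8capicmd_64 -certreq -create -db "$KEYDB" -stashed -label "$CLIENT_LABEL" \
    -dn "$CLIENT_DN" -target "client_cert_request.arm"
}

# Final step: receive the CA-signed certificate, then list the keystore to
# confirm that both the CA label and the client label are present.
receive_signed_cert() {
  gsk8capicmd_64 -cert -receive -db "$KEYDB" -stashed -file "client_cert_signed.arm"
  gsk8capicmd_64 -cert -list -db "$KEYDB" -stashed
}

echo "Create this Local User on KeySecure: $(keysecure_local_user)"
```

Run create_keystore and add_ca_and_create_request first, then receive_signed_cert once the CA has returned client_cert_signed.arm; if the Local User name printed does not match the user created on KeySecure, the KMIP connection will fail authentication even though the TLS handshake succeeds.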

Results

When the Db2 database manager connects to the centralized KMIP key manager, TLS communication is used.

What to do next

Configure the Db2 instance to use the centralized keystore.