Configuring hostname validation for encrypted communication between primary and standby hosts in an HADR environment
Transport Layer Security can be used to encrypt communication between the primary and standby hosts in a non-pureScale environment. You enable hostname validation for this communication, using the HADR_SSL_HOST_VAL database configuration parameter.
The HADR_SSL_HOST_VAL database configuration keyword
The HADR_SSL_HOST_VAL database configuration keyword specifies whether hostname validation for Transport Layer Security (TLS, formerly SSL) connections between primary and standby hosts is enabled.
The HADR_SSL_HOST_VAL keyword is currently supported on environments that do not use IBM® Db2 pureScale®. If you upgrade from Enterprise Server Edition (ESE) to Db2 pureScale while the HADR_SSL_HOST_VAL is set, db2checkSD returns the error DBT5038N. Users should set the value to OFF before trying to upgrade to Db2 pureScale.
Changes to this parameter do not affect HADR connections that are already established. Change takes effect for new connections between primary and standby servers.
Hostname validation is enabled for SSL communication between
the primary and standby hosts and it failed because the specified
hostname does not match any of the hostname fields in the
certificate returned by this host. Details about this certificate
have been logged to the db2diag.log file.
- Using a separate certificate for the primary host and each standby host
- Using a common certificate for all hosts
Using a separate certificate for the primary host and each standby host
When using a separate certificate for each host in an two-site multiple standby HADR cluster, each host must include its the fully qualified hostname in the certificate it returns to its peer during the TLS handshake.
primary.db2.example.com - Primary
standby1.db2.example.com - Standby 1
standby2.db2.example.com - Standby 2
The
following example shows how the certificate on the primary host needs to be configured for hostname
validation to be successful when it communicates with the standby hosts. Note that the SAN contains
the fully qualified host name of the primary server, primary.db2.example.com,
in the Extensions
section.Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: primary.db2.example.com
Signature Algorithm : SHA1WithRSASignature
As
with the primary host, each standby host must contains its fully qualified hostname in its
certificate. Extensions
section
:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: standby1.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Using a common certificate for all hosts
When using a common certificate for all hosts in a two-site multiple standby HADR cluster, the certificate you create must include representations for the hostnames of each host in the SAN.
- Using multiple hostnames
- Using a wildcard hostname
Using multiple hostnames in the SAN
When using multiple hostname entries in the SAN, use the fully qualified hostname of each host.
Extensions
section:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=ExampleCA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: primary.db2.example.com
dNSName: standby1.db2.example.com
dNSName: standby2.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Using a wildcard hostname
One drawback of using multiple hostnames in the SAN is that every time a host is either added to, or removed from, the cluster the certificate has to be recreated. If all of the hosts in the cluster are part of the same sub-domain, a single wildcard hostname in the SAN can be used to represent all the hosts in the cluster.
Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: *.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Using hostname validation between HADR hosts in a NAT environment
Network Address Translation (NAT) is designed for IP address conservation. In certain HADR configurations, the primary host is located inside a NAT environment, along with a subset of the standby hosts. The remainder of the standby hosts are located outside of the NAT environment. In this configuration, the primary host is known by different names to the different subsets of the standby hosts. For hostname validation to work in a NAT environment, the certificate for the primary host must contain the different hostnames that it is known by to the rest of the cluster. In addition, any of the standby hosts behind the NAT that could potentially take over as the primary host must also contain all the different hostnames that they could be identified as in their certificates.
nat.router.com/primary.xyz.com - Primary
standby1.xyz.com - Standby 1
standby2.abc.com - Standby 2
- The primary host and standby 1 are inside a NAT environment.
- standby 2 is outside of the NAT environment.
- primary is known as nat.router.com to standby2.abc.com.
- primary is known as primary.xyz.com to standby1.xyz.com.
- the NAT router is exposed to the outside world as nat.router.com.
Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: nat.router.com
dNSName: primary.xyz.com
Signature Algorithm : SHA1WithRSASignature
In addition, certificates on each of the standby hosts that are inside the NAT environment must contain the NAT router hostname in their certificates. This enables these standby hosts to take over as primary in the future, and ensures that hostname validation is successful after the transition.
Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: nat.router.com
dNSName: standby1.xyz.com
Signature Algorithm : SHA1WithRSASignature