Security modes in Db2

Db2 provides three levels of security to help you comply with the government standards such as NIST SP800-131A and FIPS 140-2.

NOFIPS mode:
This mode is the least restrictive of the three security modes provided by Db2 and does not use GSKit's FIPS-certified ICC. All Db2 security features are available and the latest available ICC is always used. To enable this mode, set the DB2AUTH registry variable to NOFIPS:
db2set DB2AUTH=NOFIPS
In an environment without a Db2 registry, such as the Data Server Driver, the DB2AUTH registry variable can be set in the environment:
Unix/Linux: export DB2AUTH=NOFIPS

Windows: setx DB2AUTH NOFIPS /m
If the LDAP authentication plugins are in use, the FIPS_MODE parameter can be set to NOFIPS in the IBMLDAPSecurity.ini:
FIPS_MODE=NOFIPS
If the asnmail utility is used, the TLS_FIPS_MODE environment variable can be used:
Unix/Linux: export TLS_FIPS_MODE=NOFIPS

Windows: setx DB2AUTH NOFIPS /m
FIPS compatibility mode (default):
This is the default security mode in Db2, and the FIPS-certified ICC is used with the non-FIPS ICC as a fallback. Features not present in the FIPS ICC will use the the non-FIPS ICC. This mode provides a balance between security and usability. To use this mode, ensure the DB2AUTH registry variable contains neither STRICT_FIPS nor NOFIPS. The following restrictions are in place in this mode:
  • TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) are disabled and are not used, even if set using SSL_CIPHERSPECS in the DBM cfg. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, the SSL enviornment fails to initialize. For instances using RSA certificates, the SSL_CIPHERSPECS DBM CFG parameter must be configured to use TLS_ECDHE_RSA ciphers for no certificate changes to be required.
Note: FIPS compatibility mode is not available in MacOS and 32-bit platforms. Db2 defaults to NOFIPS mode on these platforms.
STRICT_FIPS mode
This mode uses the FIPS-certified ICC and is the most restrictive of the three modes. This mode aims for strict compliance with the FIPS standard. To enable this mode, set the DB2AUTH registry variable to STRICT_FIPS:
db2set DB2AUTH=STRICT_FIPS
In an environment without a Db2 registry, such as the Data Server Driver, the DB2AUTH registry variable can be set in the environment:
Unix/Linux: export DB2AUTH=STRICT_FIPS

Windows: setx DB2AUTH STRICT_FIPS /m
If the LDAP authentication plugins are in use, the FIPS_MODE parameter can be set to STRICT in the IBMLDAPSecurity.ini:
FIPS_MODE=STRICT
If the asnmail utility is used, the TLS_FIPS_MODE environment variable can be used:
Unix/Linux: export TLS_FIPS_MODE=STRICT_FIPS

Windows: setx DB2AUTH STRICT_FIPS /m

In addition to the restrictions in FIPS compatibility mode, the following restrictions are in place:

  • All certificates used for TLS communications, including any intermediate and root certificates, must use a signature algorithm of SHA256 or stronger. If using TLS 1.3, you may configure what signature algorithms are allowed using the SSL_CIPHERSPECS parameter in the DBM cfg. This applies to the following functionality:
    • Client/server communications
    • HADR communications between Primary and Standby
    • Communication with KMIP servers
    • DRDA and Web Services Federation data sources
    • Communication with SMTP servers via the asnmail utility
  • If a TLS 1.2 is used and the peer does not indicate support for the Extended Master Secret (EMS), the connection is rejected. This applies to the following functionality:
    • Client/server communications
    • HADR communications between Primary and Standby
    • Communication with KMIP servers
    • DRDA and Web Services Federation data sources
    • Communication with SMTP servers via the asnmail utility
  • Use of the SERVER_ENCRYPT authentication type is not supported. SERVER_ENCRYPT is not FIPS-compliant. Using SERVER authentication with TLS is recommended.
  • Use of the ENCRYPT scalar function is not supported. the ENCRYPT scalar function is insecure and not FIPS-compliant. The DECRYPT scalar function is available.
  • ChaCha+Poly1305 cipher and X25519 and X2448 key exchange algorithms are not used as they are not FIPS-certified. These algorithms are disabled by default and are ignored if set with SSL_CIPHERSPECS in the DBM cfg.
Note: STRICT_FIPS mode is not available in MacOS and 32-bit platforms. Db2 defaults to NOFIPS mode on these platforms.