Simplify keystore setup using the system keystore
You can simplify access to certificates on Db2 servers and clients by using the Microsoft Certificate Store (MSCS) on Windows. In addition, Db2 clients running on Linux and AIX platforms can simplify certificate setup by interfacing with the system certificate bundle.
Accessing the MSCS on Windows platforms
The MSCS can be used to store both root certificates and endpoint certificates. If Windows servers on your Db2® network are already using MSCS, it can save you the time and effort of creating your own keystores.
The following certificates are included in the MSCS:
- Personal certificates that are issued to the current user account.
- Certificates that are assigned to other users on the current server.
- Intermediate and Root certificate authorities (CAs).
- Trusted and untrusted publishers of certificates.
- Certificates present on smart cards.
Important: Entries in the Friendly Name column equal the Label values that are found in a certificate file or keystore. Watch for duplicate Friendly Name values, as only the first occurrence is used by the MSCS.
You can import or export certificates and certificate chains by using the Certificate Manager tool certmgr.msc for the current user certificates or certlm.msc for local machine certificates. Alternatively, the PowerShell certificate provider can be used.
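A check for the duplicate Friendly Name caveat above, written as an added PowerShell example that is not from the Db2 documentation. It uses the certificate provider the paragraph mentions; the store paths Cert:\CurrentUser\My and Cert:\LocalMachine\My are the personal stores a Db2 client and a Db2 server running as LocalSystem would read, and are an assumption about where the certificates were imported.

```powershell
# Added example, not part of the Db2 documentation: report Friendly Name values that
# occur more than once in a Windows certificate store. Db2 resolves a certificate
# Label against the Friendly Name and only the first occurrence is used, so a
# duplicate can silently select a different certificate (for example, an expired
# one that was left in the store next to its renewed replacement).
function Find-DuplicateFriendlyName {
    param(
        # Cert: provider paths to inspect (assumed locations). CurrentUser\My is what
        # a Db2 client uses; LocalMachine\My is what a Db2 server running as
        # LocalSystem uses.
        [string[]]$StorePath = @('Cert:\CurrentUser\My', 'Cert:\LocalMachine\My')
    )

    foreach ($path in $StorePath) {
        # Group-Object compares names case-insensitively by default, which matches
        # how a duplicate would collide in practice.
        Get-ChildItem -Path $path |
            Where-Object { -not [string]::IsNullOrEmpty($_.FriendlyName) } |
            Group-Object -Property FriendlyName |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                $name = $_.Name
                foreach ($cert in $_.Group) {
                    [pscustomobject]@{
                        Store        = $path
                        FriendlyName = $name
                        Thumbprint   = $cert.Thumbprint
                        Subject      = $cert.Subject
                        NotAfter     = $cert.NotAfter
                        Expired      = ($cert.NotAfter -lt (Get-Date))
                    }
                }
            }
    }
}

# No output means every Friendly Name in the inspected stores is unique.
Find-DuplicateFriendlyName | Format-Table -AutoSize
```

Resolve a reported duplicate by removing the stale entry or giving it a distinct Friendly Name in certmgr.msc or certlm.msc, then rerun the check before pointing Db2 at the store.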
Integrating Db2 with the MSCS
To get Db2 to recognize the MSCS as a key database:
- Log in to your Db2 server as the Db2 instance owner and set the following DBM CFG configuration parameters:
  SSL_SVR_KEYDB MSCNG
  SSL_SVR_STASH NULL
  Note: Db2 servers work with the certificates that are associated with the Db2 service account. If the Db2 service account is the LocalSystem account, then the Db2 server works with certificates associated with the local machine.
- On a Db2 client, set the client keystore value to MSCNG. Do not set either the client keystore password or the stash file when using the MSCS.
  - If the client is configured by using the DBM CFG parameters, set the following DBM CFG parameters:
    SSL_CLNT_KEYDB MSCNG
    SSL_SVR_STASH NULL
  - If the client is configured by using either the db2cli.ini file or a connection string, set the SSLClientKeystoredb keyword and remove the SSLClientKeystoreDBPassword and SSLClientKeystash keywords:
    SSLClientKeystoredb=MSCNG
  - If the client is configured by using the db2dsdriver.cfg file, set the SSLClientKeystoredb keyword and remove the SSLClientKeystoreDBPassword and SSLClientKeystash keywords:
    <parameter name="SSLClientKeystoredb" value="MSCNG"/>
Note: Db2 clients work with certificates that are associated with the current user account.
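The client-side file changes in the steps above (set SSLClientKeystoredb to MSCNG, remove SSLClientKeystoreDBPassword and SSLClientKeystash), as an added PowerShell example that is not from the Db2 documentation. It assumes a db2dsdriver.cfg with the standard configuration, databases and parameters elements and a db2cli.ini with per-data-source sections; the sample hostname, keystore paths and password value are constructed for the demonstration.

```powershell
# Added example, not part of the Db2 documentation: switch an existing Db2 client
# configuration to the MSCS. Sets SSLClientKeystoredb=MSCNG and removes the
# SSLClientKeystoreDBPassword and SSLClientKeystash keywords, which must not be set
# when MSCNG is used. The db2dsdriver.cfg and db2cli.ini contents below are constructed.

function Set-Db2DsdriverMscng {
    # Edits the XmlDocument in place.
    param([Parameter(Mandatory)][xml]$Config)

    $removeKeywords = @('SSLClientKeystoreDBPassword', 'SSLClientKeystash')
    $found = $false
    # Visit every <parameter>, in the global <parameters> section or inside a <database>
    # element. @() materializes the node list before any node is removed.
    foreach ($p in @($Config.SelectNodes('//parameter'))) {
        $name = $p.GetAttribute('name')       # keyword names compare case-insensitively
        if ($removeKeywords -contains $name) {
            [void]$p.ParentNode.RemoveChild($p)
        } elseif ($name -ieq 'SSLClientKeystoredb') {
            $p.SetAttribute('value', 'MSCNG')
            $found = $true
        }
    }
    if (-not $found) {
        # No keystore keyword anywhere yet: add it to the global <parameters> section.
        $params = $Config.DocumentElement.SelectSingleNode('parameters')
        if (-not $params) {
            $params = $Config.DocumentElement.AppendChild($Config.CreateElement('parameters'))
        }
        $new = $Config.CreateElement('parameter')
        $new.SetAttribute('name', 'SSLClientKeystoredb')
        $new.SetAttribute('value', 'MSCNG')
        [void]$params.AppendChild($new)
    }
}

function Set-Db2CliIniMscng {
    # Returns the rewritten db2cli.ini lines.
    param([Parameter(Mandatory)][string[]]$Lines)

    $out = [System.Collections.Generic.List[string]]::new()
    $found = $false
    foreach ($line in $Lines) {
        # Drop the password and stash keywords in every section; rewrite the keystore keyword.
        if ($line -match '^\s*(SSLClientKeystoreDBPassword|SSLClientKeystash)\s*=') { continue }
        if ($line -match '^\s*SSLClientKeystoredb\s*=') {
            $out.Add('SSLClientKeystoredb=MSCNG')
            $found = $true
            continue
        }
        $out.Add($line)
    }
    if (-not $found) {
        # Put the keyword in [COMMON] so it applies to every data source; create it if absent.
        $idx = -1
        for ($i = 0; $i -lt $out.Count; $i++) {
            if ($out[$i] -match '^\s*\[COMMON\]\s*$') { $idx = $i; break }
        }
        if ($idx -lt 0) { $out.Add('[COMMON]'); $idx = $out.Count - 1 }
        $out.Insert($idx + 1, 'SSLClientKeystoredb=MSCNG')
    }
    return $out.ToArray()
}

# Constructed sample: a client still pointing at a file keystore with a stash and a password.
[xml]$dsdriverSample = @"
<configuration>
  <dsncollection>
    <dsn alias="SAMPLE" name="SAMPLE" host="db2host.example.com" port="50001"/>
  </dsncollection>
  <databases>
    <database name="SAMPLE" host="db2host.example.com" port="50001">
      <parameter name="SecurityTransportMode" value="SSL"/>
      <parameter name="SSLClientKeystash" value="C:\keystore\client.sth"/>
    </database>
  </databases>
  <parameters>
    <parameter name="SSLClientKeystoredb" value="C:\keystore\client.kdb"/>
    <parameter name="SSLClientKeystoreDBPassword" value="example-only"/>
  </parameters>
</configuration>
"@
Set-Db2DsdriverMscng -Config $dsdriverSample
$dsdriverSample.OuterXml

$cliIniSample = @(
    '[SAMPLE]'
    'Database=SAMPLE'
    'Hostname=db2host.example.com'
    'Port=50001'
    'SecurityTransportMode=SSL'
    'SSLClientKeystoredb=C:\keystore\client.kdb'
    'SSLClientKeystash=C:\keystore\client.sth'
)
Set-Db2CliIniMscng -Lines $cliIniSample
```

Persist the results with the XmlDocument's Save method and Set-Content for the ini lines. The DBM CFG variant of the same change is made in the Db2 command line processor with the usual update command, for example db2 update dbm cfg using SSL_SVR_KEYDB MSCNG SSL_SVR_STASH NULL on the server, and takes effect when the instance is restarted.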
Important: Using GSK_MS_CERTIFICATE_STORE to access the MSCS is deprecated. Starting in Db2 12.1, GSK_MS_CERTIFICATE_STORE no longer supports certificate authentication to Db2 for z/OS®. In addition, GSK_MS_CERTIFICATE_STORE does not support RSA-PSS signatures required for TLS 1.3 or certificates present on smart cards. Use MSCNG if certificate authentication, TLS 1.3, or smart cards are in use.
Integrating the system certificate store on Linux and AIX with IBM Global Security Kit (GSKit)
The Db2 Simplified SSL feature supports certificate bundles. To integrate Simplified SSL with the system certificate bundle, the SSLServerCertificate parameter must be set to one of the following values, depending on the platform.
- For Red Hat Enterprise Linux (RHEL) platforms: /etc/pki/tls/certs/ca-bundle.crt
- For SUSE Linux Enterprise Server (SLES) platforms: /etc/ssl/ca-bundle.pem
- For Ubuntu platforms: /etc/ssl/certs/ca-certificates.crt
- For AIX platforms: /var/ssl/certs/tls-ca-bundle.pem