Configuring TLS between a Db2 instance and a centralized KMIP key manager (ISKLM)

To store master keys in a centralized keystore with Db2 native encryption, you need to set up TLS communication between the Db2 instance and the centralized KMIP key manager.

Before you begin

On the Db2 server, create a local keystore to store TLS certificates.

About this task

  • On the Db2 server, the gsk8capicmd_64 command is used to create, extract, and add TLS certificates to the local keystore. For detailed information about the command, see: GSKCapiCmd User Guide.
  • Some examples below show self-signed certificates. Self-signed certificates are suitable for test environments, but for production environments certificates that are signed by third-party certificate authorities are more appropriate.
  • Some information about using the IBM® Security Key Lifecycle Manager web interface and command line interface is included below. For more complete information, see: Setup for TLS handshake between IBM Security Key Lifecycle Manager server and client device.

Procedure

  1. On the Db2 server: create a TLS signer certificate.
    1. Create the certificate by issuing the gsk8capicmd_64 command.
      Example
      
      gsk8capicmd_64 -cert -create -db "clientkeydb.p12"
          -label "DB2_signer_certificate"
          -dn "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US"
          -sig_alg SHA256_WITH_RSA -size 2048
    2. Extract the certificate to a file by issuing the gsk8capicmd_64 command.
      Example
      
      gsk8capicmd_64 -cert -extract -db "clientkeydb.p12"
          -label "DB2_signer_certificate"
          -target "/path/to/DB2_certificate_file.pem"
          -format ascii
    3. Securely transmit the Db2 server certificate file to the centralized key manager.
  2. On the centralized key manager: add the Db2 server certificate to the keystore.

    The following substeps describe how to add a certificate to IBM Security Key Lifecycle Manager using the web console.

    1. Create a device group:
      1. On the Advanced Configuration tab page, select Create from the Device group list.
      2. Select the device family Many devices to many keys with access via certificate and then enter DB2 as the new device group name.
      3. Leave the Enable machine affinity check box unselected.
    2. Import the DB2 server certificate file:
      1. On the Welcome tab page, select your new group, DB2.
      2. From the Go to list, select Manage Keys and Devices. You are taken to the Advanced Configuration tab page.
      3. From the Add list, select Certificates.
      4. When prompted, specify the certificate name and the file path.
      5. From the menu in the Advanced Configuration window, select Client Device Communication Certificates > Import.
  3. On the centralized key manager: create a TLS signer certificate.

    The following substeps describe how to create a certificate and then extract it to a file using the IBM Security Key Lifecycle Manager web console and command-line interface.

    1. Create a self-signed certificate or obtain a certificate from a certificate authority.
    2. Extract the certificate to a file using the command-line interface:
      1. Enable the Jython scripting language.
        Example
        
        ./wsadmin.sh -username "<admin-user>"
            -password "<password>" -lang jython
        
      2. Export the certificate using the tklmCertExport command.
        Example
        
        print AdminTask.tklmCertExport
            ('[-uuid CERTIFICATE-61f8e7ca-62aa-47d5-a915-8adbfbdca9de
            -format DER
            -fileName d:\\ISKLM_certificate_file.pem]')
        
    3. Securely transmit the centralized key manager certificate file to the Db2 server.
  4. On the Db2 server: add the centralized key manager certificate to the local keystore.
    1. Add the certificate by issuing the gsk8capicmd_64 command.
      Example
      
      gsk8capicmd_64 -cert -add -db "clientkeydb.p12"
          -label "ISKLM_signer_certificate"
          -file "/path/to/ISKLM_certificate_file.pem"
      
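
Steps 1.3 and 3.3 rely on the certificate files being transmitted securely. A practical check before running gsk8capicmd_64 -cert -add is to compare the SHA-256 fingerprint of the received file with the fingerprint the key manager administrator reports out of band (by phone, ticket, or another channel that an attacker on the transfer path cannot tamper with). The following script is an added example and is not part of Db2, GSKit, or IBM Security Key Lifecycle Manager. It uses only the Python standard library; the function names are hypothetical and the sample certificate payload is constructed (it wraps base64 of "hello world", not a real X.509 certificate). Because the tklmCertExport example above writes DER-encoded data to a file with a .pem extension, the loader accepts either encoding and produces the same fingerprint for both.

```python
import base64
import hashlib
import hmac
import re
import sys

# Constructed sample: PEM armour around base64("hello world"). It is not a real
# certificate; it only exercises the parsing and fingerprint logic offline.
SAMPLE_PEM = b"""-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
"""

# The same payload as raw bytes, the shape tklmCertExport -format DER writes.
SAMPLE_DER = b"hello world"

_PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def load_certificate_der(data: bytes) -> bytes:
    """Return the DER bytes of a certificate file given PEM or DER input.

    PEM input (with or without CRLF line endings) is unwrapped and decoded;
    anything without PEM armour is treated as DER and returned unchanged.
    """
    if b"-----BEGIN" in data:
        match = _PEM_BLOCK.search(data)
        if match is None:
            raise ValueError("PEM armour present but no complete CERTIFICATE block")
        body = re.sub(rb"\s+", b"", match.group(1))
        try:
            return base64.b64decode(body, validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("PEM body is not valid base64") from exc
    if not data:
        raise ValueError("empty certificate file")
    return data


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the DER encoding."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fingerprint(fingerprint: str) -> str:
    """Strip separators and case so 'b9:4d..' and 'B94D..' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fingerprint).upper()


def fingerprint_matches(data: bytes, expected: str) -> bool:
    """True when the file's SHA-256 fingerprint equals the out-of-band value."""
    actual = normalise_fingerprint(sha256_fingerprint(load_certificate_der(data)))
    # Constant-time comparison; avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, normalise_fingerprint(expected))


def check_file(path: str, expected: str) -> bool:
    """Read a certificate file from disk and verify it against 'expected'."""
    with open(path, "rb") as handle:
        return fingerprint_matches(handle.read(), expected)


if __name__ == "__main__":
    # Usage: verify_cert_fingerprint.py /path/to/ISKLM_certificate_file.pem <fingerprint>
    if len(sys.argv) != 3:
        sys.exit("usage: verify_cert_fingerprint.py CERT_FILE EXPECTED_SHA256")
    if check_file(sys.argv[1], sys.argv[2]):
        print("fingerprint OK; safe to run gsk8capicmd_64 -cert -add")
    else:
        sys.exit("fingerprint MISMATCH; do not add this certificate to the keystore")
```

Run the script against the received file before step 4.1 on the Db2 server, and the same way against the Db2 certificate on the key manager side before step 2.2. A mismatch means the file was altered or substituted in transit and must not be imported.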

Results

When the Db2 database manager connects to the centralized key manager, TLS communication will be used.

What to do next

Configuring a Db2 instance to use a keystore

Note: TLS 1.3 support is available starting in SGKLM Version 4.1.1. For compatibility with Db2, SGKLM installations running 4.1.1 FP1 to FP4 must apply a fix for IJ39961. Before turning on TLS 1.3, ensure that Db2 is updated to version 11.5.8 or later. For more information, see TransportListener.ssl.protocols in the SGKLM Documentation.