TLS configuration of Db2
The Db2 database system supports the Transport Layer Security (TLS) protocol, which enables a client to validate the certificate of a Db2 server and provides private communication between the client and server by use of encryption.
Important:
This section provides detailed instructions on how to configure Db2® environments for secure data transfer using TLS.

In response to CVE-2023-32342, Db2 releases with KI DT223175 use the non-FIPS IBM Crypto for C (ICC) for TLS ciphers that use RSA key exchange, as the FIPS certified IBM Crypto for C (ICC) is vulnerable to CVE-2023-32342.
Customers with a requirement to use only FIPS 140 certified cryptographic modules must enable Strict FIPS mode. In strict FIPS mode, Db2 releases with KI DT223175 disable all TLS ciphers and versions that are vulnerable to CVE-2023-32342.
The following restrictions apply to TLS when strict mode is enabled in Db2 releases that contain KI DT223175:
- TLS 1.0 and 1.1 are disabled in strict mode regardless of the SSL_VERSIONS setting, as the only supported ciphers use RSA key exchange. If the SSL_VERSIONS DBM CFG parameter is unset, or is set to TLSV1, TLS 1.2 is enabled in its place.
- TLS 1.2 ciphers that use RSA key exchange (TLS_RSA_*) are disabled. If there are no remaining ciphers in the SSL_CIPHERSPECS DBM CFG parameter, all supported ECDHE ciphers are enabled. For instances using RSA certificates, Db2 automatically prefers TLS_ECDHE_RSA ciphers for TLS 1.2 and no certificate change is required.
- TLS 1.3 is unaffected by CVE-2023-32342, and behavior does not change in strict FIPS mode.
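To preview how these restrictions would change an instance's settings before strict FIPS mode is enabled, the following Python example (added here, not IBM code) applies the rules in the list above to SSL_VERSIONS and SSL_CIPHERSPECS values parsed from database manager configuration text. The sample configuration text and its layout, the function names, and the short ECDHE list standing in for "all supported ECDHE ciphers" are assumptions.

```python
import re

# Assumption: stand-in for "all supported ECDHE ciphers"; the page does not
# enumerate them, so this is a constructed, illustrative subset.
ASSUMED_ECDHE_DEFAULTS = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
CFG_LINE = re.compile(r"\((SSL_VERSIONS|SSL_CIPHERSPECS)\)\s*=\s*(.*)$")
# Constructed sample of database manager configuration text (layout assumed).
SAMPLE_CFG = """\
 SSL cipher specs        (SSL_CIPHERSPECS) = TLS_RSA_WITH_AES_256_CBC_SHA
 SSL versions               (SSL_VERSIONS) = TLSV1
"""


def parse_dbm_cfg(text):
    """Return SSL_VERSIONS and SSL_CIPHERSPECS as lists (empty list = unset)."""
    cfg = {"SSL_VERSIONS": [], "SSL_CIPHERSPECS": []}
    for line in text.splitlines():
        m = CFG_LINE.search(line)
        if m:
            values = m.group(2).split(",")
            cfg[m.group(1)] = [v.strip().upper() for v in values if v.strip()]
    return cfg


def strict_fips_effective(cfg):
    """Apply the strict-mode restrictions from the list above to a parsed config."""
    notes = []
    # Assumption: the value TLSV1 is what selects TLS 1.0 and 1.1.
    versions = [v for v in cfg["SSL_VERSIONS"] if v != "TLSV1"]
    if len(versions) != len(cfg["SSL_VERSIONS"]):
        notes.append("TLS 1.0/1.1 disabled")
    if not versions:  # SSL_VERSIONS was unset, or set to TLSV1 only
        versions = ["TLSV12"]
        notes.append("TLS 1.2 enabled in its place")
    dropped = [c for c in cfg["SSL_CIPHERSPECS"] if c.startswith("TLS_RSA_")]
    ciphers = [c for c in cfg["SSL_CIPHERSPECS"] if c not in dropped]
    if dropped:
        notes.append("RSA key exchange ciphers disabled: " + ", ".join(dropped))
    if not ciphers:  # nothing left after filtering: ECDHE ciphers take over
        ciphers = list(ASSUMED_ECDHE_DEFAULTS)
        notes.append("no ciphers remain; all supported ECDHE ciphers enabled")
    return {"versions": versions, "ciphers": ciphers, "notes": notes}


if __name__ == "__main__":
    print(strict_fips_effective(parse_dbm_cfg(SAMPLE_CFG)))
```

The returned notes list names each setting that strict mode would override, which makes it easy to spot instances whose configured RSA key exchange ciphers would be replaced.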
Note: You can configure Db2 clients to validate the hostname of Db2 instances to which they are connecting, during a TLS handshake. For more information, see Hostname validation for Db2 clients.
Note: If enabling this feature on AIX, review the following performance considerations.