When you have created your keystore and digital certificate,
and distributed the certificate to your Db2 client machines, you are ready to configure TLS support
on your Db2 server. Configuration is done by adding values to the Database Manager configuration
file that you set when you created your self-signed certificate.
Procedure
- Set the SSL_SVR_KEYDB and SSL_SVR_STASH database manager configuration parameters to reference the key store and stash file that were created earlier. These must be fully qualified paths.
  db2 update dbm cfg using SSL_SVR_KEYDB /path/to/server.p12
  db2 update dbm cfg using SSL_SVR_STASH /path/to/server.sth
- Set the SSL_SVR_LABEL configuration parameter to the label of the digital certificate created in the step Create a self-signed certificate.
  db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
- Set the SSL_SVCENAME configuration parameter to the port on which Db2 listens for TLS connections. If TCP/IP and TLS are both enabled, the DB2COMM registry variable is set to TCPIP,SSL. In this case, you must set SSL_SVCENAME to a different port than the one svcename is set to; the svcename configuration parameter sets the port on which Db2 listens for TCP/IP connections. If you set SSL_SVCENAME to the same port as svcename, neither TCP/IP nor TLS is enabled.
  db2 update dbm cfg using SSL_SVCENAME 25001
- Optional: For improved security, set the SSL_VERSIONS parameter to TLSV13 to enforce TLS 1.3. Db2 12.1 enables both TLS 1.2 and 1.3 by default for compatibility with clients that do not support TLS 1.3.
  db2 update dbm cfg using SSL_VERSIONS TLSV13
  Note: If Db2 is running in STRICT_FIPS mode and TLS 1.2 is used, both the client and the server must support sending and receiving the Extended Master Secret (EMS) TLS extension. If a client or server does not support this extension, the connection is rejected. This means that under these circumstances, downlevel clients do not connect to 12.1 servers, because these clients do not support sending and receiving the EMS TLS extension.
- Starting in Db2 11.5.8, support for TLS 1.3 is available. To enable both TLS 1.3 and TLS 1.2 support, set SSL_VERSIONS to TLSV12,TLSV13.
  db2 update dbm cfg using SSL_VERSIONS TLSV12,TLSV13
- Optional: Set the SSL_CIPHERSPECS parameter to indicate which cipher suites are to be used. If you leave SSL_CIPHERSPECS as null (unset), IBM Global Security Kit (GSKit) can pick the strongest available cipher suite that is supported by both the client and the server. See Supported cipher suites for information about which cipher suites are available.
- Add the value SSL (the value that enables TLS) to the DB2COMM registry variable.
  db2set -i db2inst1 DB2COMM=SSL
  where db2inst1 is the Db2 instance name.
  The database manager can support multiple protocols at the same time. For example, to enable both TCP/IP and TLS communication protocols, run the following command:
  db2set -i db2inst1 DB2COMM=SSL,TCPIP
- Restart the Db2 instance.
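The following script is an added example, not part of the IBM Db2 documentation, that wraps the whole procedure above: it checks the values for the two mistakes the steps warn about (relative key store or stash paths, and SSL_SVCENAME colliding with svcename, which silently disables both protocols) and then prints the db2 commands in the order the procedure gives them. The file paths, port numbers, certificate label and instance name are placeholders; the restart uses the standard db2stop and db2start commands. The commands are printed rather than executed so the output can be reviewed before it is run as the instance owner.

```shell
#!/bin/sh
# Added example (not from the Db2 documentation): pre-flight checks and command
# generation for the Db2 server TLS configuration steps. All values passed in
# below are placeholders.

# Return 0 if the path is fully qualified (starts with /), 1 otherwise.
# SSL_SVR_KEYDB and SSL_SVR_STASH must be fully qualified paths.
is_fully_qualified() {
  case "$1" in
    /*) return 0 ;;
    *)  return 1 ;;
  esac
}

# Return 0 if the TLS port differs from the TCP/IP port. Setting SSL_SVCENAME
# to the same port as svcename leaves neither TCP/IP nor TLS enabled.
ports_distinct() {
  [ "$1" != "$2" ]
}

# Check the values for the procedure; print every problem found and return 1
# if any check fails, 0 if all pass.
check_tls_config() {
  keydb=$1; stash=$2; label=$3; ssl_port=$4; tcp_port=$5
  rc=0
  is_fully_qualified "$keydb" || { echo "SSL_SVR_KEYDB must be a fully qualified path: $keydb"; rc=1; }
  is_fully_qualified "$stash" || { echo "SSL_SVR_STASH must be a fully qualified path: $stash"; rc=1; }
  [ -n "$label" ] || { echo "SSL_SVR_LABEL must not be empty"; rc=1; }
  ports_distinct "$ssl_port" "$tcp_port" || { echo "SSL_SVCENAME ($ssl_port) must differ from svcename ($tcp_port)"; rc=1; }
  return $rc
}

# Print (do not run) the commands from the procedure for the given values.
# Arguments: instance keydb stash label ssl_port versions
emit_db2_commands() {
  instance=$1; keydb=$2; stash=$3; label=$4; ssl_port=$5; versions=$6
  printf 'db2 update dbm cfg using SSL_SVR_KEYDB %s\n' "$keydb"
  printf 'db2 update dbm cfg using SSL_SVR_STASH %s\n' "$stash"
  printf 'db2 update dbm cfg using SSL_SVR_LABEL %s\n' "$label"
  printf 'db2 update dbm cfg using SSL_SVCENAME %s\n' "$ssl_port"
  printf 'db2 update dbm cfg using SSL_VERSIONS %s\n' "$versions"
  printf 'db2set -i %s DB2COMM=SSL,TCPIP\n' "$instance"
  printf 'db2stop\n'
  printf 'db2start\n'
}

# Placeholder values (constructed for this example): the existing TCP/IP port
# is 50000, so the TLS port must be something else, here 25001.
if check_tls_config /home/db2inst1/keys/server.p12 /home/db2inst1/keys/server.sth myselfsigned 25001 50000; then
  emit_db2_commands db2inst1 /home/db2inst1/keys/server.p12 /home/db2inst1/keys/server.sth myselfsigned 25001 TLSV13
fi
```

Run it, review the printed commands, and pipe them into a shell as the instance owner only once they look right; changing the port or the key store path in the placeholder values lets the checks catch the collision or relative-path mistakes before anything is applied to the instance.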
What to do next
Your Db2 server is now configured for secure communication
with supported Db2 clients, using TLS.