Configuring TLS support on a Db2 server

When you have created your keystore and digital certificate, and distributed the certificate to your Db2 client machines, you are ready to configure TLS support on your Db2 server. Configuration is done by adding values to the Database Manager configuration file that you set when you created your self-signed certificate.

Procedure

  1. Set the SSL_SVR_KEYDB and SSL_SVR_STASH database manager configuration parameters to reference the key store and stash file that were created earlier. These must be fully qualified paths.
    db2 update dbm cfg using SSL_SVR_KEYDB /path/to/server.p12
    db2 update dbm cfg using SSL_SVR_STASH /path/to/server.sth
  2. Set the ssl_svr_label configuration parameter to the label of the digital certificate created in the step Create a self-signed certificate.
    db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
  3. Set the SSL_SVCENAME configuration parameter to the port on which Db2 listens for TLS connections.
    If TCP/IP and TLS are both enabled, then the DB2COMM registry variable is set to TCPIP, SSL. In this case, you must set the SSL_SVCENAME value to a different port than the port to which svcename is set. The svcename configuration parameter sets the port on which Db2 listens for TCP/IP connections.
    If you set SSL_SVCENAME to the same port as svcename, neither TCP/IP nor TLS are enabled.
    db2 update dbm cfg using SSL_SVCENAME 25001
  4. Optional: For improved security, set the SSL_VERSIONS parameter to TLSV13 to enforce TLS 1.3. Db2 12.1 enables both TLS 1.2 and 1.3 by default for compatibility with clients that do not support TLS 1.3.
    db2 update dbm cfg using SSL_VERSIONS TLSV13
    Note: Restrictions to the allowed certificate types and key sizes apply when TLS 1.3 is enabled. For more information, see Considerations when enabling TLS 1.3 in Db2.
    Note: If Db2 is running in STRICT_FIPS mode and TLS 1.2 is used, both the client and the server must support sending and receiving the Extended Master Secret (EMS) TLS extension. If either side does not support this extension, the connection is rejected. Under these circumstances, downlevel clients cannot connect to 12.1 servers because they do not support sending and receiving the EMS TLS extension.
  5. Starting in Db2 11.5.8, support for TLS 1.3 is available. To enable both TLS 1.3 and TLS 1.2 support, set SSL_VERSIONS to TLSV12,TLSV13.
    db2 update dbm cfg using SSL_VERSIONS TLSV12,TLSV13
  6. Optional: Set the SSL_CIPHERSPECS parameter to indicate what cipher suites are to be used. If you leave ssl_cipherspecs as null (unset), IBM Global Security Kit (GSKit) can pick the strongest available cipher suite that is supported by both the client and the server. See Supported cipher suites for information about which cipher suites are available.
  7. Add the value SSL to the DB2COMM registry variable to enable TLS connections.
    db2set -i db2inst1 DB2COMM=SSL
    where db2inst1 is the Db2 instance name.
    The database manager can support multiple protocols at the same time.
    For example, to enable both TCP/IP and TLS communication protocols, run the following command:
    db2set -i db2inst1 DB2COMM=SSL,TCPIP
  8. Restart the Db2 instance:
    db2stop
    db2start
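    The following shell function is an added example, not part of the IBM documentation: it checks a planned TLS configuration against the constraints this procedure states (fully qualified keystore and stash paths, an SSL_SVCENAME that differs from svcename, a recognized SSL_VERSIONS value) and prints the resulting db2 commands for review instead of running them. The instance name, paths and the svcename port 50000 used in the usage call are constructed values.

```shell
#!/usr/bin/env bash
# Added example: validate a planned Db2 TLS configuration before applying it.
# Usage: plan_db2_tls INSTANCE KEYDB STASH LABEL SVCENAME SSL_SVCENAME SSL_VERSIONS
# Returns 0 and prints the db2 commands when the plan is consistent, 1 otherwise.
plan_db2_tls() {
    local inst="$1" keydb="$2" stash="$3" label="$4"
    local svcename="$5" ssl_svcename="$6" versions="$7"
    local err=0

    # Step 1: SSL_SVR_KEYDB and SSL_SVR_STASH must be fully qualified paths.
    case "$keydb" in /*) ;; *) echo "SSL_SVR_KEYDB must be absolute: $keydb" >&2; err=1 ;; esac
    case "$stash" in /*) ;; *) echo "SSL_SVR_STASH must be absolute: $stash" >&2; err=1 ;; esac

    # Step 3: if SSL_SVCENAME equals svcename, neither TCP/IP nor TLS is enabled.
    if [ "$svcename" = "$ssl_svcename" ]; then
        echo "SSL_SVCENAME ($ssl_svcename) must differ from svcename ($svcename)" >&2
        err=1
    fi

    # Steps 4 and 5: accept TLSV13 alone or TLSV12 together with TLSV13;
    # TLSV12 alone is accepted but flagged because it leaves TLS 1.3 disabled.
    case "$versions" in
        TLSV13|TLSV12,TLSV13|TLSV13,TLSV12) ;;
        TLSV12) echo "warning: SSL_VERSIONS=TLSV12 leaves TLS 1.3 disabled" >&2 ;;
        *) echo "unsupported SSL_VERSIONS value: $versions" >&2; err=1 ;;
    esac

    [ "$err" -eq 0 ] || return 1

    # Emit the procedure's commands (printed, not executed) so the plan can be
    # reviewed before the instance is touched. Both TCP/IP and TLS are enabled.
    cat <<EOF
db2 update dbm cfg using SSL_SVR_KEYDB $keydb
db2 update dbm cfg using SSL_SVR_STASH $stash
db2 update dbm cfg using SSL_SVR_LABEL $label
db2 update dbm cfg using SSL_SVCENAME $ssl_svcename
db2 update dbm cfg using SSL_VERSIONS $versions
db2set -i $inst DB2COMM=SSL,TCPIP
db2stop
db2start
EOF
}

# Constructed usage: svcename 50000 is a placeholder for the existing TCP/IP port.
plan_db2_tls db2inst1 /path/to/server.p12 /path/to/server.sth myselfsigned 50000 25001 TLSV13
```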

What to do next

Your Db2 server is now configured for secure communication with supported Db2 clients, using TLS.