Configuring hostname validation for TLS connections to alternate servers, federated servers, and other topologies
You can configure the Db2® 11.5.6 client to validate hostnames of servers listed in returned certificates when negotiating TLS connections to various Db2 instances. This topic discussed configuring hostname validation for connections to alternate Db2 servers, federated data sources and other network topologies.
Connections to alternate servers
UPDATE ALTERNATE SERVER FOR DATABASE USING <HOSTNAME> PORT <PORT NUMBER>
Use a fully qualified hostname when running this command.Connections to z/OS servers
In a sysplex environment, a Db2 client must connect to the Db2 for z/OS server using the hostname that maps to the distributor’s IP address. When setting up certificates on the server, use a common certificate across all the members containing this hostname.
For example, if a Db2 client attempts to connect to xyz.db2.example.com with a connection string that includes the hostname, the returned certificate must include xyz.db2.example.com in the SAN or the Common Name for hostname validation to be successful. This is regardless of where the connections gets routed to by the distributor.
Hostname=xyz.db2.example.com;Security=SSL;SSLClientHostnameValidation=Basic;Database=…
The
following example shows how the certificate should appear for hostname validation to be successful.
Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: xyz.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Connections to federated data sources
When a federated data source is configured on a Db2 server, the server is acting as an application requestor when communicating with this data source. TLS is supported for these outbound connections and the following federated DRDA wrapper server option controls the hostname validation behavior.
SSL_HOSTNAMEVALIDATION = 'Basic' | 'OFF'
where- Basic = Hostname validation is enabled
- OFF = Hostname validation is disabled. This is the default value.
Note: TLS needs to be enabled when setting SSL_HOSTNAMEVALIDATION to OFF.This server option is restricted currently to the DRDA wrapper, and it can only be set when TLS is enabled. When TLS is not enabled, setting SSL_HOSTNAMEVALIDATION to 'Basic' or 'OFF' for the federation server generates the SQL1881N error. Use the following server options to enable TLS:
- SSL_KEYSTORE
- SSL_KEYSTASH
- SSL_SERVERCERTIFICATE
For more information, see Hostname validation for Db2 clients.
Connections to Db2 Connect gateways
When Db2 is acting as a gateway server, as is the case for a Db2 Connect server, hostname validation can be enabled for inbound TLS connections.
You enable hostname validation for inbound connections by setting the SSLHostnameValidation DS Driver parameter to Basic on the client. Hostname validation is not available for outbound TLS connections from the Gateway server.
Connection to KMIP servers
If you set the SSL_KMIP_CLIENT_HOSTNAME_VALIDATION keyword in your keystore configuration file to BASIC, Db2 validates that the hostname of the KMIP server is contained within the certificate used by the KMIP server when establishing the TLS connection. For more information, see Creating a KMIP keystore configuration file
Connections to multi-homed servers
A multi-homed server can be known by more than one hostname. This means that a Db2 client can connect to the same database server using multiple hostnames. The server’s certificate must contain all of the hostnames that the clients use to connect to the database.
For example, if a Db2 server is known by the hostnames xyz.db2.example1.com, abc.db2.example2.com, and pqr.db2.example3.com, you must include these hostnames, separated by commas, in the SAN statement of the IBM Global Security Kit (GSKit) command:
Extensions
section of the returned
certificate:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=ExampleCA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: xyz.db2.example1.com
dNSName: abc.db2.example2.com
dNSName: pqr.db2.example3.com
Signature Algorithm : SHA1WithRSASignature
Connections using CNAME and DNAME DNS record names
In a DNS server, CNAME and DNAME records can be used to create aliases to a Db2 server’s hostname. If a client connects to the database using an alias hostname, the server certificate must contain this alias in the SAN statement or common name statement for hostname validation to be successful.
For example, if a client connects to xyz.db2.example.com, whose CNAME record in the DNS server points to abc.db2.example.com, the server’s certificate needs to contain the alias in the SAN for hostname validation to be successful.
Extensions
section of the returned
certificate:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=Example Enterprise CA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: xyz.db2.example.com
Signature Algorithm : SHA1WithRSASignature
Connections to multiple A records for IP addresses
Recommendations from the multi-homed servers section apply here as well. In short, if there are multiple A records in the DNS for a given Db2 server, the certificate setup on the server should contain all of the hostnames that the clients use to connect to the server.
Connections to distributors or load balancers
When a Db2 client connects to a distributor or a load balancer, the network traffic from the client is redirected to an actual database server. The certificate returned by the target database server must contain the hostname of the distributor or the load balancer in the SAN or Common Name for hostname validation to be successful.
For example, if the client connects to xyz.balancer.com which is the hostname of a load balancer that forwards traffic to the real target server, abc.db2.example.com, then the certificate returned by the server must contain xyz.balancer.com as its SAN value.
Extensions
section of the returned
certificate:Key Size : 2048
Version : X509 V3
Serial : xxx
Issuer : CN=ExampleCA
Subject : CN=none
Not Before : November 26, 2020 4:44:11 PM EST
Not After : November 27, 2021 4:44:11 PM EST
Extensions
subjectAlternativeName
dNSName: xyz.balancer.com
Signature Algorithm : SHA1WithRSASignature