Configuring TLS support in federation server for DRDA wrapper

The Db2® database system supports Transport Layer Security (TLS), which means that a Db2 client application that also supports Transport Layer Security (TLS) can connect to a Db2 database using a Transport Layer Security (TLS) socket.

Before you begin

  • Ensure to update DB2COMM registry variable
    db2set -i db2inst1 DB2COMM=SSL
  • Ensure to enable both TCP/IP and TLS communication protocols
    db2set -i db2inst1 DB2COMM=SSL,TCPIP
    Note: Specify different service ports for TLS and TCPIP.
  • Ensure to enable TLS connection on data source side. For more information, see Configuring TLS support in a Db2 instance. Some important configuration parameters are:
    • SSL_SVR_KEYDB
    • SSL_SVR_STASH
    • SSL_SVR_LABEL
    • SSL_SVCENAME
  • If the Db2 federated server is running in STRICT_FIPS mode and TLS 1.2 is used, the DRDA and Web services data sources must support sending and receiving the Extended Master Secret (EMS) TLS extension. If the data sources do not support this extension, the connection to the data sources are rejected.

Procedure

To configure TLS support in a federation server:

  1. Obtain the signer certificate of the server digital certificate on the client. The server certificate can either be a self-signed certificate or a certificate signed by a certificate authority (CA).
    • If your server certificate is a self-signed certificate, you must extract its signer certificate to a file on the server computer and then distribute it to computers running clients that will be establishing TLS connections to that server. See Configuring TLS support in a Db2 instance for information about how to extract the certificate to a file.
    • If your server certificate is signed by a well known CA, your client key database might already contain the CA certificate that signed your server certificate. If it does not, you must obtain the CA certificate, which is usually done by visiting the website of the CA.
    • When Db2 federated server is running in STRICT_FIPS mode, all certificates in the certificate chain must have a signature algorithm of SHA256 or stronger. This includes all intermediate and root certificates.
  2. On the Db2 client system, use the GSKCapiCmd tool to create a key database, of CMS type.
    The GSKCapiCmd tool is a non-Java-based command-line tool (Java™ does not need to be installed on your system to use this tool).

    You invoke GSKCapiCmd using the gskcapicmd command, as described in the GSKCapiCmd User Guide. The path for the command is sqllib/gskit/bin on Linux® and UNIX operating systems, and C:\Program Files\IBM\GSK8\bin on both 32-bit and 64-bit Windows operating systems. (On 64-bit operating systems, the 32-bit IBM Global Security Kit (GSKit) executable files and libraries are also present; in this case, the path for the command is C:\Program Files (x86)\IBM\GSK8\bin.)

    For example, the following command creates a key database called mydbclient.kdb and a stash file called mydbclient.sth: 
    gsk8capicmd_64 -keydb -create -db "mydbclient.kdb" -pw "myClientPassw0rdpw0" 
      -stash

    The -stash option creates a stash file at the same path as the key database, with a file extension of .sth. At connect time, GSKit uses the stash file to obtain the password to the key database.

  3. Add the signer certificate into the client key database
    .
    For example, the following gsk8capicmd command imports the certificate from the file mydbserver.arm into the key database called mydbclient.kdb:
    gsk8capicmd_64 -cert -add -db "mydbclient.kdb" -pw "myClientPassw0rdpw0" 
      -label "dbselfsigned" -file "mydbserver.arm" -format ascii -fips
  4. To connect to the data source by using mydbclient.kdb and mydbclient.sth, perform the following steps
    1. Configure and start the federation server.
    2. Run the CREATE SERVER command. 
      create server SERVERNAME type TYPE version Version_Number wrapper drda authorization "uid" password "password" options(host remote_host, port port, dbname 'database', ssl_keystore '/path_to_keystore/mydbclient.kdb', ssl_keystash '/path_to_keystash/mydbclient.sth', password 'Y', pushdown 'Y'
    3. Run the CREATE USER MAPPING command 
      create user mapping for user server SERVERNAME options(remote_authid 'remote_userid',remote_password 'remote_password')
If everything goes fine, now you are connect to data source using TLS. You can check it on server side by issue command
netstat -anp | grep server_ssl_listen_port
      Connection is established to the data source using TLS. Run the following command to check the connection on the server side.
      netstat -anp | grep server_ssl_listen_port
      If the status of server TLS listen port is 'ESTABLISHED' then it is connected.
  5. To connect to the data source by using the server signer certificate only, run the following command: 
    create server SERVERNAME type TYPE version Version_Number wrapper drda authorization "uid" password "password" options(host remote_host, port port, dbname 'database', ssl_servercertificate '/path_to_keystore/mydbserver.arm', password 'Y', pushdown 'Y'