Hostname validation for Db2 clients
With the release of Db2 11.5.6, Db2 clients can verify that the hostname in a Db2 server's Transport Layer Security (TLS, formerly known as SSL) certificate matches the hostname of the server to which they are configured to connect. Without this check, a client only verifies that the server's certificate chains to a trusted certificate authority, so any certificate issued by that authority would be accepted regardless of the name it carries. With hostname validation, Db2 clients have an added layer of protection when negotiating secure connections to Db2 servers during a TLS handshake.
How hostname validation works
When a Db2 client sends a client hello message to a Db2 server during a TLS handshake, the server responds with its own server hello message, which includes, among other things, its certificate. It is at this point that the client authenticates the server using this certificate.
If hostname validation is enabled, the client verifies that the hostname to which it is configured to connect matches one of the hostnames present in the certificate. The server's identity can be represented in different fields of the certificate, such as the dNSName entries of the subjectAlternativeName (SAN) extension or the Common Name (CN) of the Subject. Once the client authenticates the server, both parties perform the key exchange and a successful TLS connection is established.
- A Db2 client initiates a connection with a Db2 server, with hostname validation enabled in the connection string:
  Hostname=xyz.example.com;Security=SSL;SSLClientHostnameValidation=Basic;Database=….
- The server responds with its certificate:
  Key Size : 2048
  Version : X509 V3
  Serial : xxx
  Issuer : CN=Example Enterprise CA
  Subject : CN=xyz.example.com
  Not Before : November 26, 2020 4:44:11 PM EST
  Not After : November 27, 2021 4:44:11 PM EST
  Extensions
    subjectAlternativeName
      dNSName: xyz.example.com
  Signature Algorithm : SHA1WithRSASignature
- The client performs hostname validation. In this case, it succeeds because the certificate contains xyz.example.com as a subject alternative name (SAN) dNSName entry, which is the configured hostname; the Subject CN carries the same name.
- The rest of the handshake takes place and a secure connection is established with the server.
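The following is an added example, not Db2 client code, that shows the hostname check described above applied to the certificate fields in this walkthrough. It follows the general matching rules from RFC 6125 rather than any Db2-specific behaviour: when the certificate carries subjectAlternativeName dNSName entries, the configured hostname must match one of them and the Subject CN is ignored; the CN is consulted only when no dNSName entries exist; a wildcard is honoured only as the complete leftmost label; and an IP address in the connection string matches only an iPAddress SAN entry. The ServerCert structure and the constructed certificates are assumptions for illustration.

```python
"""Hostname validation as a TLS client performs it after receiving the server
certificate. Added example (not Db2 code); ServerCert is a hypothetical
structure holding only the certificate fields that matter for this check."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ServerCert:
    """Identity-bearing fields of an X.509 server certificate."""
    subject_cn: Optional[str]
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def _name_matches(presented: str, hostname: str) -> bool:
    """Match one presented identifier (possibly wildcarded) against hostname.

    Comparison is case-insensitive; a trailing dot is ignored. A wildcard must be
    the entire leftmost label, must leave at least two labels after it (so
    '*.com' is rejected), and matches exactly one label ('*.example.com' matches
    'xyz.example.com' but not 'a.b.example.com').
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(configured_host: str, cert: ServerCert) -> bool:
    """Return True if the configured hostname is one of the identities in cert."""
    # An IP literal in the connection string only matches an iPAddress SAN entry,
    # never a dNSName entry or the CN, even if the CN happens to contain the IP.
    try:
        ip = ipaddress.ip_address(configured_host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(ipaddress.ip_address(x) == ip for x in cert.san_ip)
    # dNSName SAN entries take precedence; when present, the CN is not consulted.
    if cert.san_dns:
        return any(_name_matches(p, configured_host) for p in cert.san_dns)
    # No dNSName SAN entries at all: fall back to the Subject Common Name.
    return cert.subject_cn is not None and _name_matches(cert.subject_cn, configured_host)


# Constructed certificate with the same identity fields as the one in the walkthrough.
WALKTHROUGH_CERT = ServerCert(subject_cn="xyz.example.com", san_dns=["xyz.example.com"])


def validate(configured_host: str, cert: ServerCert) -> str:
    """Summarise the outcome as the client would: proceed with, or abort, the handshake."""
    if hostname_matches(configured_host, cert):
        return "hostname validation succeeded; continue TLS handshake"
    return "hostname validation failed; abort TLS handshake"


if __name__ == "__main__":
    print(validate("xyz.example.com", WALKTHROUGH_CERT))
    print(validate("abc.example.com", WALKTHROUGH_CERT))
```

The precedence rule is the detail most often got wrong in hand-written checks: a certificate whose SAN lists abc.example.com but whose CN says xyz.example.com must be rejected for a connection to xyz.example.com, because the presence of any dNSName entry makes the CN irrelevant.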