In DB2® Version 9.7,
enhanced support for Secure Sockets Layer (SSL) and its successor,
Transport Layer Security (TLS), improves the security of data communication
by making it easier to configure your server. Additionally, support
is expanded to all non-Java DB2 clients,
such as CLI/ODBC, .Net Data Provider, embedded SQL, and CLP.
Note: In this topic, references to SSL also apply to TLS.
TLS version 1.0 (RFC2246) and TLS version 1.1 (RFC4346) are supported.
Configuration enhancements
You no longer
need to use separate configuration files to set up SSL support. The
parameters that you used to set in the
SSLconfig.ini and
SSLClientconfig.ini files
are now replaced by database manager configuration parameters and
connection string keywords.
- There are six new server-side configuration parameters:
- ssl_svr_keydb specifies the fully qualified
path of the key database file.
- ssl_svr_stash specifies the fully qualified
path of the stash file that holds the encrypted password to the key
database. Because the stash file lets the instance open the key database
without a password prompt, anyone who can read the key database and stash
file pair can use the server's private key; restrict both files to the
instance owner.
- ssl_svr_label specifies the label of the
digital certificate of the server in the key database.
- ssl_svcename specifies the port that the
database server uses to await communications from remote clients using
the SSL protocol.
- ssl_cipherspecs (optional) specifies the
cipher suites that the server supports.
- ssl_versions (optional) specifies the SSL
and TLS versions that the server supports.
- There are two new client-side database manager configuration parameters:
- ssl_clnt_keydb specifies the fully qualified
path of the key database file on the client.
- ssl_clnt_stash specifies the fully qualified
path of the stash file on the client.
- There are two new connection string keywords for CLI/ODBC applications:
- SSLClientKeystoredb - Set SSLClientKeystoredb to
the fully-qualified key database file name.
- SSLClientKeystash - Set SSLClientKeystash to
the fully-qualified stash file name.
- There are three new connection string keywords for DB2 .Net Data Provider applications:
- SSLClientKeystoredb - Set SSLClientKeystoredb to
the fully-qualified key database file name.
- SSLClientKeystash - Set SSLClientKeystash to
the fully-qualified stash file name.
- security - Set security to SSL.
Setting up SSL connections for CLI/ODBC applications
If you are using the IBM® Data
Server Driver for ODBC and CLI to connect to a database using SSL,
you use the connection string parameters SSLClientKeystoredb
and SSLClientKeystash to set the path for the
client key database and for the stash file, and the connection string
parameter security to set the protocol to SSL. This driver has no
database manager configuration, so the connection string keywords
are the only way to supply the key database and stash file paths.
If
you are using the IBM Data Server
Client or IBM Data Server Runtime
Client to connect to a database using SSL, you use the connection
string parameter security to set the protocol
to SSL, and you can use either the connection string parameters SSLClientKeystoredb and SSLClientKeystash,
or the client-side database manager configuration parameters ssl_clnt_keydb and ssl_clnt_stash,
to set the path for the client key database and for the stash file.
Setting up SSL connections for .Net Data Provider applications
For .Net Data Provider applications,
you use the connection string parameters SSLClientKeystoredb and SSLClientKeystash to
set the path for the client key database and for the stash file, and
the connection string parameter security to set
the protocol to SSL.
Setting up SSL connections for CLP clients and embedded SQL clients
The SSL keyword has been added to the CATALOG
TCPIP NODE command SECURITY parameter. CLP clients and embedded SQL
clients can use this keyword together with the client-side database manager
configuration parameters ssl_clnt_keydb and ssl_clnt_stash to
connect to a database using SSL.
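The whole procedure above (server-side database manager parameters, CLP client cataloguing with SECURITY SSL, and the CLI/ODBC and .Net connection string) as one added shell example. This is not code from the DB2 documentation. The host name, port, certificate label, key database and stash paths, the ssl_versions and ssl_cipherspecs values, and the DB2COMM registry step are assumptions, and the file permission check is added practice rather than something this page prescribes. With DB2=echo and DB2SET=echo the script prints the db2 commands instead of running them, which is how it can be tried without an instance.

```shell
#!/bin/sh
# Added example, not from the DB2 documentation: drives the DB2 9.7 SSL setup
# described on this page through the db2 CLP. Paths, host names, ports and the
# certificate label are placeholder assumptions. Set DB2=echo and DB2SET=echo
# to dry-run (commands are printed instead of executed).
set -u
DB2=${DB2:-db2}
DB2SET=${DB2SET:-db2set}

# Permission guard (assumption: added practice, not a DB2 requirement).
# mode "private": the server's key database and stash must have no group/other
# bits at all, since the stash holds the key database password.
# mode "unwritable": a client trust store may be shared read-only, but nobody
# else may write to it, or they could add a CA the client would trust.
# Columns 5-10 of `ls -ld` are the group/other bits on GNU and BSD ls alike.
check_file_perms() {
    f=$1; mode=$2
    if [ ! -f "$f" ]; then
        echo "missing file: $f" >&2
        return 1
    fi
    bits=$(ls -ld "$f" | cut -c5-10)
    case "$mode:$bits" in
        private:------)    return 0 ;;
        unwritable:?-??-?) return 0 ;;
        *) echo "refusing $f: group/other bits '$bits' not allowed for a $mode file" >&2
           return 1 ;;
    esac
}

# Server side: the six server parameters listed on this page. DB2COMM must
# also include SSL and the instance must be restarted afterwards (assumption:
# not stated on this page). The ssl_versions and ssl_cipherspecs values are
# illustrative; the page only says TLS 1.0 and 1.1 are supported.
configure_server() {
    keydb=$1; stash=$2; label=$3; port=$4
    check_file_perms "$keydb" private || return 1
    check_file_perms "$stash" private || return 1
    $DB2 update dbm cfg using ssl_svr_keydb "$keydb" &&
    $DB2 update dbm cfg using ssl_svr_stash "$stash" &&
    $DB2 update dbm cfg using ssl_svr_label "$label" &&
    $DB2 update dbm cfg using ssl_svcename "$port" &&
    $DB2 update dbm cfg using ssl_versions TLSv1 &&
    $DB2 update dbm cfg using ssl_cipherspecs TLS_RSA_WITH_AES_256_CBC_SHA &&
    $DB2SET DB2COMM=SSL,TCPIP
}

# CLP / embedded SQL client: point the client's DBM CFG at its own key database
# and stash, then catalog the node with the new SECURITY SSL keyword.
configure_clp_client() {
    keydb=$1; stash=$2; node=$3; host=$4; port=$5; db=$6
    check_file_perms "$keydb" unwritable || return 1
    check_file_perms "$stash" unwritable || return 1
    $DB2 update dbm cfg using ssl_clnt_keydb "$keydb" &&
    $DB2 update dbm cfg using ssl_clnt_stash "$stash" &&
    $DB2 catalog tcpip node "$node" remote "$host" server "$port" security ssl &&
    $DB2 catalog database "$db" at node "$node"
}

# CLI/ODBC and .Net Data Provider: the three connection string keywords from
# the page. Security=SSL selects the protocol; the SSLClient* keywords only
# tell the driver where the key database and stash file are. Printed to stdout.
cli_conn_string() {
    db=$1; host=$2; port=$3; keydb=$4; stash=$5
    check_file_perms "$keydb" unwritable || return 1
    check_file_perms "$stash" unwritable || return 1
    printf 'Database=%s;Protocol=tcpip;Hostname=%s;Servicename=%s;Security=SSL;SSLClientKeystoredb=%s;SSLClientKeystash=%s\n' \
        "$db" "$host" "$port" "$keydb" "$stash"
}

# Usage against a real instance (placeholder paths); guarded so that sourcing
# the file for a dry run does not touch any configuration.
if [ "${RUN_SSL_SETUP:-0}" = 1 ]; then
    configure_server /home/db2inst1/ssl/server.kdb /home/db2inst1/ssl/server.sth db2srv 50001
    configure_clp_client /home/db2clnt/ssl/client.kdb /home/db2clnt/ssl/client.sth sslnode db2host 50001 sample
    cli_conn_string sample db2host 50001 /home/db2clnt/ssl/client.kdb /home/db2clnt/ssl/client.sth
fi
```

Run it once with DB2=echo DB2SET=echo to review the exact commands it would issue, then with RUN_SSL_SETUP=1 on the instance. The permission guard deliberately fails closed: a stash file that is readable by other users stops the server configuration before any parameter is changed.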