Security guidelines

This section highlights the recommended best practices for deploying your Db2® Mirror environment securely.

Browser connection to GUI application

It is recommended to configure the Db2 Mirror GUI for HTTPS. To configure TLS, use the IBM® Web Administration for i GUI to manage the ADMIN3 Application server and click Configure TLS from the left navigation pane to launch the Configure TLS wizard.

If TLS is not configured, non-encrypted connections are used.

By default, all users have authority to log in to the Db2 Mirror GUI. The user must provide a user ID and password to log in to the application on the GUI node.

Connections between GUI node & Db2 Mirror nodes

It is recommended to configure IBM i Host Servers for TLS on the mirrored nodes. See Setting up IBM i to use TLS for information about configuring IBM i Host Servers for TLS.

When a user adds an existing Db2 Mirror pair to their GUI dashboard, the user can choose to use non-secure or secure connections. Secure connections can only be made if IBM i Host Servers on the mirrored nodes have been configured for TLS.

When configuring a new Db2 Mirror pair, only non-encrypted connections are used between IBM i nodes.

The credentials of the user logged into the GUI node are used to connect to the Db2 Mirror nodes. If the user is not authorized to perform a specific task or function on the mirrored node, then the request will fail.

Connections between Db2 Mirror nodes

Db2 Mirror uses the Remote Direct Memory Access (RDMA) protocol to communicate between the Db2 Mirror nodes to replicate and resynchronize objects and data. Adapters that support RDMA must be installed in both nodes.

By default, Db2 Mirror requires that the RDMA connections between the nodes are encrypted. However, not all adapters support encryption. To allow the use of non-encrypted RDMA, a user with *SECADM special authority can change the encrypted RDMA setting to not required.

Non-encrypted RDMA links should be protected by other means so that data is transferred securely between the nodes, for example by physically restricting access to the servers, adapters, and cables.

Storing passwords

You must configure and load cryptographic services master key 1 on the GUI node and Db2 Mirror nodes for Db2 Mirror to store your HMC, storage, and other passwords. See Cryptographic services key management for information about loading and setting master keys.

For additional information about security and auditing, see Security and auditing.