Security guidelines

It is recommended to configure the Db2® Mirror GUI for HTTPS. To configure TLS, use the IBM® Web Administration for i GUI to manage the ADMIN3 application server and click Configure TLS from the left navigation pane to launch the Configure TLS wizard.

If TLS is not configured, non-encrypted connections are used.

By default, all users have authority to log in to the Db2 Mirror GUI. The user must provide a user ID and password to log in to the application on the GUI node.

The credentials of the user logged into the Db2 Mirror GUI are used to connect to the source and copy nodes. If the user profile used to connect to a node is not authorized to perform a specific task or function, then the request will fail.

During the system migration stage, only non-secure IBM i host server connections can be used between the GUI node and source/copy nodes.

During the data synchronization and cutover stages, the IBM i host servers on the source and copy nodes can be configured for TLS and then secure connections between the GUI node and source/copy nodes can be used. See Setting up IBM i to use TLS for information about configuring IBM i host servers for TLS. Use the TLS Connection tab in the GUI Preferences panel in the Db2 Mirror GUI to enable and test secure connections to each node.

The SSH protocol is used by Migrate While Active to securely transfer data during the system migration stage. Automatic data transfer can occur at several points during system migration, depending on the migration pattern chosen. If automatically transferring the install media, then SSH is used to transfer it from the source node to the NFS server. If automatically transferring the user data, then SSH is used to transfer it from the source node to the copy node. Migrate While Active requires you to provide a user ID and SSH key during the system migration if automatic transfer is chosen.

The RDMA over TCP/IP protocol is used by Migrate While Active to transfer data from the source node to the copy node during the data synchronization stage. This protocol is not encrypted and cannot be secured using TLS. An alternative form of protection or encryption must be used instead, such as physically restricting access to the servers, adapters, and cables or using a virtual private network (VPN) between the nodes. For information about VPN solutions for IBM Power® Virtual Server, see https://cloud.ibm.com/docs/power-iaas?topic=power-iaas-VPN-connections.

By default, Db2 Mirror enforces an encrypted RDMA protocol to be used. However, the RDMA over TCP/IP protocol does not support encryption. To allow the use of non-encrypted RDMA for migration, a user with *SECADM special authority must change the encrypted RDMA setting to not required.

You must configure and load cryptographic services master key 1 on the GUI node and the source node for Migrate While Active to store the passwords used during migration. See Cryptographic services key management for information about loading and setting master keys.

Object ownership differences can occur during the migration of IBM i system libraries. To fully understand the topic and how it can be managed, see Managing object ownership differences in IBM i system libraries.