Configuring Db2 for Secure Sockets Layer (SSL)

Using Secure Sockets Layer (SSL) with Db2 means that data exchanged between client applications and the Db2 server is encrypted in transit instead of being sent over the network in clear text.

About this task

Db2 must have a keystore that holds the server's private key and certificate. The certificate is extracted from that keystore and distributed to client applications, which place it in their trust store and use it as the reference for establishing trust in the server. The steps below describe how to create the keystore and certificate with the IBM Global Security Kit (GSKit); the same can be accomplished with the Java keytool.

To configure Db2 for SSL:

Procedure

  1. Open a Db2 command window in the directory where you want to put the keystore, for example <Db2_instance>/SSL. The directory must be readable by the Db2 instance owner and should not be readable by other users, because it will contain the private key and the stash file.
  2. Create the server keystore using the following command. The -stash option also writes key.sth, which Db2 uses to open the keystore without prompting for the password:
    gsk8capicmd_64 -keydb -create -db "key.p12" -pw "<password>" -stash -type pkcs12
  3. Create a self-signed server certificate using the following command. Use the host name that clients will connect with as the <common_name>:
    gsk8capicmd_64 -cert -create -db "key.p12" -pw "<password>" -label "<certificate_name>" \
    -dn "CN=<common_name>,O=<organization>,OU=<organizational_unit>,L=<locality>,ST=<state>,C=<country>"
  4. Extract the certificate (the public part only; the private key stays in the keystore) to a file using the following command. The resulting key.arm is what client applications import into their trust store:
     gsk8capicmd_64 -cert -extract -db "key.p12" -pw "<password>" -label "<certificate_name>" -target "key.arm" -format ascii -fips
  5. To configure the database manager, log in to the Db2 server as the instance owner (or an administrator) and run the following commands. SSL_SVR_LABEL must match the label used in step 3, and SSL_SVCENAME must be a free port that is different from the existing TCP/IP port (SVCENAME):
    db2 update dbm cfg using SSL_SVR_KEYDB <path_to_truststore_directory>/key.p12
    db2 update dbm cfg using SSL_SVR_STASH <path_to_truststore_directory>/key.sth
    db2 update dbm cfg using SSL_SVR_LABEL <certificate_name>
    db2 update dbm cfg using SSL_SVCENAME <some_open_port_number>
    db2set DB2COMM=SSL,TCPIP
    Note:
    • DB2COMM=SSL,TCPIP keeps the unencrypted TCP/IP listener running alongside the SSL listener. If you want Db2 to accept SSL connections only, set the registry variable to SSL alone:
      db2set DB2COMM=SSL
    • DIAGLEVEL 4 makes db2diag.log record informational messages in addition to errors and warnings, which helps when verifying or troubleshooting the SSL setup. It is verbose, so lower it again once the setup is confirmed:
      db2 update dbm cfg using DIAGLEVEL 4
    • When configuring Db2 with SSL for containers, restrict the protocol to TLS version 1.2 by running the following command:
      db2 update dbm cfg using SSL_VERSIONS TLSV12

      In general, TLS 1.2 is the recommended setting for any Db2 SSL setup; older SSL and TLS versions should not be enabled.

  6. Stop and start Db2 (db2stop, then db2start) so that the new registry variable and configuration parameters take effect.
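Steps 1 to 6, collected into one reviewable script as an added example; this is not code from the original page or from IBM. It assumes it runs on the Db2 server as the instance owner with gsk8capicmd_64 and db2 on PATH, and the directory, label, port, distinguished name and diagnostic path used as defaults are placeholders to replace. After the keystore is created it uses GSKit's -stashed option instead of repeating -pw, so the password appears on a command line only once, and a dry-run mode prints the plan with the password masked.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1 to 6 as one script.
# Assumed: runs on the Db2 server as the instance owner, gsk8capicmd_64 and
# db2 are on PATH, and the defaults below are placeholders. DRY_RUN=1 prints
# the commands instead of executing them.

SSL_DIR="${SSL_DIR:-$HOME/SSL}"          # assumed location, e.g. <Db2_instance>/SSL
LABEL="${LABEL:-db2server}"              # assumed certificate label
SSL_PORT="${SSL_PORT:-50001}"            # assumed free port for the SSL listener
DN="${DN:-CN=db2.example.com,O=Example,OU=Db2,L=City,ST=State,C=US}"  # assumed DN
SSL_ONLY="${SSL_ONLY:-0}"                # 1 = DB2COMM=SSL, 0 = DB2COMM=SSL,TCPIP
DRY_RUN="${DRY_RUN:-0}"
KEYDB_PW="${KEYDB_PW:-}"                 # keystore password, supplied via the environment

# Run a command, or in dry-run mode print it with the password masked so the
# plan can be reviewed without the secret reaching a terminal or a log.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    line=""
    for arg in "$@"; do
      if [ -n "$KEYDB_PW" ] && [ "$arg" = "$KEYDB_PW" ]; then arg='<password>'; fi
      line="$line$arg "
    done
    printf '%s\n' "${line% }"
  else
    "$@"
  fi
}

# Steps 1 and 2: private directory and a PKCS#12 keystore plus stash file (key.sth).
create_keydb() {
  run mkdir -p "$SSL_DIR"
  run chmod 700 "$SSL_DIR"
  run gsk8capicmd_64 -keydb -create -db "$SSL_DIR/key.p12" -pw "$KEYDB_PW" -stash -type pkcs12
  # The stash file is only obfuscated, not encrypted: keep it and the
  # keystore readable by the instance owner alone.
  run chmod 600 "$SSL_DIR/key.p12" "$SSL_DIR/key.sth"
}

# Step 3: self-signed server certificate (2048-bit RSA, SHA-256 signature).
# -stashed reads the password from key.sth instead of taking it on the command line.
create_cert() {
  run gsk8capicmd_64 -cert -create -db "$SSL_DIR/key.p12" -stashed -label "$LABEL" \
      -dn "$DN" -size 2048 -sigalg SHA256_WITH_RSA -expire 365
}

# Step 4: export the public certificate only; clients import key.arm into their trust store.
extract_cert() {
  run gsk8capicmd_64 -cert -extract -db "$SSL_DIR/key.p12" -stashed -label "$LABEL" \
      -target "$SSL_DIR/key.arm" -format ascii
}

# Step 5: point the database manager at the keystore and enable the SSL listener.
configure_dbm() {
  run db2 update dbm cfg using SSL_SVR_KEYDB "$SSL_DIR/key.p12"
  run db2 update dbm cfg using SSL_SVR_STASH "$SSL_DIR/key.sth"
  run db2 update dbm cfg using SSL_SVR_LABEL "$LABEL"
  run db2 update dbm cfg using SSL_SVCENAME "$SSL_PORT"
  run db2 update dbm cfg using SSL_VERSIONS TLSV12   # refuse SSLv3 and TLS 1.0/1.1
  if [ "$SSL_ONLY" = "1" ]; then
    run db2set DB2COMM=SSL          # no plaintext listener at all
  else
    run db2set DB2COMM=SSL,TCPIP    # SSL alongside the existing TCP/IP port
  fi
}

# Step 6: restart so the registry variable and the new listener take effect.
restart_db2() {
  run db2stop
  run db2start
}

# Results: confirm from db2diag.log that the SSL listener came up.
# Assumed default diagnostic directory; use the DIAGPATH from `db2 get dbm cfg` if it differs.
verify_ssl_started() {
  grep -q 'DIA3000I "SSL" protocol support was successfully started' \
      "${DIAGPATH:-$HOME/sqllib/db2dump}/db2diag.log"
}

db2_ssl_setup() {
  if [ -z "$KEYDB_PW" ]; then
    echo "set KEYDB_PW to the keystore password" >&2
    return 1
  fi
  create_keydb
  create_cert
  extract_cert
  configure_dbm
  restart_db2
}

# Apply only when invoked explicitly; sourcing the file just defines the functions.
if [ "${1:-}" = "--apply" ]; then
  db2_ssl_setup && verify_ssl_started && echo "SSL listener started on port $SSL_PORT"
fi
```

Run it first as `DRY_RUN=1 KEYDB_PW=... sh db2_ssl_setup.sh --apply` to review the exact commands, then without DRY_RUN to apply them. Replacing the self-signed certificate with one issued by your CA changes only step 3; the rest of the procedure is the same.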

Results

Check the db2diag.log file for the following messages, which confirm that the SSL listener started:
  • MESSAGE: DIA3000I "SSL" protocol support was successfully started.
  • MESSAGE: SSL is setup properly.