Using Secure Sockets Layer (SSL) with Db2 means your data can be sent securely over the network.
Db2 must have a trust store with a certificate that other applications can use as a reference to establish trust. The steps below describe how to create a trust store and certificate using IBM Global Security Kit; the same can be accomplished with the Java Keytool.
To configure Db2 for SSL:
- Open a Db2 command window in the directory where you want to put the trust store. For example, <Db2_instance>/SSL.
- Create the server keystore using the following command:
  gsk8capicmd_64 -keydb -create -db "key.p12" -pw "<password>" -stash -type pkcs12
- Create the server certificate using the following command (one line):
  gsk8capicmd_64 -cert -create -db "key.p12" -pw "<password>" -label "<certificate_name>" -dn "CN=<common_name>,O=<organization>,OU=<organizational_unit>,L=<locality>,ST=<state>,C=<country>"
- Extract the certificate to a file using the following command:
  gsk8capicmd_64 -cert -extract -db "key.p12" -pw "<password>" -label "<certificate_name>" -target "key.arm" -format ascii -fips
- To configure the Db2 properties, log in to the Db2 server instance as an administrator and run the following commands:
  db2 update dbm cfg using SSL_SVR_KEYDB <path_to_truststore_directory>/key.p12
  db2 update dbm cfg using SSL_SVR_STASH <path_to_truststore_directory>/key.sth
  db2 update dbm cfg using SSL_SVR_LABEL <certificate_name>
  db2 update dbm cfg using SSL_SVCENAME <some_open_port_number>
  db2set DB2COMM=SSL,TCPIP
  Note:
  - Alternatively, if you do not want TCPIP connections, set DB2COMM to SSL only by running the following command:
    db2set DB2COMM=SSL
  - The informational messages you check for after the restart are written to db2diag.log only when the diagnostic level includes informational messages; set it with the following command:
    db2 update dbm cfg using DIAGLEVEL 4
  - When configuring Db2 with SSL for containers, ensure that you configure Db2 with TLS version 1.2 by running the following command:
    db2 update dbm cfg using SSL_VERSIONS TLSV12
    In general, it is recommended that you configure TLS v1.2 for any Db2 SSL setup.
- Stop and start Db2. Check the db2diag.log file for the following messages:
  - MESSAGE: DIA3000I "SSL" protocol support was successfully started.
  - MESSAGE: SSL is setup properly.
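The following script is an added example, not part of the Db2 documentation above: after the procedure has been run, it checks that every database-manager parameter the procedure sets has a value, that SSL_VERSIONS includes TLSV12, that the keystore and stash file belong to the same key database, and that db2diag.log recorded the DIA3000I start-up message. It reads saved copies of the "db2 get dbm cfg" output and of db2diag.log so it can be exercised without a running instance; the sample file contents are constructed for illustration, and the "(PARAMETER) = value" display format of "db2 get dbm cfg" is an assumption about the tool's output.

```shell
#!/usr/bin/env bash
# Added example (not from the Db2 documentation): post-configuration checks for a
# Db2 SSL setup. Usage after running the procedure on a real instance:
#   db2 get dbm cfg > dbm.cfg && verify_ssl_cfg dbm.cfg
#   diag_ssl_started ~/sqllib/db2dump/db2diag.log

# Return the value of one dbm cfg parameter from saved "db2 get dbm cfg" output.
# Assumed line format:  "  SSL server keydb file  (SSL_SVR_KEYDB) = /db2/SSL/key.p12"
cfg_value() {
    # $1 = path to saved cfg output, $2 = parameter name
    sed -n "s/^.*(${2}) *= *//p" "$1" | head -n 1
}

# Verify that every parameter the procedure sets has a value and that TLS 1.2 is
# enabled. Prints each problem found and returns 1 if any check fails, 0 otherwise.
verify_ssl_cfg() {
    cfg="$1"
    rc=0
    for p in SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVR_LABEL SSL_SVCENAME; do
        v=$(cfg_value "$cfg" "$p")
        if [ -z "$v" ]; then
            echo "MISSING: $p is not set"
            rc=1
        fi
    done
    versions=$(cfg_value "$cfg" SSL_VERSIONS)
    case "$versions" in
        *TLSV12*) ;;
        *) echo "WEAK: SSL_VERSIONS is '$versions', expected TLSV12"; rc=1 ;;
    esac
    # The stash file created by "-stash" sits beside the key database with the
    # same base name, so key.p12 must be paired with key.sth.
    keydb=$(cfg_value "$cfg" SSL_SVR_KEYDB)
    stash=$(cfg_value "$cfg" SSL_SVR_STASH)
    if [ -n "$keydb" ] && [ -n "$stash" ] && [ "${keydb%.p12}" != "${stash%.sth}" ]; then
        echo "MISMATCH: keydb $keydb and stash $stash do not share a base name"
        rc=1
    fi
    return $rc
}

# Confirm db2diag.log recorded the SSL listener start-up (DIA3000I) after restart.
diag_ssl_started() {
    grep -q 'DIA3000I "SSL" protocol support was successfully started' "$1"
}

# Constructed sample files for a stand-alone run; prints the directory they are in.
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.cfg" <<'EOF'
 SSL server keydb file                   (SSL_SVR_KEYDB) = /db2inst1/SSL/key.p12
 SSL server stash file                   (SSL_SVR_STASH) = /db2inst1/SSL/key.sth
 SSL server certificate label            (SSL_SVR_LABEL) = db2server
 SSL service name                          (SSL_SVCENAME) = 50001
 SSL versions                             (SSL_VERSIONS) = TLSV12
EOF
    # Stash file and SSL_VERSIONS left unset: both checks must fail.
    cat > "$dir/bad.cfg" <<'EOF'
 SSL server keydb file                   (SSL_SVR_KEYDB) = /db2inst1/SSL/key.p12
 SSL server stash file                   (SSL_SVR_STASH) =
 SSL server certificate label            (SSL_SVR_LABEL) = db2server
 SSL service name                          (SSL_SVCENAME) = 50001
 SSL versions                             (SSL_VERSIONS) =
EOF
    cat > "$dir/db2diag.log" <<'EOF'
2024-01-01-12.00.00.000000+000 I1234E567   LEVEL: Info
MESSAGE : DIA3000I "SSL" protocol support was successfully started.
EOF
    echo "$dir"
}
```

Run verify_ssl_cfg against the real output of "db2 get dbm cfg" right after the restart; a non-zero exit with a MISSING or WEAK line tells you which update command did not take effect before you start troubleshooting client connections.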