Encrypting outbound network traffic from Db2 for z/OS to Data Gate
To encrypt network traffic between Db2 for z/OS and a Data Gate instance on IBM Cloud Pak for Data, specific software components are required.
On IBM Cloud Pak for Data, Data Gate defines an OpenShift® route when the service is provisioned. An OpenShift route exposes a service with an externally reachable hostname like dg01.apps.dgsvt2.os.fyre.ibm.com. For more information, see Creating a service instance for Data Gate from the web client.
On z/OS, the encryption is provided by AT-TLS (Application Transparent Transport Layer Security), so various components of the z/OS Communications Server must be configured. In addition, a certificate and an RSA key pair are required.
- Software
  - The following software components on the z/OS (LPAR) side must be operational:
    - Policy Agent (a component of z/OS Communications Server; version 1.2 or higher is required)
    - Optional: SYSLOG daemon (SYSLOGD)
- Certificate and keys
  - To encrypt the network traffic between a z/OS LPAR and an accelerator, you need:
    - An RSA key pair
    - A public key certificate of type X.509, signed by a shared certificate authority, in PKCS#12 format
The certificate is stored in a key ring on the LPAR. The key ring contains all credentials that are used by the AT-TLS policy configuration. The private RSA key, as well as the certificate from the key ring (in PKCS#12 format), are required on the Data Gate instance on IBM Cloud Pak for Data.
If more than one Data Gate instance is involved: each Data Gate instance needs a dedicated private key whose certificate was issued by the certificate authority (CA). All Data Gate instances attached to a specific LPAR require certificates that were signed by the same CA.