Configuring TLS support in a Db2 instance

The Db2 database system supports Transport Layer Security (TLS), which means that a Db2 client application that also supports TLS can connect to a Db2 database by using a TLS socket. CLI, CLP, and .Net Data Provider client applications and applications that use the IBM® Data Server Driver for JDBC and SQLJ (type 4 connections) support TLS.

Before you begin

This procedure helps you to configure client applications to communicate with Db2 by using TLS.

Before you configure TLS support, complete the following prerequisite steps:
  • Ensure that the connection concentrator is not activated. TLS support is not enabled in the Db2 instance when the connection concentrator is running.

    Determine whether the connection concentrator is activated by running the GET DATABASE MANAGER CONFIGURATION command. If the configuration parameter max_connections is set to a value greater than the value of max_coordagents, the connection concentrator is activated.

    Note: If you enable this feature on AIX, see Additional installation considerations (AIX) for performance considerations.
Note: You can configure Db2 11.5.6 and newer clients to validate the hostname of Db2 instances to which they are connecting, during a TLS handshake. For more information, see Configuring Db2 instances for hostname validation.

About this task

The TLS communication is always in FIPS mode.

TLS support for Db2 Connect
If you are using Db2 Connect for System i®, Db2 Connect for System z®, or Db2 Enterprise Server Edition on an intermediate server computer to connect Db2 clients to a host or System i database, TLS support is available in any of the following configurations:
  • Between the client and the Db2 Connect server
  • Between the Db2 Connect server and the server
  • Between both the client and the Db2 Connect server and the Db2 Connect server and the server
Note: For TLS support to be enabled on all paths in the configuration, each client or server must fulfill all requirements for TLS support. For example, if the Db2 Connect connection concentrator is on, the inbound request to the Db2 Connect server cannot use TLS. However, the outbound request to the target server can use TLS.

Procedure

Log in to your Db2 server as the Db2 instance owner and set the following configuration parameters and the DB2COMM registry variable.
  • Set the ssl_svr_keydb configuration parameter to the fully qualified path of your keystore. For more information, see Creating a keystore with GSKit.
    For example,
    db2 update dbm cfg using SSL_SVR_KEYDB /home/test/sqllib/security/keystore/key.kdb

    If ssl_svr_keydb is null (unset), TLS support is not enabled.

  • Set the ssl_svr_stash configuration parameter to the fully qualified path of the stash file.
    For example,
    db2 update dbm cfg using SSL_SVR_STASH /home/test/sqllib/security/keystore/mydbserver.sth

    If ssl_svr_stash is null (unset), TLS support is not enabled.

  • Set the ssl_svr_label configuration parameter to the label of the digital certificate of the server. If ssl_svr_label is not set, the default certificate in the key database is used. If there is no default certificate in the key database, TLS is not enabled.

    For example,
    db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
    where myselfsigned is a sample label.

  • Set the ssl_svcename configuration parameter to the port that the Db2 database system should listen on for TLS connections.

    If TCP/IP and TLS are both enabled (the DB2COMM registry variable is set to 'TCPIP,SSL'), you must set ssl_svcename to a different port than the port to which svcename is set. The svcename configuration parameter sets the port that the Db2 database system listens on for TCP/IP connections. If you set ssl_svcename to the same port as svcename, neither TCP/IP nor TLS is enabled.

    If ssl_svcename is null (unset), TLS support is not enabled.
    Note: To avoid potential collisions with HTTPS, do not use port 443 for ssl_svcename.
    Note: In HADR environments, do not set hadr_local_svc on the primary or standby database system to the same value as you set for ssl_svcename. Also, do not set hadr_local_svc to the same value as svcename, or svcename plus one.
    Note: When the DB2COMM registry variable is set to 'TCPIP,SSL' and TCPIP support is not properly enabled, the error SQL5043N is returned and TLS support is not enabled. For example, if the svcename configuration parameter is set to null, TCP/IP is not properly enabled.
  • (Optional) If you want to specify which cipher suites the server can use, set the ssl_cipherspecs configuration parameter.

    If you leave ssl_cipherspecs as null (unset), GSKit can pick the strongest available cipher suite that is supported by both the client and the server.

  • Add the value SSL (the DB2COMM keyword that enables TLS) to the DB2COMM registry variable.
    For example,
    db2set -i db2inst1 DB2COMM=SSL
    where db2inst1 is the Db2 instance name.
    The database manager can support multiple protocols at the same time. For example, to enable both TCP/IP and TLS communication protocols:
    db2set -i db2inst1 DB2COMM=SSL,TCPIP
  • Restart the Db2 instance.
    For example,
    db2stop
    db2start
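As an added check that is not part of the IBM page, the following POSIX shell script reads the text printed by db2 get dbm cfg together with the DB2COMM value and reports every condition under which this procedure says TLS support is not enabled (keystore, stash or TLS port unset, port 443, TLS port equal to svcename, SSL missing from DB2COMM), plus the connection-concentrator prerequisite. The "(PARAM) = value" layout of the dbm cfg listing and the embedded sample values are assumptions, not output captured from a real instance.

```shell
#!/bin/sh
# Added example, not from the IBM page: check the dbm cfg values and DB2COMM
# setting the procedure above depends on. Input is the text of "db2 get dbm cfg"
# (the "... (PARAM) = value" layout is assumed) and the value of DB2COMM.

# cfg_value CFGTEXT PARAM: print the value after "(PARAM) =", empty when null/unset
cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^.*(${2}) *= *//p" | sed 's/ *$//' | head -n 1
}

# check_tls_cfg CFGTEXT DB2COMM: print "ok", or the conditions under which the
# procedure says TLS support is not enabled
check_tls_cfg() {
    cfg=$1; db2comm=$(printf '%s' "$2" | tr -d ' '); problems=""
    maxconn=$(cfg_value "$cfg" MAX_CONNECTIONS)
    maxcoord=$(cfg_value "$cfg" MAX_COORDAGENTS)
    sslport=$(cfg_value "$cfg" SSL_SVCENAME)
    tcpport=$(cfg_value "$cfg" SVCENAME)
    # Connection concentrator is on when max_connections > max_coordagents;
    # AUTOMATIC(...) or unset values are left for the DBA to interpret
    case "$maxconn:$maxcoord" in
        *[!0-9:]*|:*|*:) ;;
        *) [ "$maxconn" -le "$maxcoord" ] || problems="$problems concentrator_on" ;;
    esac
    [ -n "$(cfg_value "$cfg" SSL_SVR_KEYDB)" ] || problems="$problems ssl_svr_keydb_unset"
    [ -n "$(cfg_value "$cfg" SSL_SVR_STASH)" ] || problems="$problems ssl_svr_stash_unset"
    [ -n "$sslport" ] || problems="$problems ssl_svcename_unset"
    [ "$sslport" != 443 ] || problems="$problems ssl_svcename_is_443"
    case ",$db2comm," in *,SSL,*) ;; *) problems="$problems db2comm_lacks_ssl" ;; esac
    # With TCPIP also enabled, svcename must be set and differ from ssl_svcename
    case ",$db2comm," in *,TCPIP,*)
        [ -n "$tcpport" ] || problems="$problems svcename_unset"
        [ -z "$sslport" ] || [ "$sslport" != "$tcpport" ] || problems="$problems ssl_svcename_equals_svcename" ;;
    esac
    if [ -z "$problems" ]; then echo ok; else echo "${problems# }"; fi
}

# Constructed sample of "db2 get dbm cfg" output using the procedure's values
SAMPLE_CFG=' Max number of coordinating agents      (MAX_COORDAGENTS) = 200
 Max number of client connections         (MAX_CONNECTIONS) = 200
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/test/sqllib/security/keystore/key.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/test/sqllib/security/keystore/mydbserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = myselfsigned
 SSL service name                         (SSL_SVCENAME) = 50001'
# Same instance with the stash file never set and the TLS port copied from svcename
BAD_CFG=$(printf '%s\n' "$SAMPLE_CFG" | sed -e 's/(SSL_SVR_STASH) = .*/(SSL_SVR_STASH) =/' -e 's/(SSL_SVCENAME) = 50001/(SSL_SVCENAME) = 50000/')
check_tls_cfg "$SAMPLE_CFG" "SSL,TCPIP"
check_tls_cfg "$BAD_CFG" "SSL,TCPIP"
```

On a real instance, feed it with `check_tls_cfg "$(db2 get dbm cfg)" "$(db2set DB2COMM)"` as the instance owner; the second sample call prints the two problems that the misconfigured copy introduces.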