Secure Sockets Layer (SSL) support

The Db2 database uses a self-signed certificate for SSL communication. You can download the certificate from the web console and install it on your clients so that they trust the database server.

Secure Sockets Layer (SSL) is a security protocol that provides communication privacy. SSL enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL-enabled client applications use standard encryption techniques to help ensure secure communication.

Configuring your applications to connect to the Db2 database with SSL depends on your company policy. Both the standard and the SSL protocols that you can use to connect to the database transmit user names and passwords as encrypted data. If you want to ensure complete end-to-end security, transmit all database information, including sensitive data and metadata, through an SSL connection.

Configuring your Db2 client

  1. Download the IBM Global Security Kit (GSKit) by selecting the GSKit appropriate for your operating system (OS).
  2. Install the GSKit. For instructions, see IBM Global Security Kit global installation instructions overview.
    Note: GSKit is required for non-JDBC applications such as .NET and embedded SQL (for example, the db2 command line processor). With JCC/JDBC, the SSL/TLS configuration (keystore database, keystore password) is done within Java through JDBC properties and keywords. CLPPlus also uses JDBC connectivity, so it does not require GSKit.
  3. Set the environment variable for the GSKit library path:
    • AIX: LIBPATH=/usr/opt/ibm/gsk8/lib
    • Linux: LD_LIBRARY_PATH=/usr/local/ibm/gsk8/lib
    • UNIX: LD_LIBRARY_PATH=/opt/ibm/gsk8/lib
    • Windows: PATH=<installation_directory>\gsk8\bin;<installation_directory>\gsk8\lib (lib64 for 64-bit GSKit)
  4. Extract the certificate.

    Go to CONNECT > Connection information on the web console to download the certificate. The file is named DigiCertGlobalRootCA.crt.

    The certificate is also available at /mnt/blumeta0/db2/ssl_keystore/rootCA.pem inside the database container. You can copy it to /tmp with this command:
    docker cp dashDB:/mnt/blumeta0/db2/ssl_keystore/rootCA.pem /tmp
    or access it directly on the host at
    <host volume>/db2/ssl_keystore/rootCA.pem
  5. Create keystore:
    gsk8capicmd_64 -keydb -create -db "mykeystore.kdb" -pw "passw0rd" -stash
    
    Note: You must have write permission on the current directory or the command fails. The command creates two files, mykeystore.kdb and mykeystore.sth, in the current directory; these files are used in the subsequent steps.
  6. Add SSL certificate to the keystore:
    gsk8capicmd_64 -cert -add -db "mykeystore.kdb" -pw "passw0rd" -label ACIBLUDB_SSL -file c:\ssl\ACI_DigiCertGlobalRootCA.crt
  7. Update the Db2 database manager configuration so the client uses the keystore and stash file:
    db2 update dbm cfg using SSL_CLNT_KEYDB c:\PROGRA~1\IBM\gsk8\mykeystore.kdb SSL_CLNT_STASH c:\PROGRA~1\IBM\gsk8\mykeystore.sth
    Note: On Windows, use the short name PROGRA~1 for the Program Files directory.

Connecting to your database

  1. [Optional] If you use Data Studio, you can now connect to the database by selecting port 50001 and sslConnection=true.
  2. Catalog the node and database:
    db2 catalog tcpip node ACICLD_S remote <IP_address_of_BLUDB_database_server> server 50001 security SSL
    
    db2 catalog db BLUDB as ACIBLU_S at node ACICLD_S
  3. Connect to your database with an SSL connection:
    db2 terminate
    db2 connect to ACIBLU_S user <user_name> using <password>
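The following script, added here as an example and not part of the IBM page, puts the client configuration steps 5 to 7 and the catalog commands above into one Linux shell script, with a check that the file being trusted is actually a PEM certificate and a fingerprint you can compare between the console download and the container copy. It assumes GSKit and the db2 CLP are installed, that rootCA.pem has already been copied out of the container, and that the host name passed in is a placeholder; the keystore path, label and password are the page's sample values.

```shell
#!/bin/sh
# Added example (not IBM's code): script the client-side SSL setup described on this page.
# Assumes gsk8capicmd_64 and db2 are on PATH and LD_LIBRARY_PATH points at the GSKit lib directory.
set -eu

is_pem_cert() {
  # The file must exist and start with a PEM certificate header before we trust it.
  [ -f "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----'
}

cert_fingerprint() {
  # SHA-256 fingerprint, for comparing the container copy with the console download.
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

catalog_cmds() {
  # Print the two catalog commands (SSL node on port 50001) so they can be reviewed or executed.
  host="$1"; node="$2"; alias="$3"
  printf 'db2 catalog tcpip node %s remote %s server 50001 security SSL\n' "$node" "$host"
  printf 'db2 catalog db BLUDB as %s at node %s\n' "$alias" "$node"
}

setup_client() {
  cert="$1"; host="$2"; keydb="$3"; keypw="$4"
  is_pem_cert "$cert" || { echo "not a PEM certificate: $cert" >&2; return 1; }
  echo "trusting root CA with SHA-256 fingerprint $(cert_fingerprint "$cert")"
  mkdir -p "$(dirname "$keydb")"
  stash="${keydb%.kdb}.sth"
  # Steps 5 and 6: create the keystore with a stash file, then add the root CA to it.
  gsk8capicmd_64 -keydb -create -db "$keydb" -pw "$keypw" -stash
  gsk8capicmd_64 -cert -add -db "$keydb" -pw "$keypw" -label ACIBLUDB_SSL -file "$cert"
  # Step 7: point the client's database manager configuration at the keystore and stash.
  db2 update dbm cfg using SSL_CLNT_KEYDB "$keydb" SSL_CLNT_STASH "$stash"
  # Catalog the SSL node and the database, then terminate the CLP so the new config is read.
  eval "$(catalog_cmds "$host" ACICLD_S ACIBLU_S)"
  db2 terminate
}

# Usage: sh db2ssl.sh /tmp/rootCA.pem <db2_host> [keystore.kdb] [password]
# Only runs when invoked with arguments; the functions above can be sourced on their own.
if [ "$#" -ge 2 ]; then
  setup_client "$1" "$2" "${3:-$HOME/db2ssl/mykeystore.kdb}" "${4:-passw0rd}"
fi
```

After it runs, `db2 connect to ACIBLU_S user <user_name> using <password>` opens the SSL connection exactly as in step 3 above.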
For more information, see Configuring Secure Sockets Layer (SSL) support in non-Java Db2 clients.