IBM Cloud Orchestrator, Version 2.5.0.5

Configuring external DB2 for TLS v1.2

For external DB2 instances, you must customize SSL certificates and then configure DB2 for TLSv1.2.

Procedure

  1. Log in to the external DB2 database.
  2. Customize SSL certificates: For the SSL/TLS communication with DB2, you must manage digital certificates for the database server. These certificates and encryption keys are used to establish the SSL connections. By default, the certificates are added with label dbserver to the key database at /home/db2inst1/ssl_server/dbserver.kdb, where /home/db2inst1 is the DB2 installation directory on the database server.
    1. Create directory /home/db2inst1/ssl_server if not present.
    2. Copy dbserver.kdb and dbserver.sth from the primary IBM® Cloud Orchestrator location, <ICO_installer_path>/data/orchestrator-chef-repo/chef-repo/cookbooks/db2/files/default/, to /home/db2inst1/ssl_server/.
      Note: If the keystores (dbserver.kdb and dbserver.sth) already exist in /home/db2inst1/ssl_server, there is no need to replace them.
    3. Modify the owner and group to db2inst1:db2iadm1 for the following directory and files:
      • ssl_server Directory
      • dbserver.kdb File
      • dbserver.sth File
  3. Configure DB2 for TLSv1.2:
    1. Check the DB2 configuration parameters to ensure that the connection concentrator is not active on that instance. If the connection concentrator is running, then SSL support is not enabled on the DB2 instance. To check whether the connection concentrator is active, run the following commands as the instance owner:
      su - db2inst1
      db2 GET DATABASE MANAGER CONFIGURATION | grep MAX_CONNECTIONS

      If the max_connections configuration parameter is set to a value greater than the value of the max_coordagents parameter, then the connection concentrator is activated.

    2. Set up your DB2 server for SSL support:
      1. Log in as the DB2 instance owner.
      2. Set the following configuration parameters and the DB2COMM registry variable:
        1. Set the SSL_SVR_KEYDB configuration parameter to the fully qualified path of the key database file. For example:
          db2 update dbm cfg using SSL_SVR_KEYDB  /home/db2inst1/ssl_server/dbserver.kdb
        2. Set the SSL_SVR_STASH configuration parameter to the fully qualified path of the stash file. For example:
          db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/ssl_server/dbserver.sth
        3. Set the SSL_SVR_LABEL configuration parameter to the label of the digital certificate of the server. If SSL_SVR_LABEL is not set, then the default certificate in the key database is used. In the absence of a default certificate in the key database, SSL is not enabled.
          db2 update dbm cfg using SSL_SVR_LABEL dbserver
        4. Set the SSL_SVCENAME configuration parameter to port 50001, which DB2 uses for SSL connections:
          db2 update dbm cfg using SSL_SVCENAME 50001

          If TCP/IP and SSL are both enabled (the DB2COMM registry variable is set to 'TCPIP, SSL'), you must set SSL_SVCENAME to a different port than the port to which SVCENAME is set. The SVCENAME configuration parameter specifies the port that the DB2 database system listens to for TCP/IP connections. If you set SSL_SVCENAME to the same port as SVCENAME, then neither TCP/IP nor SSL is enabled. If SSL_SVCENAME is not set, then the SSL support is not enabled.

        5. Set the SSL_VERSIONS configuration parameter to indicate that DB2 must use TLS v1.2 protocol:
          db2 update dbm cfg using SSL_VERSIONS TLSV12
        6. Add the SSL value to the DB2COMM registry variable. For example,
          db2set -i db2inst1 DB2COMM=SSL,TCPIP
        7. Check that all the configuration parameters are set correctly by running the following command:
          db2 get dbm cfg | grep SSL
        8. Restart the DB2 instance:
          db2stop force
          db2start
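
The conditions the procedure above depends on (connection concentrator inactive, SSL_SVCENAME different from SVCENAME, SSL_VERSIONS set to TLSV12, SSL present in DB2COMM, key database, stash file and label set) can be verified from a captured dbm cfg dump before the instance is restarted. The following script is an added example, not IBM documentation or IBM Cloud Orchestrator code: the function names are hypothetical, and the two configuration dumps it checks are constructed to resemble the output of "db2 get dbm cfg" so the script runs offline. Against a real instance, capture the dump with "db2 get dbm cfg > dbm.cfg" and the registry value with "db2set -i db2inst1 DB2COMM", then call ssl_config_problems with both.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM page): verify a DB2 dbm cfg dump against
# the TLS v1.2 procedure. Sample dumps below are constructed, not captured.

# Value of one dbm cfg parameter, e.g.: cfg_value dbm.cfg SSL_SVCENAME
# Dump lines look like: " SSL service name   (SSL_SVCENAME) = 50001"
cfg_value() {
  sed -n "s/^.*(${2}) = *//p" "$1" | head -n 1
}

# Numeric part of a value such as 400 or AUTOMATIC(200); empty if not numeric.
cfg_number() {
  local v="$1"
  case "$v" in
    AUTOMATIC\(*\)) v="${v#AUTOMATIC\(}"; v="${v%\)}" ;;
  esac
  case "$v" in
    ''|*[!0-9]*) echo "" ;;
    *) echo "$v" ;;
  esac
}

# True (exit 0) when the connection concentrator is active, that is, when
# MAX_CONNECTIONS is greater than MAX_COORDAGENTS, as the procedure states.
concentrator_active() {
  local conns coord
  conns=$(cfg_value "$1" MAX_CONNECTIONS)
  coord=$(cfg_value "$1" MAX_COORDAGENTS)
  # The default AUTOMATIC(MAX_COORDAGENTS) ties the two values together: not active.
  if [ "$conns" = "AUTOMATIC(MAX_COORDAGENTS)" ]; then return 1; fi
  conns=$(cfg_number "$conns"); coord=$(cfg_number "$coord")
  if [ -n "$conns" ] && [ -n "$coord" ] && [ "$conns" -gt "$coord" ]; then
    return 0
  fi
  return 1
}

# Print one line per misconfiguration; the exit status is the number of problems.
# $1 = dbm cfg dump file, $2 = DB2COMM value (e.g. "SSL,TCPIP" or "TCPIP, SSL").
ssl_config_problems() {
  local cfg="$1" n=0 keydb stash label sslport port versions db2comm
  db2comm=$(echo "$2" | tr -d ' ' | tr 'a-z' 'A-Z')
  keydb=$(cfg_value "$cfg" SSL_SVR_KEYDB)
  stash=$(cfg_value "$cfg" SSL_SVR_STASH)
  label=$(cfg_value "$cfg" SSL_SVR_LABEL)
  sslport=$(cfg_value "$cfg" SSL_SVCENAME)
  port=$(cfg_value "$cfg" SVCENAME)
  versions=$(cfg_value "$cfg" SSL_VERSIONS)

  [ -n "$keydb" ] || { echo "SSL_SVR_KEYDB not set"; n=$((n+1)); }
  [ -n "$stash" ] || { echo "SSL_SVR_STASH not set"; n=$((n+1)); }
  [ -n "$label" ] || { echo "SSL_SVR_LABEL not set: SSL depends on a default certificate in the key database"; n=$((n+1)); }
  if [ -z "$sslport" ]; then
    echo "SSL_SVCENAME not set: SSL support is not enabled"; n=$((n+1))
  elif [ "$sslport" = "$port" ]; then
    echo "SSL_SVCENAME equals SVCENAME ($port): neither TCP/IP nor SSL is enabled"; n=$((n+1))
  fi
  [ "$versions" = "TLSV12" ] || { echo "SSL_VERSIONS is '$versions', expected TLSV12"; n=$((n+1)); }
  case ",$db2comm," in
    *,SSL,*) ;;
    *) echo "DB2COMM ($db2comm) does not include SSL"; n=$((n+1)) ;;
  esac
  if concentrator_active "$cfg"; then
    echo "connection concentrator is active (MAX_CONNECTIONS > MAX_COORDAGENTS): SSL is not enabled"; n=$((n+1))
  fi
  return "$n"
}

WORK=$(mktemp -d)
GOOD_CFG="$WORK/good.cfg"; BAD_CFG="$WORK/bad.cfg"
# Constructed sample: what the dump looks like after the procedure is applied.
cat > "$GOOD_CFG" <<'EOF'
 Max number of coordinating agents     (MAX_COORDAGENTS) = AUTOMATIC(200)
 Max number of client connections      (MAX_CONNECTIONS) = AUTOMATIC(MAX_COORDAGENTS)
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/ssl_server/dbserver.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/ssl_server/dbserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = dbserver
 SSL service name                         (SSL_SVCENAME) = 50001
 SSL versions                             (SSL_VERSIONS) = TLSV12
EOF
# Constructed sample with the mistakes the procedure warns about.
cat > "$BAD_CFG" <<'EOF'
 Max number of coordinating agents     (MAX_COORDAGENTS) = 200
 Max number of client connections      (MAX_CONNECTIONS) = 1000
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/ssl_server/dbserver.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/ssl_server/dbserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = dbserver
 SSL service name                         (SSL_SVCENAME) = 50000
 SSL versions                             (SSL_VERSIONS) = TLSV1
EOF

# Stand-alone run: report on both samples.
ssl_config_problems "$GOOD_CFG" "SSL,TCPIP" && echo "good.cfg: OK"
ssl_config_problems "$BAD_CFG" "TCPIP" || echo "bad.cfg: $? problem(s)"
```

The script deliberately reads a dump file rather than calling db2 itself, so it can be run by someone without the instance owner's shell, and it treats the DB2 default AUTOMATIC(MAX_COORDAGENTS) for MAX_CONNECTIONS as "concentrator inactive", because that setting pins MAX_CONNECTIONS to MAX_COORDAGENTS.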