Configuring TLS Support in a non-Java Db2 client using a keystore
You can configure Db2 database clients, such as CLI, CLP, and .Net Data Provider clients, to support Transport Layer Security (TLS) for communication with the Db2 server.
About this task
This task shows you how to configure TLS support in a non-Java Db2® client by using the signing certificate only. For information on how to configure TLS support using the certificate file only, see Configuring TLS Support in a non-Java Db2 client using a certificate file.
Procedure
Example
catalog TCPIP NODE mynode REMOTE 127.0.0.1 SERVER 50001 SECURITY SSL
catalog DATABASE sample AS myssldb AT NODE mynode
db2 update dbm cfg using SSL_CLNT_KEYDB /home/db2inst1/client.p12 SSL_CLNT_STASH /home/db2inst1/client.sth
If either the ssl_clnt_keydb or ssl_clnt_stash configuration parameter is null (unset), the connection fails and returns error SQL10013N with token GSKit Error: GSKit_return_code.
db2 connect to myssldb user user1 using password
You can also use the following statement to connect from an embedded SQL application:
strcpy(dbAlias, "myssldb");
EXEC SQL CONNECT TO :dbAlias USER :user USING :pswd;
Example 2: Connecting to a database from a CLI/ODBC application, using a connection string:
"Database=sampledb; Protocol=tcpip; Hostname=myhost; Servicename=50001;
Security=ssl; SSLClientKeystoredb=/home/db2inst1/client.p12;
SSLClientKeystash=/home/db2inst1/client.sth;"
Example 3: Connecting to a database from a CLI/ODBC application, using a db2cli.ini configuration file:
[sampledb]
Database=sampledb
Protocol=tcpip
Hostname=myhost
Servicename=50001
Security=ssl
SSLClientKeystoredb=/home/db2inst1/client.p12
SSLClientKeystash=/home/db2inst1/client.sth
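A pre-flight check for a db2cli.ini section like the one in Example 3, added here as an example and not taken from IBM's documentation: it confirms that Security=ssl and both keystore keywords are set, and that the keystore and stash files exist and are not accessible to group or other users. The function names, the [plaindb] section, and the temporary sample files are constructed for illustration; the permission check is an added hardening assumption, since the stash file holds the keystore password in obfuscated form.

```shell
# Added example (not IBM code): audit one DSN section of a db2cli.ini file.
# ini_get FILE SECTION KEYWORD: print the keyword's value (case-insensitive).
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        { sub(/[ \t\r]+$/, "") }
        /^\[/ { insec = (tolower($0) == tolower(sec)); next }
        insec && (i = index($0, "=")) {
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); sub(/^[ \t]+/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$1"
}

# check_tls_dsn FILE SECTION: print findings; exit status = number of findings.
check_tls_dsn() {
    findings=0
    mode=$(ini_get "$1" "$2" Security | tr 'A-Z' 'a-z')
    if [ "$mode" != ssl ]; then
        echo "[$2] Security is not ssl"
        findings=$((findings + 1))
    fi
    for key in SSLClientKeystoredb SSLClientKeystash; do
        path=$(ini_get "$1" "$2" "$key")
        if [ -z "$path" ]; then
            echo "[$2] $key is not set"
        elif [ ! -r "$path" ]; then
            echo "[$2] $key: $path is missing or unreadable"
        elif [ "$(ls -ldL "$path" | cut -c5-10)" != "------" ]; then
            echo "[$2] $key: $path is accessible to group or other users"
        else
            continue
        fi
        findings=$((findings + 1))
    done
    return "$findings"
}

# Constructed sample input; the directory $1 stands in for /home/db2inst1.
make_sample() {
    : > "$1/client.p12"; : > "$1/client.sth"
    chmod 644 "$1/client.p12" "$1/client.sth"
    printf '%s\n' '[sampledb]' 'Security=ssl' \
        "SSLClientKeystoredb=$1/client.p12" "SSLClientKeystash=$1/client.sth" \
        '[plaindb]' "SSLClientKeystoredb=$1/client.p12" > "$1/db2cli.ini"
}
demo=$(mktemp -d) && make_sample "$demo"
check_tls_dsn "$demo/db2cli.ini" sampledb || echo "sampledb: $? finding(s)"
chmod 600 "$demo/client.p12" "$demo/client.sth"
check_tls_dsn "$demo/db2cli.ini" sampledb && echo "sampledb: clean"
rm -rf "$demo"
```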
Example 4: Connecting to a database from a CLI/ODBC application, using the SQLDriverConnect function (CLI):
Use the FileDSN CLI/ODBC keyword to identify a DSN file from which a connection string is built for connecting to the Db2 server. You specify the value of FileDSN in the connection string of the SQLDriverConnect function.
[ODBC]
DRIVER=IBM DB2 ODBC DRIVER - DB2COPY1
UID=user1
AUTHENTICATION=SERVER
PORT=50001
HOSTNAME=myhost
PROTOCOL=TCPIP
DATABASE=SAMPLEDB
SECURITY=SSL
SSLClientKeystoredb=/home/db2inst1/client.p12
SSLClientKeystash=/home/db2inst1/client.sth
Example 5: Connecting to a database from a CLI/ODBC application or embedded SQL application, using the db2dsdriver.cfg configuration file.
If you are running Db2 11.5.7 or later, you can include the SSLServerCertificate keyword in the db2dsdriver.cfg configuration file to connect from an embedded SQL application.
<dsn alias="sample" host="myhost.ibm.com" name="sample" port="50001">
<parameter name="SSLClientKeystoredb" value="/home/db2inst1/client.p12"/>
<parameter name="SSLClientKeystash" value="/home/db2inst1/client.sth"/>
<parameter name="SecurityTransportMode" value="SSL"/>
</dsn>