75 ways to demystify DB2 #66: Best practices for SSL connection with IBM DB2 JDBC Driver (db2jcc)
As of now, many of our customers use the IBM DB2 JDBC Driver (db2jcc.jar/db2jcc4.jar) to connect to a DB2 server, and have configured both SSL and non-SSL database connectivity with end products such as WAS, OPM, Cloud and Data Studio. Many of you also continue to use JDBC SSL connections to access your database server. The tips in this post will help simplify SSL connectivity with the DB2 server.
SSL simplification: Many of you prefer to configure a CA-signed certificate instead of a self-signed one. If the DB2 instance is configured with a CA-signed certificate, the JDBC driver can establish an SSL connection to the DB2 server without the server's certificate being configured in the driver. This is a simpler way of validating SSL connections, because the step of configuring the server certificate is eliminated.
Configurable property for the SSL certificate with the JCC driver: In cloud environments, a more convenient and simpler way of specifying a trusted certificate is desired, so that an application needs fewer steps to go from having a trusted certificate to using it for SSL connections with JCC. For this, the JDBC driver provides the property "sslCertLocation", which an application can set to the location of a trusted certificate file. This removes the need to import the certificate into a Java truststore and the related driver configuration that is otherwise required.
Client certificate authentication without user ID and password: In the cybersecurity era, customers do not want to risk sending sensitive data such as a user ID and password over the network (secure or non-secure) in order to access the database server. The JDBC driver can create a secure connection to the data server without sending a user ID and password over the network. This is achieved with client certificate authentication and no user ID/password: the database server grants access by validating only the client certificate, so sensitive information such as the user ID and password does not have to be shared.
SSL certificates in a PKI card and the z/OS RACF keystore: Cyber crime is now a fact of life for the modern enterprise, and some of you may suffer a serious security incident and the embarrassment that comes with it. To enhance security and protect the company and its customers from internal and external attacks, the recommendation for the JDBC driver is to keep certificates in a more secure environment, such as a PKI card or the z/OS RACF keystore, instead of in a Java keystore on the filesystem.
Configure FIPS mode: If you plan to use the IBM Data Server Driver for JDBC and SQLJ in FIPS-compliant mode, you must set up an SSL port on the DB2 server, configure certificates on the DB2 server and in the client application, and set the com.ibm.jsse2.JSSEFIPS Java system property: -Dcom.ibm.jsse2.JSSEFIPS=true.
Setting up an application with the JCC driver to run in SP800-131a mode: The National Institute of Standards and Technology (NIST) originated the SP800-131a requirement that must be met for compliance. SP800-131a can be run in two modes, transition and strict. In transition mode, the JCC application must be run on a JRE that supports TLS 1.2, so that the application can connect to the server successfully using the SSL or TLS protocol. If you plan to use the IBM Data Server Driver for JDBC and SQLJ in transition mode, you must enable the TLSv1.2 protocol on the DB2 server and run the JCC application on a JRE that supports TLS 1.2. If you plan to use the IBM Data Server Driver for JDBC and SQLJ in strict mode, you must set the com.ibm.jsse2.sp800-131 Java system property: -Dcom.ibm.jsse2.sp800-131=strict
Winning SSL property: The SSL properties of the JDBC driver are configurable in several locations. The order of precedence among these locations, from highest to lowest, is: the override value (e.g. db2.jcc.override.sslConnection), the connection-level value (e.g. the value set in the Properties object passed as a connection argument), the DataSource value (e.g. the value set on the DataSource object), the global property value (e.g. db2.jcc.sslConnection), and the default value. This precedence order determines which SSL value wins and is applied to the connection.
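The following added example (not IBM's code or part of the original post) ties together the sslCertLocation property and the precedence order above: it opens an SSL connection that trusts the server's CA certificate from a file, while a deliberately conflicting global property is beaten by the override property. The host, port, database name, certificate path and credentials are assumed placeholders, and the JVM-level properties are set before the driver class is loaded.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class Db2SslConnect {
    // Assumed host, SSL port and database; replace with your DB2 server's values.
    private static final String URL = "jdbc:db2://db2host.example.com:50001/SAMPLE";

    // Connection-level properties: SSL on, trusting the CA certificate from a file
    // (sslCertLocation) instead of from a Java truststore.
    public static Properties sslProperties(String caCertPath, String user, String password) {
        Properties props = new Properties();
        // Connection-level value: beats db2.jcc.sslConnection and the DataSource
        // setting, but is itself beaten by db2.jcc.override.sslConnection.
        props.setProperty("sslConnection", "true");
        props.setProperty("sslCertLocation", caCertPath);
        if (user != null) {
            props.setProperty("user", user);
            props.setProperty("password", password);
        }
        return props;
    }

    // Global and override driver properties set as JVM system properties, as the
    // equivalent of -Ddb2.jcc.sslConnection=false -Ddb2.jcc.override.sslConnection=true.
    public static void applyJvmLevelSettings() {
        // Global property: second-lowest precedence, only above the driver default.
        System.setProperty("db2.jcc.sslConnection", "false");
        // Override property: highest precedence, so SSL stays on regardless of the
        // connection-level or DataSource values.
        System.setProperty("db2.jcc.override.sslConnection", "true");
    }

    public static void main(String[] args) throws SQLException {
        applyJvmLevelSettings();
        // Assumed certificate path and credentials.
        Properties props = sslProperties("/etc/db2/certs/db2-ca.arm", "db2inst1", "changeit");
        try (Connection conn = DriverManager.getConnection(URL, props);
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT 1 FROM SYSIBM.SYSDUMMY1")) {
            rs.next();
            System.out.println("SSL connection established, probe returned " + rs.getInt(1));
        }
    }
}
```

Passing null for the user makes the Properties object carry no credentials, which is the shape needed for the client certificate authentication described earlier once the client certificate itself is configured.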
- Co-author: Anuruddha Pandey.
- For any feedback or questions, please reach out to Anuruddha Pandey (email@example.com).