IBM Support

DB2 client SSL configuration experience for DB2 Z/OS connectivity

Technical Blog Post



Sometimes a real, successful hands-on example is more straightforward and can be a good supplement to the manuals.
It can save us anywhere from some hours to many days of trial and error.
In this blog, I will mainly introduce a simple example of SSL configuration on a DB2 client for connecting to DB2 z/OS.
This actually comes from one of my friends, who applied this approach to actual business systems.
-The DB2 Connect validation key was installed directly into the DB2 for z/OS database (i.e. server-based licensing) using the db2connectactivate command.
So there is no mid-tier DB2 Connect gateway server.
-On DB2 for z/OS, a DRDA secure port was defined for use with AT-TLS.
Server - DB2 V11 database on z/OS.
DB2 Connect Unlimited Edition V11.1.1
Client - DB2 V11.1.1a Runtime Client on Windows 7
<Steps in DB2 runtime client>
-Install GSKit on the DB2 client laptop.
-Obtain the CA signer certificate <certname>.cer from the mainframe
 and create a local keystore <kdbname>.kdb with the commands:
gsk8capicmd_64 -keydb -create -db "<kdbpath>\<kdbname>.kdb" -pw <pw> -stash
gsk8capicmd_64 -cert -add -db "<kdbpath>\<kdbname>.kdb" -pw <pw> -label <label> -file <certpath>\<certname>.cer -fips
-Catalog the node and database on the client with the commands:
db2 catalog tcpip node <node> remote <mfserver> server <secureport> security ssl
db2 catalog db <dbname> as <dbname> at node <node> authentication server
-Identify the keystore and stash file to the client by updating the dbm cfg with the commands:
db2 update dbm cfg using SSL_CLNT_KEYDB <kdbpath>\<kdbname>.kdb
db2 update dbm cfg using SSL_CLNT_STASH <kdbpath>\<kdbname>.sth
-Add the GSKit paths to PATH with the commands:
set PATH=C:\Program Files\IBM\gsk8\bin;%PATH%
set PATH=C:\Program Files\IBM\gsk8\lib64;%PATH%
Then 'db2 connect to <DBNAME> USER <username> using <password>' works successfully.
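As an added example (not part of the original post or of IBM's documentation), the batch script below checks the result of the steps above from a DB2 command window. The keystore path, certificate label, database name and user name in it are constructed placeholders.

```bat
@echo off
rem Added example: run in a DB2 command window (db2cmd) after the steps above.
rem Every value set below is a constructed placeholder; substitute your own.
setlocal
set "KDB=C:\db2ssl\client.kdb"
set "STH=C:\db2ssl\client.sth"
set "LABEL=zos_ca_signer"
set "DBNAME=ZOSDB"
set "DBUSER=myuser"
set "PATH=C:\Program Files\IBM\gsk8\bin;C:\Program Files\IBM\gsk8\lib64;%PATH%"

rem 1. The keystore and its stash file must both exist.
if not exist "%KDB%" (echo FAIL: keystore not found: %KDB% & exit /b 1)
if not exist "%STH%" (echo FAIL: stash file not found: %STH% & exit /b 1)

rem 2. The signer certificate must be readable under the expected label.
rem    -stashed takes the password from the .sth file, so it is not typed here.
rem    Compare the printed validity dates and fingerprint with the mainframe copy.
gsk8capicmd_64 -cert -details -db "%KDB%" -stashed -label "%LABEL%"
if errorlevel 1 (echo FAIL: cannot read label %LABEL% & exit /b 1)

rem 3. Anyone who can read the stash file can open the keystore, and anyone
rem    who can also write the .kdb can add a trusted signer. Review the ACLs.
icacls "%KDB%"
icacls "%STH%"

rem 4. Show what the CLP will actually use: the two dbm cfg parameters and
rem    the node entry (it should list the secure port and SSL security).
db2 get dbm cfg | findstr /C:"SSL_CLNT_KEYDB" /C:"SSL_CLNT_STASH"
db2 list node directory show detail

rem 5. Refresh the directory cache, then connect.
rem    Omitting "using <password>" makes the CLP prompt for the password,
rem    which keeps it out of the command history.
rem    The CLP returns 4 or higher when the command fails.
db2 terminate
db2 connect to %DBNAME% user %DBUSER%
if errorlevel 4 (echo FAIL: SSL connection to %DBNAME% failed & exit /b 1)
echo OK: connected to %DBNAME% over the SSL node
endlocal
```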
We can also refer to similar steps in the following manual.
Configuring Secure Sockets Layer (SSL) support in non-Java DB2 clients
This manual introduces steps for two kinds of clients:
-'CLP and embedded SQL clients'
-'CLI/ODBC client applications'
The 'db2' command running in the CLP (command line processor) is itself a kind of embedded SQL.
Therefore 'db2 connect to ~~' is a connection attempt made the CLP way.
This is why the example above had to include the steps that update the DBM CFG with 'SSL_CLNT_KEYDB' and 'SSL_CLNT_STASH'.
The definition of CLI is as follows:
"The DB2 Call-Level Interface (DB2 CLI) is an IBM standard for the DB2 family of database servers. It is tuned up for C/C++ API programming, and it is used for establishing connections, passing dynamic SQL statements, or calling persistent modules (like stored procedures).
DB2 CLI is based on the ODBC specification and the international standard for SQL/CLI. The DB2 CLI driver acts like a comparable ODBC driver, and it conforms to level 2 of ODBC 2.0 and level 1 of the ODBC 3.0. Some features of ODBC 3.0 level-2 conformance are also supported."
Lastly, let me also introduce one more useful link that has more detail about the terms and the SSL connectivity configuration.
<Configuring SSL for IBM Data Server Driver for ODBC and CLI>
Thank you, and I hope this helps DB2 mates who have to implement secure, encrypted communication between DB2 on mainframe z/OS and DB2 clients.