IBM Support

How to setup SSL Self Signed Certificate in Db2 Server

How To


Summary

This technote provides steps and a script to set up SSL in Db2 by using a Self-Signed Certificate on Linux and AIX.

Environment

Db2 11.1 and Db2 11.5 on Linux and AIX.

Steps

You can set up SSL on Db2 with a self-signed certificate by executing the following steps on the Db2 server:
1. Create Server Key Database
2. Create and Add Certificate to Server Key Database
3. Extract Certificate to file
4. Set up database manager parameter on Server
5. Create Client Key Database and Add Server Certificate
6. Set up database manager parameter on Client
You can use the following script to implement these steps on the Db2 server. The client steps catalog the server's own host name, so the same machine also acts as the SSL client.
#!/bin/sh
#
# Script to set up SSL in Db2 using a self-signed certificate
# Usage: ssl_setup.sh
# Run as the Db2 instance owner in the directory that will hold the key databases.
#
# Server parameter setting
LOCALDIR=`pwd`
PASSWORD=mypass
SERVER_KEYSTORE=keyserver.kdb
SERVER_STASH=keyserver.sth
SERVER_LABEL=serverLabel
SERVER_CERTIFICATE=keyserver.arm
SSL_PORT=51000
# Client parameter setting
CLIENT_KEYSTORE=keyclient.kdb
CLIENT_LABEL=clientLabel
CLIENT_STASH=keyclient.sth
HOSTNAME=`hostname`
NODENAME=sslnode
DBNAME=sample
DBALIAS=sampssl

# Db2 server side
# Enable the SSL communication protocol in addition to TCPIP
db2set DB2COMM=TCPIP,SSL
# Create Server key database (-stash writes the password file that the instance reads at start)
gsk8capicmd_64 -keydb -create -db $SERVER_KEYSTORE -pw $PASSWORD -stash
# Add a self-signed certificate to the server key database
# (replace the distinguished name with your own; C= is the two-letter ISO country code)
gsk8capicmd_64 -cert -create -db $SERVER_KEYSTORE -pw $PASSWORD -label $SERVER_LABEL -dn "CN=myhost.ibm.com,O=IBM,OU=myOrg,L=Paris,ST=IDF,C=FR" -default_cert yes
# Extract the certificate (public part only) to a file for distribution to clients
gsk8capicmd_64 -cert -extract -db $SERVER_KEYSTORE -pw $PASSWORD -label $SERVER_LABEL -target $SERVER_CERTIFICATE -format ascii -fips
# note: verify that server files were created: keyserver.arm  keyserver.crl  keyserver.kdb  keyserver.rdb  keyserver.sth
# Set Server dbm parameters
db2 update dbm cfg using SSL_SVR_KEYDB $LOCALDIR/$SERVER_KEYSTORE
db2 update dbm cfg using SSL_SVR_STASH $LOCALDIR/$SERVER_STASH
db2 update dbm cfg using SSL_SVR_LABEL $SERVER_LABEL
db2 update dbm cfg using SSL_SVCENAME $SSL_PORT

# Db2 client side
# Create the client key database
gsk8capicmd_64 -keydb -create -db $CLIENT_KEYSTORE -pw $PASSWORD -stash
# Add the server's self-signed certificate to the client key database as a trusted certificate
gsk8capicmd_64 -cert -add -db $CLIENT_KEYSTORE -pw $PASSWORD -label $CLIENT_LABEL -file $SERVER_CERTIFICATE -format ascii -fips
# note: verify that client files were created: keyclient.crl  keyclient.kdb  keyclient.rdb  keyclient.sth
# Set Client dbm parameters
db2 update dbm cfg using SSL_CLNT_KEYDB $LOCALDIR/$CLIENT_KEYSTORE
db2 update dbm cfg using SSL_CLNT_STASH $LOCALDIR/$CLIENT_STASH
# Catalog the server with the SSL port and SECURITY SSL
db2 catalog tcpip node $NODENAME remote $HOSTNAME server $SSL_PORT security ssl
db2 catalog db $DBNAME as $DBALIAS at node $NODENAME
db2 terminate

# Recycle the instance for the dbm cfg and DB2COMM changes to take effect
echo Recycle instance for change to take effect
db2stop force; db2start
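A verification pass for the configuration the script leaves behind, added here as an example and not part of the technote: it reads the SSL parameters from "db2 get dbm cfg" and DB2COMM from "db2set -all", and checks that the key database file set named in the notes above exists. The SAMPLE_* outputs and the /home/db2inst1 path are constructed; the parameter names, file names and port are the ones the script sets.

```shell
#!/bin/sh
# Post-setup check for the SSL configuration written by ssl_setup.sh (added example,
# not part of the IBM technote). SAMPLE_* values are constructed to mirror the
# "(PARAM) = value" lines of "db2 get dbm cfg" and the "[i] VAR=value" lines of "db2set -all".

# cfg_value <dbm-cfg-text> <PARAM>: print the parameter's value with trailing blanks removed.
cfg_value() {
  printf '%s\n' "$1" | sed -n "s/^.*($2) *= *//p" | sed 's/ *$//' | head -n 1
}
# check_ssl_cfg <dbm-cfg-text>: 0 only if every server-side SSL parameter has a value.
check_ssl_cfg() {
  rc=0
  for p in SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVR_LABEL SSL_SVCENAME; do
    if [ -z "$(cfg_value "$1" "$p")" ]; then
      echo "MISSING: $p is not set in the dbm cfg" >&2
      rc=1
    fi
  done
  return $rc
}
# check_db2comm <db2set-text>: 0 only if DB2COMM lists SSL (TCPIP alone is not enough).
check_db2comm() {
  printf '%s\n' "$1" | grep -E '^\[.] *DB2COMM=(.*,)?SSL(,.*)?$' >/dev/null
}
# check_keystore_files <dir> <basename>: 0 only if the .kdb/.sth/.rdb/.crl set is present.
check_keystore_files() {
  rc=0
  for ext in kdb sth rdb crl; do
    [ -f "$1/$2.$ext" ] || { echo "MISSING: $1/$2.$ext" >&2; rc=1; }
  done
  return $rc
}

# Constructed sample of a correctly configured instance (values from ssl_setup.sh).
SAMPLE_CFG=' SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keyserver.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keyserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = serverLabel
 SSL service name                         (SSL_SVCENAME) = 51000'
SAMPLE_COMM='[i] DB2COMM=TCPIP,SSL'

# Check the live instance when db2 is on PATH, otherwise the constructed sample.
if command -v db2 >/dev/null 2>&1; then
  CFG=$(db2 get dbm cfg); COMM=$(db2set -all)
else
  CFG=$SAMPLE_CFG; COMM=$SAMPLE_COMM
fi
if check_ssl_cfg "$CFG" && check_db2comm "$COMM"; then
  echo "SSL dbm parameters and DB2COMM are complete"
else
  echo "SSL configuration incomplete: rerun ssl_setup.sh, then db2stop/db2start"
fi
```

On a real instance, also run check_keystore_files against the directory the script was executed in (LOCALDIR) with the basename keyserver to confirm the key database set the server parameters point to.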

Document Location

Worldwide


Document Information

Modified date:
16 October 2023

UID

ibm17052770