Setting up SSL on the database server (Db2)

You can configure a secure connection between the OpenPages® database on IBM® Db2® and the OpenPages application servers. You can also set up a secure connection between the OpenPages database and Cognos®. First, you need to set up SSL on Db2.

Note: If you already have a keystore for SSL, skip this task. Go to Configuring application and reporting servers to use a secure connection to the database (Db2).

Procedure

  1. Stop all application servers and all reporting servers.
  2. Stop the OpenPages database.
    1. Log on to the database server as the OpenPages database instance owner (by default db2inst1 on Linux® or db2admin on Windows).
    2. Run the following commands:
      db2 deactivate db <op_database_name>
      db2stop

      Replace <op_database_name> with the name of the OpenPages database, for example opx.

  3. Enable SSL (TLS) on the database server.

    Do these steps as the OpenPages database instance owner.

    1. Create or choose a keystore directory to store the database key.
      For example: /home/db2inst1/sqllib/security/keystore/
    2. Go to the Db2 gskit/bin directory. This is the directory where the gsk8capicmd_64 utility is stored.
      For example: /opt/ibm/db2/V11.5/gskit/bin/ or /home/db2inst1/sqllib/gskit/bin/.
      Tip: The PATH environment variable might already include the gskit/bin directory.
    3. Run the following command:
      gsk8capicmd_64 -keydb -create -db <keystore_directory>/<db_key_name>.p12 -pw "<db_key_password>" -type pkcs12 -stash
      • Replace <keystore_directory> with the directory in step 3.a.
      • Replace <db_key_name> with the name of the keystore file (.p12).
      • Replace <db_key_password> with the password of the keystore.
      On Linux for example:
      ./gsk8capicmd_64 -keydb -create -db /home/db2inst1/sqllib/security/keystore/opx_db.p12 -pw "mypassword" -type pkcs12 -stash
    4. Run the following command:
      gsk8capicmd_64 -cert -create -db "<keystore_directory>/<db_key_name>.p12" -pw "<db_key_password>" -stashed -label "<certificate_name>" -dn "CN=<host_name>, O=<company>, L=<city>, ST=<state>, C=<country>" -size 2048 -sigalg SHA256withRSA
      On Linux for example:
      ./gsk8capicmd_64 -cert -create -db "/home/db2inst1/sqllib/security/keystore/opx_db.p12" -pw "mypassword" -stashed -label "opx_selfsigned_cert" -dn "CN=mydbserver,O=IBM Corp,L=Boston,ST=MA,C=US" -size 2048 -sigalg SHA256withRSA
    You now have a self-signed certificate for the OpenPages database.
  4. Update Db2 configuration parameters.
    1. Run the following commands in sequence. Wait for each command to complete before you run the next command:
      db2 update dbm cfg using SSL_SVR_KEYDB <keystore_directory>/<db_key_name>.p12
      db2 update dbm cfg using SSL_SVR_STASH <keystore_directory>/<db_key_name>.sth
      db2 update dbm cfg using SSL_SVR_LABEL <certificate_name>
      db2 update dbm cfg using SSL_SVCENAME <db2_ssl_port>
      db2set -i <db_user_name> DB2COMM=SSL,TCPIP
      For example:
      db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/keystore/opx_db.p12
      db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/sqllib/security/keystore/opx_db.sth
      db2 update dbm cfg using SSL_SVR_LABEL opx_selfsigned_cert
      db2 update dbm cfg using SSL_SVCENAME 50051
      db2set -i db2inst1 DB2COMM=SSL,TCPIP
    2. If you have another database server, repeat these steps on the other database server.
  5. Start the OpenPages database.
    1. Log on to the database server as the OpenPages database instance owner (by default db2inst1 on Linux or db2admin on Windows).
    2. Run the following commands:
      db2start
      db2 activate db <op_database_name>
  6. Configure your firewall to allow connections to the SSL port for Db2.
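
The following script is an added example, not part of the IBM documentation: it emits the keystore, certificate and dbm cfg commands from steps 3 and 4 with the placeholders filled in (so they can be reviewed before they run), and adds a check to run after step 5 that confirms the SSL port answers a TLS handshake with the expected certificate. It assumes gsk8capicmd_64, db2 and openssl are on PATH; the chmod on the keystore and stash file is a hardening step added here, not a step on this page.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code). Builds the Db2 SSL setup command sequence
# and checks the resulting listener. Assumes gsk8capicmd_64, db2 and openssl
# are on PATH when the emitted commands are executed.
set -eu

# Print the setup commands for steps 3 and 4. Review the output, then run it
# as the instance owner with: db2_ssl_setup_commands ... | bash
# Args: keystore_dir key_name key_password cert_label dn ssl_port instance
db2_ssl_setup_commands() {
  local keystore_dir=$1 key_name=$2 key_pw=$3 label=$4 dn=$5 port=$6 instance=$7
  local keydb="$keystore_dir/$key_name.p12" stash="$keystore_dir/$key_name.sth"
  # The .sth stash file holds the keystore password in obfuscated form, so
  # both files are restricted to the instance owner (added hardening).
  cat <<EOF
gsk8capicmd_64 -keydb -create -db "$keydb" -pw "$key_pw" -type pkcs12 -stash
gsk8capicmd_64 -cert -create -db "$keydb" -pw "$key_pw" -stashed -label "$label" -dn "$dn" -size 2048 -sigalg SHA256withRSA
chmod 600 "$keydb" "$stash"
db2 update dbm cfg using SSL_SVR_KEYDB "$keydb"
db2 update dbm cfg using SSL_SVR_STASH "$stash"
db2 update dbm cfg using SSL_SVR_LABEL "$label"
db2 update dbm cfg using SSL_SVCENAME "$port"
db2set -i "$instance" DB2COMM=SSL,TCPIP
EOF
}

# After db2start (step 5), confirm that the SSL port completes a TLS handshake
# and presents a certificate whose CN matches the host given in the -dn.
# Args: host ssl_port expected_cn
db2_ssl_check() {
  local host=$1 port=$2 expected_cn=$3 subject
  subject=$(openssl s_client -connect "$host:$port" </dev/null 2>/dev/null |
            openssl x509 -noout -subject) ||
    { echo "no TLS listener on $host:$port" >&2; return 1; }
  case "$subject" in
    *"CN=$expected_cn"*|*"CN = $expected_cn"*) echo "ok: $subject" ;;
    *) echo "certificate CN mismatch: $subject" >&2; return 1 ;;
  esac
}
```

Run db2_ssl_check from an application or reporting server host as well, so that the firewall rule from step 6 is verified together with the certificate.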

What to do next

Configure WebSphere Liberty to connect to Db2 by using the secure connection. For more information, see Configuring application and reporting servers to use a secure connection to the database (Db2).