Securing IBM Db2 for LUW database connections

Introduction

The IBM Db2® for LUW (Linux, UNIX, and Windows) database system supports the Transport Layer Security (TLS) protocol, which enables a client to validate the certificate of a Db2 server and provides private communication between the client and server through encryption. For more information, see the TLS configuration of Db2 section in the IBM Db2 11.5 documentation.

The TLS protocol is a client/server cryptographic protocol. It is based on the earlier Secure Sockets Layer (SSL) specifications developed by Netscape Corporation for securing communications over Transmission Control Protocol/Internet Protocol (TCP/IP) sockets. The TLS and SSL protocols are designed to run at the application level; therefore, an application must be designed and coded to use TLS/SSL protection.

Prerequisites

Configure IBM Db2 for LUW with TLS support for IBM AD

Generate a .kdb keystore for Db2 server instance

Note: The .kdb keystore and the .sth password stash files use an IBM proprietary keystore format.
Procedure:
  1. Open a command prompt or a terminal window and add gsk8 to the system PATH variables.
    set PATH="C:\Program Files\ibm\gsk8\bin";%PATH%
    set PATH="C:\Program Files\ibm\gsk8\lib64";%PATH%
  2. Create a keystore file and a stash file.
    gsk8capicmd_64 -keydb -create -db "<KEYSTORE_FILENAME>.kdb" -pw "<KEYSTORE_PASSWORD>" -stash
    Example:
    mkdir c:\certificates
    cd c:\certificates
    gsk8capicmd_64 -keydb -create -db "db2.kdb" -pw "password" -stash
  3. Make sure that the .kdb, .crl, .rdb, and .sth files are present in the output folder.
  4. Create a new certificate in the keystore.
    gsk8capicmd_64 -cert -create -db "db2.kdb" -pw "password" -label "ibm_ad_db2" -dn "CN=IBM" -size 2048 -sigalg SHA256_WITH_RSA
  5. Extract the certificate to a file; it is used later to generate a client .kdb keystore for IBM AD Build Client.
    gsk8capicmd_64 -cert -extract -db "db2.kdb" -pw "password" -label "ibm_ad_db2" -target "db2.arm" -format ascii -fips

Secure the Db2 instance with .kdb keystore and a new certificate

Procedure:
  1. Go to Start Menu > IBM DB2 (instance name) > DB2 Command Window - Administrator.
  2. Get the name of your Db2 instance by executing:
    db2 get instance

    Output:

    The current database manager instance is: DB2

  3. Edit C:\Windows\System32\drivers\etc\services and add db2c_<INSTANCE_NAME>_ssl <SSL_PORT>/tcp. Example:
    db2c_DB2_ssl 50001/tcp
  4. Execute the following commands after adjusting the path to the keystore.
    db2 update dbm cfg using SSL_SVR_KEYDB "<KEYSTORE_FILE_PATH>" 
    db2 update dbm cfg using SSL_SVR_STASH "<STASH_FILE_PATH>"
    db2 update dbm cfg using SSL_SVCENAME <SSL_SERVICE_NAME>
    db2 update dbm cfg using SSL_SVR_LABEL <CERTIFICATE_LABEL>
    db2 update dbm cfg using SSL_VERSIONS TLSV12
    
    Example:
    db2 update dbm cfg using SSL_SVR_KEYDB "c:\certificates\db2.kdb" 
    db2 update dbm cfg using SSL_SVR_STASH "c:\certificates\db2.sth"
    db2 update dbm cfg using SSL_SVCENAME db2c_DB2_ssl
    db2 update dbm cfg using SSL_SVR_LABEL ibm_ad_db2
    db2 update dbm cfg using SSL_VERSIONS TLSV12
    
  5. Check if the Db2 configuration has been updated correctly.
    db2 get dbm cfg
  6. Configure Db2 for SSL-only mode or for mixed mode.
    1. To run in SSL-only mode, execute:
      db2set -i DB2 DB2COMM=SSL
    2. To run in mixed mode (SSL and TCP/IP), execute:
      db2set -i DB2 DB2COMM=SSL,TCPIP
  7. Check if the communication mode has been applied.
    db2set -all
  8. Restart Db2.
    db2stop
    db2start
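The settings from steps 3 to 7 are easy to get subtly wrong (a service name with no port entry, an older SSL_VERSIONS value, or a DB2COMM that still accepts plaintext TCP/IP). The following script is an added example and is not part of the IBM documentation or the Db2 product: it parses constructed excerpts of the services file, the `db2 get dbm cfg` output and the `db2set -all` output, and reports inconsistencies. The sample strings, the expected label `ibm_ad_db2` and the function names are assumptions for the example; on a real server, replace the sample strings with the actual command output.

```python
"""Added example (not IBM's code): consistency check for the Db2 TLS server
settings configured in steps 3-7.  Inputs are constructed samples of the
services file, 'db2 get dbm cfg' and 'db2set -all' output."""
import re

# Constructed excerpt of C:\Windows\System32\drivers\etc\services (step 3)
SERVICES_SAMPLE = """\
# constructed sample
echo                7/tcp
db2c_DB2            50000/tcp
db2c_DB2_ssl        50001/tcp
"""

# Constructed excerpt of 'db2 get dbm cfg' output (step 5)
DBM_CFG_SAMPLE = """\
 SSL server keydb file                   (SSL_SVR_KEYDB) = c:\\certificates\\db2.kdb
 SSL server stash file                  (SSL_SVR_STASH) = c:\\certificates\\db2.sth
 SSL server certificate label           (SSL_SVR_LABEL) = ibm_ad_db2
 SSL service name                         (SSL_SVCENAME) = db2c_DB2_ssl
 SSL versions                             (SSL_VERSIONS) = TLSV12
"""

# Constructed excerpt of 'db2set -all' output (step 7), mixed mode
DB2SET_SAMPLE = """\
[i] DB2COMM=SSL,TCPIP
[g] DB2INSTDEF=DB2
"""

REQUIRED = ("SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVR_LABEL",
            "SSL_SVCENAME", "SSL_VERSIONS")


def parse_services(text):
    """Map service name -> TCP port for the /tcp entries of a services file."""
    ports = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()        # drop comments
        m = re.match(r"(\S+)\s+(\d+)/tcp\b", line)
        if m:
            ports[m.group(1)] = int(m.group(2))
    return ports


def parse_dbm_cfg(text):
    """Map the parameter keyword shown in parentheses -> its value."""
    cfg = {}
    for line in text.splitlines():
        m = re.search(r"\(([A-Z0-9_]+)\)\s*=\s*(.*)$", line)
        if m:
            cfg[m.group(1)] = m.group(2).strip()
    return cfg


def parse_db2set(text):
    """Map registry variable -> value from 'db2set -all' output ([i]/[g] lines)."""
    reg = {}
    for line in text.splitlines():
        m = re.match(r"\[[a-z]\]\s+(\w+)=(.*)$", line.strip())
        if m:
            reg[m.group(1)] = m.group(2).strip()
    return reg


def check_tls_config(services_text, dbm_cfg_text, db2set_text, expected_label):
    """Return a list of findings; an empty list means the settings are consistent."""
    findings = []
    ports = parse_services(services_text)
    cfg = parse_dbm_cfg(dbm_cfg_text)
    reg = parse_db2set(db2set_text)

    for key in REQUIRED:                             # every step-4 parameter must be set
        if not cfg.get(key):
            findings.append(f"{key} is not set")
    svc = cfg.get("SSL_SVCENAME")
    if svc and svc not in ports:                     # step 3: service name needs a port
        findings.append(f"SSL_SVCENAME {svc} has no /tcp entry in the services file")
    if cfg.get("SSL_VERSIONS") and cfg["SSL_VERSIONS"] != "TLSV12":
        findings.append(f"SSL_VERSIONS is {cfg['SSL_VERSIONS']}, expected TLSV12")
    if cfg.get("SSL_SVR_LABEL") and cfg["SSL_SVR_LABEL"] != expected_label:
        findings.append(f"SSL_SVR_LABEL is {cfg['SSL_SVR_LABEL']}, expected {expected_label}")
    comm = [c.strip().upper() for c in reg.get("DB2COMM", "").split(",") if c.strip()]
    if "SSL" not in comm:                            # step 6: TLS listener is off
        findings.append("DB2COMM does not include SSL; the TLS listener will not start")
    elif "TCPIP" in comm:                            # mixed mode still accepts plaintext
        findings.append("DB2COMM is in mixed mode (SSL,TCPIP): unencrypted connections are still accepted")
    return findings


if __name__ == "__main__":
    for finding in check_tls_config(SERVICES_SAMPLE, DBM_CFG_SAMPLE,
                                    DB2SET_SAMPLE, "ibm_ad_db2"):
        print("FINDING:", finding)
```

With the constructed samples the only finding is the mixed-mode warning, which is the expected result when you deliberately keep TCP/IP enabled during migration; once DB2COMM is set to SSL only, the check returns no findings.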

Create the Audit database

You must manually create the Audit database before you run the IBM AD Configuration Wizard. To create the Audit database, use the Db2 database client, or start the Db2 command window and execute the following statement:
db2 create database EZAUDIT using codeset UTF-8 territory en PAGESIZE 16384

Configure Hypertext transfer protocol secure (HTTPS) as a default connection protocol in IBM AD Configuration Server

Procedure:
  1. Open a command prompt or a terminal window and navigate to the folder where the Db2 for LUW certificates have been generated.

    Example: cd c:\certificates

  2. Import the exported db2.arm certificate into the previously generated .jks files for both the server and the client certificate packages by using the following command:
    keytool -import -trustcacerts -alias <ALIAS> -file <DB2_EXPORTED_CERT> -keystore <JAVA_KEYSTORE> -storepass <KEYSTORE_PASSWORD>
    Examples:
    keytool -import -trustcacerts -alias ibm_ad_db2 -file db2.arm -keystore server.jks -storepass password
    keytool -import -trustcacerts -alias ibm_ad_db2 -file db2.arm -keystore client.jks -storepass password
  3. Go to the Configuring Security Settings section and follow the steps to upload all the security files in IBM AD Configuration Server.

Add an IBM Db2 relational database server in IBM AD Configuration Server

By adding an IBM Db2 relational database, you correctly configure the connection between IBM® AD and IBM Db2 for LUW with TLS.

Procedure:
  1. Access Start Menu > IBM Application Discovery and Delivery Intelligence > Launch IBM Application Discovery Configuration Service Admin, and go to Configure > Environments > "Your environment" > Servers and security > Relational database server. The Relational Database Server settings page is displayed.
  2. To add an IBM Db2 relational database server, click the Add button. The Add Relational Database Server page is displayed.
  3. Enter an appropriate name (alias) for the IBM Db2 relational database server.
  4. Make sure that IBM Db2 is selected as a database server type.
  5. Enter the host name or the IP of the computer where the IBM Db2 database server is installed.
  6. Enter the port for IBM Db2 for LUW with TLS.
  7. Make sure that the Use TLS checkbox is checked to enable Transport Layer Security (TLS) communication with Db2 for LUW.
  8. (Optional) Enter the name of any database on the selected server; this database name is used to test the connection.
  9. Enter the username and password of the IBM Db2 for LUW server instance.
  10. By clicking Test Connection, you can test the connection to your database. If the test connection succeeds, click Save.

Configure the Database names

  1. Access Start Menu > IBM Application Discovery and Delivery Intelligence > Launch IBM Application Discovery Configuration Service Admin, and go to Configure > Environments > "Your environment" > Servers and security > Database names. The Database Names settings page is displayed.
  2. Associate the Db2 for LUW database server that was already defined under the Managing a Relational Database Server section.
  3. Enter the Audit Database name that was defined in the Create the Audit database step.
  4. Click Save.

Configure IBM AD Build to use a Db2 server instance

Procedure:
  1. Open a command prompt or a terminal window and navigate to the folder where the db2.arm certificate is located.
  2. Create a new .kdb empty keystore file.
    gsk8capicmd_64 -keydb -create -db "db2client.kdb" -pw "password" -stash
  3. Import the db2.arm certificate into the db2client.kdb keystore.
    gsk8capicmd_64 -cert -add -db "db2client.kdb" -pw "password" -label "ibm_ad_db2" -file "db2.arm" -format ascii
  4. If the Db2 server instance is not on the same machine as IBM AD Build Client, make sure to follow the steps in the IBM Db2 for LUW Server Configurations topic.
  5. Point the Db2 client instance to the db2client files.
    db2 update dbm cfg using SSL_CLNT_KEYDB C:\certificates\db2client.kdb SSL_CLNT_STASH C:\certificates\db2client.sth
  6. Restart Db2.
    db2stop
    db2start

(Optionally) Set the special variables for IBM AD Build Client when it is installed on a different machine than IBM AD Configuration Server and Db2 for LUW is configured with TLS

Important: The following steps are required only when both of the following conditions are met:
  1. IBM AD Build Client is installed on a different machine than IBM AD Configuration Server.
  2. IBM Db2 for LUW is configured with TLS.
Procedure:
  1. On the machine where IBM AD Configuration Server is installed, go to c:\certificates and make sure that the server.jks file is present. Copy the server.jks file on the machine where IBM AD Build Client is installed.
  2. Manually perform the following steps:
    1. On the machine where IBM AD Build Client is installed, go to <IBM ADDI Installation Folder>\IBM Application Discovery Build Client\Bin\Release\conf folder.
    2. Open the jvm.options file by using a text editor.
    3. Add the following lines:
      javax.net.ssl.keyStore=<path of the server.jks file>
      javax.net.ssl.keyStorePassword=<encrypted password>
      javax.net.ssl.trustStore=<path of the server.jks file>
      javax.net.ssl.trustStorePassword=<encrypted password>
      Where:
      • javax.net.ssl.keyStore - expects the location on the disk where the keystore was stored.
      • javax.net.ssl.keyStorePassword - expects the password of the keystore that was used when setting Hypertext transfer protocol secure (HTTPS) as a default connection protocol in IBM AD Configuration Server. For more information, see Configuring Security Settings.
        Note: The password of the keystore is already stored in the jvmargs.txt file on the machine where Hypertext transfer protocol secure (HTTPS) was set as a default connection protocol in IBM AD Configuration Server.
      • javax.net.ssl.trustStore - expects the location on the disk where the truststore was stored.
      • javax.net.ssl.trustStorePassword - expects the password of the truststore that was used when setting Hypertext transfer protocol secure (HTTPS) as a default connection protocol in IBM AD Configuration Server. For more information, see Configuring Security Settings.
        Note: The password of the truststore is already stored in the jvmargs.txt file on the machine where Hypertext transfer protocol secure (HTTPS) was set as a default connection protocol in IBM AD Configuration Server.