When you have created your keystore and digital certificate, and distributed the certificate to your Db2 client machines, you are ready to configure TLS support on your Db2 server. Configuration is done by setting database manager configuration parameters that reference the keystore, stash file and certificate label you created, and by enabling TLS in the DB2COMM registry variable.
Procedure
- Set the SSL_SVR_KEYDB and SSL_SVR_STASH database manager configuration parameters to reference the key store and stash file that were created earlier. These must be fully qualified paths.
db2 update dbm cfg using SSL_SVR_KEYDB /path/to/server.p12
db2 update dbm cfg using SSL_SVR_STASH /path/to/server.sth
- Set the SSL_SVR_LABEL configuration parameter to the label of the digital certificate created in the step Create a self-signed certificate.
db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
- Set the SSL_SVCENAME configuration parameter to the port on which Db2 listens for TLS connections.
If both TCP/IP and TLS are enabled (the DB2COMM registry variable is set to TCPIP,SSL), SSL_SVCENAME must be a different port from svcename, the configuration parameter that sets the port on which Db2 listens for plain TCP/IP connections. If you set SSL_SVCENAME to the same port as svcename, neither TCP/IP nor TLS is enabled, so check both values before restarting the instance.
db2 update dbm cfg using SSL_SVCENAME 25001
- Set the SSL_VERSIONS parameter to TLSV12. The default TLS version in Db2 11.5 is TLS 1.1, which is deprecated.
db2 update dbm cfg using SSL_VERSIONS TLSV12
- Starting in Db2 11.5.8, support for TLS 1.3 is available. To enable both TLS 1.3 and TLS 1.2 support, set SSL_VERSIONS to TLSV12,TLSV13.
db2 update dbm cfg using SSL_VERSIONS TLSV12,TLSV13
- Optional: Set the SSL_CIPHERSPECS parameter to indicate which cipher suites are to be used. If you leave SSL_CIPHERSPECS null (unset), IBM Global Security Kit (GSKit) picks the strongest available cipher suite that is supported by both the client and the server. See Supported cipher suites for information about which cipher suites are available.
- Add the value SSL to the DB2COMM registry variable. SSL is the DB2COMM value that enables the TLS listener.
db2set -i db2inst1 DB2COMM=SSL
where db2inst1 is the Db2 instance name.
The database manager can support multiple protocols at the same time. For example, to enable both TCP/IP and TLS communication protocols, run the following command:
db2set -i db2inst1 DB2COMM=SSL,TCPIP
- Restart the Db2 instance so that the new configuration parameters and registry variable take effect:
db2stop
db2start
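The whole procedure above as one script, added here as an example and not part of IBM's Db2 documentation or tooling: it checks the inputs before anything touches the instance (fully qualified keystore and stash paths, a TLS port distinct from svcename, only TLSV12 or TLSV13 in SSL_VERSIONS) and then prints the db2 and db2set commands in the order the steps prescribe, ending with the restart. The instance name db2inst1, the paths under /home/db2inst1, the svcename port 50000 and the label myselfsigned are assumed sample values, not settings from the page; substitute your own.

```shell
#!/bin/sh
# Added example, not IBM Db2 code. Pre-flight checks for the TLS settings
# from the procedure above, then emits the db2/db2set commands in order.
# Nothing here runs db2 itself; pipe the output to sh to apply it.

# Succeed if $1 is a fully qualified path (required for SSL_SVR_KEYDB/STASH).
is_abs_path() {
    case "$1" in
        /*) return 0 ;;
        *)  return 1 ;;
    esac
}

# Succeed if the TLS port ($2) is set and differs from the TCP/IP port ($1).
# Setting SSL_SVCENAME equal to svcename disables both listeners.
ports_distinct() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" != "$2" ]
}

# Succeed if $1 is a non-empty comma-separated list containing only
# TLSV12 or TLSV13 (the deprecated TLSV1/TLSV11 values are rejected).
versions_allowed() {
    _list=$(printf '%s' "$1" | tr ',' ' ')
    [ -n "$_list" ] || return 1
    for _v in $_list; do
        case "$_v" in
            TLSV12|TLSV13) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Validate the inputs, then print the configuration commands one per line.
# Usage: db2_tls_commands INSTANCE KEYDB STASH LABEL SVCENAME SSL_SVCENAME VERSIONS
db2_tls_commands() {
    _inst=$1; _keydb=$2; _stash=$3; _label=$4
    _svc=$5; _sslsvc=$6; _vers=$7
    [ -n "$_inst" ] || { echo "instance name is required" >&2; return 1; }
    is_abs_path "$_keydb" || { echo "SSL_SVR_KEYDB must be fully qualified: '$_keydb'" >&2; return 1; }
    is_abs_path "$_stash" || { echo "SSL_SVR_STASH must be fully qualified: '$_stash'" >&2; return 1; }
    [ -n "$_label" ] || { echo "SSL_SVR_LABEL is required" >&2; return 1; }
    ports_distinct "$_svc" "$_sslsvc" || { echo "SSL_SVCENAME '$_sslsvc' must differ from svcename '$_svc'" >&2; return 1; }
    versions_allowed "$_vers" || { echo "SSL_VERSIONS must list only TLSV12/TLSV13: '$_vers'" >&2; return 1; }
    cat <<EOF
db2 update dbm cfg using SSL_SVR_KEYDB $_keydb
db2 update dbm cfg using SSL_SVR_STASH $_stash
db2 update dbm cfg using SSL_SVR_LABEL $_label
db2 update dbm cfg using SSL_SVCENAME $_sslsvc
db2 update dbm cfg using SSL_VERSIONS $_vers
db2set -i $_inst DB2COMM=SSL,TCPIP
db2stop
db2start
EOF
}

# Dry run with assumed sample values (instance db2inst1, keystore under
# /home/db2inst1, svcename 50000). Apply with:  db2_tls_commands ... | sh
db2_tls_commands db2inst1 /home/db2inst1/server.p12 /home/db2inst1/server.sth \
    myselfsigned 50000 25001 TLSV12,TLSV13
```

Run it as the instance owner and review the printed commands before piping them to sh. The restart is deliberately the last line: the updated dbm cfg values and DB2COMM are only read when the instance starts, and a port clash between svcename and SSL_SVCENAME would otherwise leave the instance with no listener at all.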
What to do next
Your Db2 server is now configured for secure communication with supported Db2 clients, using TLS.