Configuring TLS support on a Db2 server

When you have created your keystore and digital certificate, and distributed the certificate to your Db2 client machines, you are ready to configure TLS support on your Db2 server. Configuration is done by adding values to the Database Manager configuration file that you set when you created your self-signed certificate.

Procedure

  1. Set the SSL_SVR_KEYDB and SSL_SVR_STASH database manager configuration parameters to reference the key store and stash file that were created earlier. These must be fully qualified paths.
    db2 update dbm cfg using SSL_SVR_KEYDB /path/to/server.p12
    db2 update dbm cfg using SSL_SVR_STASH /path/to/server.sth
  2. Set the ssl_svr_label configuration parameter to the label of the digital certificate created in the step Create a self-signed certificate.
    db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
  3. Set the SSL_SVCENAME configuration parameter to the port on which Db2 listens for TLS connections.
    If TCP/IP and TLS are both enabled (the DB2COMM registry variable is set to SSL,TCPIP), you must set SSL_SVCENAME to a port that is different from the one set in svcename. The svcename configuration parameter sets the port on which Db2 listens for TCP/IP connections.
    If you set SSL_SVCENAME to the same port as svcename, neither TCP/IP nor TLS is enabled.
    db2 update dbm cfg using SSL_SVCENAME 25001
  4. Set the SSL_VERSIONS parameter to TLSV12. The default TLS version in Db2 11.5 is TLS 1.1, which is deprecated.
    db2 update dbm cfg using SSL_VERSIONS TLSV12 
  5. Starting in Db2 11.5.8, support for TLS 1.3 is available. To enable both TLS 1.3 and TLS 1.2 support, set SSL_VERSIONS to TLSV12,TLSV13.
    db2 update dbm cfg using SSL_VERSIONS TLSV12,TLSV13
    Note: Restrictions to the allowed certificate types and key sizes apply when TLS 1.3 is enabled. For more information, see First steps in enabling TLS in Db2 servers and clients.
  6. Optional: Set the SSL_CIPHERSPECS parameter to indicate what cipher suites are to be used. If you leave ssl_cipherspecs as null (unset), IBM Global Security Kit (GSKit) can pick the strongest available cipher suite that is supported by both the client and the server. See Supported cipher suites for information about which cipher suites are available.
  7. Add the value SSL (the value that enables TLS) to the DB2COMM registry variable.
    db2set -i db2inst1 DB2COMM=SSL
    where db2inst1 is the Db2 instance name.
    The database manager can support multiple protocols at the same time.
    For example, to enable both TCP/IP and TLS communication protocols, run the following command:
    db2set -i db2inst1 DB2COMM=SSL,TCPIP
  8. Restart the Db2 instance:
    db2stop
    db2start
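As an added example (not part of the IBM documentation), the following POSIX shell script reads a saved "db2 get dbm cfg" listing and checks the settings from steps 1 to 5: fully qualified key store and stash paths, a certificate label, an SSL_SVCENAME that differs from svcename, and SSL_VERSIONS limited to TLSV12 and TLSV13. The listings it writes under /tmp are constructed samples, not real instance output; the function names and file paths are assumptions of this example, and the DB2COMM registry value from step 7 is not in the dbm cfg listing, so it is not checked here.

```shell
# Checks a saved "db2 get dbm cfg" listing against the TLS settings above.
# Listing lines look like "  SSL server keydb file (SSL_SVR_KEYDB) = /x.p12".
cfg_value() {   # cfg_value <PARAM> <file>: prints the value, empty if unset
    sed -n "s/.*($1) = *//p" "$2" | head -n 1
}
# Returns 0 when the listing follows the procedure, 1 otherwise; every
# finding is printed on its own line.
check_tls_cfg() {
    _cfg="$1"; _rc=0
    for _p in SSL_SVR_KEYDB SSL_SVR_STASH; do     # step 1: fully qualified paths
        case "$(cfg_value "$_p" "$_cfg")" in
            /*) ;;
            *)  echo "$_p must be a fully qualified path"; _rc=1 ;;
        esac
    done
    [ -n "$(cfg_value SSL_SVR_LABEL "$_cfg")" ] || { echo "SSL_SVR_LABEL is not set"; _rc=1; }
    _ssl=$(cfg_value SSL_SVCENAME "$_cfg"); _tcp=$(cfg_value SVCENAME "$_cfg")
    if [ -z "$_ssl" ]; then
        echo "SSL_SVCENAME is not set"; _rc=1
    elif [ "$_ssl" = "$_tcp" ]; then   # step 3: same port disables both listeners
        echo "SSL_SVCENAME equals SVCENAME ($_ssl)"; _rc=1
    fi
    _ver=$(cfg_value SSL_VERSIONS "$_cfg")       # steps 4-5: only TLS 1.2 / 1.3
    [ -n "$_ver" ] || { echo "SSL_VERSIONS unset (default is deprecated TLS 1.1)"; _rc=1; }
    _ifs=$IFS; IFS=,
    for _v in $_ver; do
        case "$_v" in
            TLSV12|TLSV13) ;;
            *) echo "SSL_VERSIONS allows $_v; use TLSV12 or TLSV12,TLSV13"; _rc=1 ;;
        esac
    done
    IFS=$_ifs
    return $_rc
}
# Constructed sample listing (not real output): write_sample <file> <ssl_port> <versions>
write_sample() {
    cat >"$1" <<EOF
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/server.p12
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/server.sth
 SSL server certificate label            (SSL_SVR_LABEL) = myselfsigned
 SSL service name                         (SSL_SVCENAME) = $2
 SSL versions                             (SSL_VERSIONS) = $3
EOF
}
write_sample /tmp/db2_tls_good.cfg 25001 TLSV12,TLSV13
write_sample /tmp/db2_tls_bad.cfg 50000 TLSV11,TLSV12
check_tls_cfg /tmp/db2_tls_good.cfg && echo "good listing: OK"
check_tls_cfg /tmp/db2_tls_bad.cfg || echo "bad listing: problems found"
```

To check a real instance, run "db2 get dbm cfg > /tmp/dbm.cfg" as the instance owner and then "check_tls_cfg /tmp/dbm.cfg".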

What to do next

Your Db2 server is now configured for secure communication with supported Db2 clients, using TLS.