Enabling TLS 1.3 in a Db2 environment where TLS is already in use

You can enable TLS 1.3 support in a Db2 environment that already uses TLS.

Before you begin

  • Ensure that the certificate that is chosen for the Db2 database manager SSL_SVR_LABEL configuration parameter uses a SHA-256, SHA-384, or SHA-512 signature algorithm.
  • If the certificate uses an RSA public key, ensure the key size is 2048 bits or greater. Run the gsk8capicmd_64 command with the -cert -details option to determine the certificate details.
  • If the certificate does not meet these restrictions, it must be recreated before continuing.
  • If HADR is in use and the HADR_SSL_LABEL database configuration parameter is set, the certificate referenced by HADR_SSL_LABEL must not use a SHA-224 signature algorithm. If the certificate referenced by HADR_SSL_LABEL uses a SHA-224 signature algorithm, it must be recreated before continuing.
    Note: For backward compatibility, HADR allows the use of SHA-1 certificates and RSA key sizes less than 2048 bits for HADR when TLS 1.3 is enabled. Support for SHA-1 and RSA key sizes less than 2048 bits is deprecated and may not be available in a future release.
  • Review the page First steps in enabling TLS in Db2 servers and clients to learn about the restrictions and changes that apply when enabling TLS 1.3.

Procedure

When you are sure that your Db2 instance meets all of the prerequisite conditions, complete the following steps to enable TLS 1.3 on a Db2 server.

  1. Update the Db2 server to version 11.5.8 or greater.
  2. Update the SSL_VERSIONS database manager configuration parameter to TLSV13:
    db2 update dbm cfg using SSL_VERSIONS TLSV13
    In an environment with clients that do not support TLS 1.3, multiple TLS versions can be specified:
    db2 update dbm cfg using SSL_VERSIONS TLSV13,TLSV12
  3. Optional: Review the list of cipherspecs supported with TLS 1.3 and update the SSL_CIPHERSPECS database manager configuration parameter.

Example

In the following example, the certificate uses a SHA-256 signature algorithm and an RSA public key with a key size of 2048 bits, so it meets the prerequisites:
$ db2 get dbm cfg

          Database Manager Configuration
...
 SSL server certificate label            (SSL_SVR_LABEL) = myselfsigned

$ db2 get db cfg for test

       Database Configuration for Database test
...
 HADR SSL certificate label             (HADR_SSL_LABEL) =


$ gsk8capicmd_64 -cert -details -db /home/db2inst1/ssl.p12 -stashed -label myselfsigned
Label : myselfsigned
Key Size : 2048
   ...
Public Key Type : RSA (1.2.840.113549.1.1.1)
   ...
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
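As an added example (not part of the IBM documentation), the following POSIX shell function applies the certificate prerequisites listed above to the text printed by gsk8capicmd_64 -cert -details, in a server mode for SSL_SVR_LABEL and an hadr mode for HADR_SSL_LABEL. The function name and the sample certificate outputs are constructed for this example.

```sh
# Added example, not IBM code: apply this page's TLS 1.3 certificate prerequisites
# to the text printed by "gsk8capicmd_64 -cert -details".
#   server mode (default): signature must be SHA-256/384/512; RSA key >= 2048 bits.
#   hadr mode: only SHA-224 is rejected (SHA-1 and small RSA keys are still allowed).
# Reads the certificate details on stdin; returns 0 on pass, 1 on fail.
check_tls13_cert() {
    mode=${1:-server}
    details=$(cat)
    sig=$(printf '%s\n' "$details" | sed -n 's/^Signature Algorithm *: *\([^ ]*\).*/\1/p')
    keytype=$(printf '%s\n' "$details" | sed -n 's/^Public Key Type *: *\([^ ]*\).*/\1/p')
    keysize=$(printf '%s\n' "$details" | sed -n 's/^Key Size *: *\([0-9]*\).*/\1/p')
    if [ "$mode" = "hadr" ]; then
        case "$sig" in
            SHA224With*) echo "FAIL (HADR): SHA-224 signature is not allowed with TLS 1.3"; return 1 ;;
        esac
        echo "OK (HADR): $sig"
        return 0
    fi
    case "$sig" in
        SHA256With*|SHA384With*|SHA512With*) ;;
        *) echo "FAIL: signature algorithm '$sig' is not SHA-256, SHA-384 or SHA-512"; return 1 ;;
    esac
    if [ "$keytype" = "RSA" ] && [ "${keysize:-0}" -lt 2048 ]; then
        echo "FAIL: RSA key size ${keysize:-unknown} is below 2048 bits"; return 1
    fi
    echo "OK: $sig, $keytype key of $keysize bits"
    return 0
}

# Constructed sample outputs in the gsk8capicmd_64 -cert -details layout.
GOOD_CERT='Label : myselfsigned
Key Size : 2048
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)'
SHA1_CERT='Label : legacy
Key Size : 2048
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)'
SMALL_RSA_CERT='Label : small
Key Size : 1024
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)'
SHA224_CERT='Label : hadr224
Key Size : 2048
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA224WithRSASignature (1.2.840.113549.1.1.14)'
# Check the page's own example certificate; against a live keystore, pipe in the output of
#   gsk8capicmd_64 -cert -details -db /home/db2inst1/ssl.p12 -stashed -label myselfsigned
printf '%s\n' "$GOOD_CERT" | check_tls13_cert
```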

What to do next

  • Update your non-Java and Java-based clients to Db2 11.5.8 or later; these clients support TLS 1.3 automatically.
  • Enforce TLS 1.3 by setting the TLSVersion parameter in the db2cli.ini, db2dsdriver.cfg, or connection string to TLSV13.
    <parameter name="TLSVersion" value="TLSV13"/>
  • Enforce the TLS version for a specific cataloged database by adding an entry to the db2dsdriver.cfg configuration file, with a matching database name, host, and port number. See Enforcing TLS for databases present in the system catalogs.
  • Enforce the TLS version for all databases (both in the system catalogs and in the db2dsdriver.cfg) by setting the TLSVersion in the global parameters section. See Enforcing TLS for databases present in the system catalogs.