Enabling TLS 1.3 in a Db2 environment where TLS is already in use
You can enable TLS 1.3 support in a Db2 environment that already uses TLS.
Before you begin
Note: To enable TLS in a new environment, see these topics:
- Ensure that the certificate that is chosen for the Db2 database manager SSL_SVR_LABEL configuration parameter uses an SHA-256, SHA-384, or SHA-512 signature algorithm.
- If the certificate uses an RSA public key, ensure the key size is 2048 bits or greater. Run the gsk8capicmd_64 command with the -cert -details option to determine the certificate details.
- If the certificate does not meet these restrictions, it must be recreated before continuing.
- If HADR is in use and the HADR_SSL_LABEL database configuration parameter is set, the certificate referenced by HADR_SSL_LABEL must not use a SHA-224 signature algorithm. If the certificate referenced by HADR_SSL_LABEL uses a SHA-224 signature algorithm, it must be recreated before continuing. Note: For backward compatibility, HADR allows the use of SHA-1 certificates and RSA key sizes less than 2048 bits for HADR when TLS 1.3 is enabled. Support for SHA-1 and RSA key sizes less than 2048 bits is deprecated and may not be available in a future release.
- Review the page First steps in enabling TLS in Db2 servers and clients to learn about the restrictions and changes that apply when enabling TLS 1.3.
Procedure
When you are sure that your Db2 instance meets all of the prerequisite conditions, complete the following steps to enable TLS 1.3 on a Db2 server.
Example
$ db2 get dbm cfg
Database Manager Configuration
...
SSL server certificate label (SSL_SVR_LABEL) = myselfsigned
$ db2 get db cfg for test
Database Configuration for Database test
...
HADR SSL certificate label (HADR_SSL_LABEL) =
$ gsk8capicmd_64 -cert -details -db /home/db2inst1/ssl.p12 -stashed -label myselfsigned
Label : myselfsigned
Key Size : 2048
...
Public Key Type : RSA (1.2.840.113549.1.1.1)
...
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)
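The following shell check is an added example, not part of the Db2 documentation: it reads the gsk8capicmd_64 -cert -details output shown above and applies the prerequisites from the Before you begin list, with a "server" mode for the SSL_SVR_LABEL certificate and an "hadr" mode for the HADR_SSL_LABEL certificate. The function names field and check_cert and the sample dumps are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the Db2 documentation: check "gsk8capicmd_64 -cert -details"
# output against the TLS 1.3 prerequisites. "server" = SSL_SVR_LABEL rules (SHA-256/384/512
# signature, RSA >= 2048 bits); "hadr" = HADR_SSL_LABEL rule (SHA-224 rejected; SHA-1 and
# short RSA keys accepted for backward compatibility but reported as deprecated).

# field NAME: print the value after "NAME : " from the details text on stdin.
field() {
  awk -v name="$1" -F' : ' '{ sub(/^[ \t]+/, "", $1) } $1 == name { print $2; exit }'
}

# check_cert MODE: read a details dump on stdin; return 0 when it meets the rules.
check_cert() {
  mode=${1:-server}
  dump=$(cat)
  sig=$(printf '%s\n' "$dump" | field 'Signature Algorithm')
  ktype=$(printf '%s\n' "$dump" | field 'Public Key Type')
  ksize=$(printf '%s\n' "$dump" | field 'Key Size')
  rc=0
  case $mode in
    server)
      case $sig in
        SHA256*|SHA384*|SHA512*) ;;
        *) echo "FAIL: signature algorithm '$sig' is not SHA-256/384/512"; rc=1 ;;
      esac
      case $ktype in
        RSA*) [ "${ksize:-0}" -ge 2048 ] || { echo "FAIL: RSA key size ${ksize:-?} < 2048"; rc=1; } ;;
      esac ;;
    hadr)
      case $sig in
        SHA224*) echo "FAIL: HADR certificate must not use SHA-224"; rc=1 ;;
        SHA1*) echo "WARN: SHA-1 is accepted for HADR but deprecated" ;;
      esac
      case $ktype in
        RSA*) [ "${ksize:-0}" -ge 2048 ] || echo "WARN: RSA key < 2048 bits accepted for HADR but deprecated" ;;
      esac ;;
  esac
  [ "$rc" -eq 0 ] && echo "OK: certificate meets the TLS 1.3 $mode prerequisites"
  return "$rc"
}

# Constructed sample dumps (only the fields the check reads), not real gsk8capicmd output.
GOOD_DUMP='Label : myselfsigned
Key Size : 2048
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA256WithRSASignature (1.2.840.113549.1.1.11)'
OLD_DUMP='Key Size : 1024
Public Key Type : RSA (1.2.840.113549.1.1.1)
Signature Algorithm : SHA1WithRSASignature (1.2.840.113549.1.1.5)'
```

Against a live keystore, pipe the real command into the check, for example gsk8capicmd_64 -cert -details -db /home/db2inst1/ssl.p12 -stashed -label myselfsigned | check_cert server, and repeat with the HADR label and check_cert hadr where HADR_SSL_LABEL is set.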
What to do next
- Update your non-Java and Java-based clients to Db2 11.5.8 or later, as these clients support TLS 1.3 automatically.
- Enforce TLS 1.3 by setting the TLSVersion parameter in the db2cli.ini, db2dsdriver.cfg, or connection string to TLSV13. For example, in db2dsdriver.cfg:
<parameter name="TLSVersion" value="TLSV13"/>
- Enforce the TLS version for a specific cataloged database by adding an entry to the db2dsdriver.cfg configuration file, with a matching database name, host, and port number. See Enforcing TLS for databases present in the system catalogs.
- Enforce the TLS version for all databases (both in the system catalogs and in the db2dsdriver.cfg) by setting the TLSVersion in the global parameters section. See Enforcing TLS for databases present in the system catalogs.