First steps in enabling TLS in Db2 servers and clients

Db2 11.5.8 servers and clients support Transport Layer Security (TLS) 1.3. Before enabling TLS 1.3, ensure you are aware of the specific changes that affect certificate use, as well as best practices for supporting older clients.

Certificate use and TLS 1.3

Certain restrictions apply when enabling TLS 1.3 on Db2 servers and supported clients:
  • When TLS 1.3 support is enabled in a Db2 server, the certificate chosen must use a SHA-2 hash algorithm such as SHA256, SHA384, or SHA512. SHA-1 and SHA-224 are not supported. In addition, RSA certificates must use a 2048-bit or larger key size.
  • Starting in 11.5.8, non-Java Db2 clients enable TLS 1.3 by default. For improved compatibility with existing installations, non-Java clients allow RSA key sizes less than 2048 bits and SHA-1 certificates when falling back to TLS 1.2 or 1.1. For improved security, set the following values:
    • Set the TLSVersion client configuration keyword to TLSV13, to enforce the TLS 1.3 protocol.
    • Set the RSA key size to a minimum of 2048 bits.
    • Use SHA-256 or better certificates.
  • Because TLS 1.3 is enabled, non-Java clients cannot connect to Db2 servers using SHA-224 certificates. To allow these connections, either re-generate the server certificate using SHA-256 or better, or explicitly restrict the client to TLS 1.2 or lower using the TLSVersion configuration keyword.
  • For backward compatibility, SHA-1 certificates can be used for the connection between a primary database and standby database in an HADR environment. Support for SHA-1 certificates with TLS is deprecated and might not be supported in a future release.
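
The server-side restrictions above can be checked before TLS 1.3 is enabled. The following is an added example, not IBM code: it assumes the server certificate is available as a file that `openssl x509 -noout -text` can read, and the function name and the sample certificate excerpts are constructed for illustration.

```shell
# Added example (not IBM code). Reads `openssl x509 -noout -text` output on
# stdin and checks it against the TLS 1.3 certificate restrictions above.
# Exit status: 0 = meets them, 1 = violates them, 2 = needs manual review.
check_db2_tls13_cert() {
    text=$(cat)
    sigalg=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    pkalg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: *//p' | head -n 1)
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" | sed -n 's/^.*Public-Key: (\([0-9][0-9]*\) bit).*$/\1/p' | head -n 1)

    case $(printf '%s' "$sigalg" | tr '[:upper:]' '[:lower:]') in
        *sha1*|*sha224*)
            echo "FAIL: signature algorithm $sigalg (SHA-1/SHA-224 not supported)"; return 1 ;;
        *sha256*|*sha384*|*sha512*) ;;
        *)  # e.g. rsassaPss, where the hash is listed on later lines
            echo "REVIEW: cannot tell the hash from '${sigalg:-<none>}'"; return 2 ;;
    esac

    if [ "$pkalg" = "rsaEncryption" ]; then
        if [ -z "$bits" ]; then
            echo "REVIEW: RSA key size not found"; return 2
        elif [ "$bits" -lt 2048 ]; then
            echo "FAIL: RSA key is $bits bits (minimum 2048)"; return 1
        fi
    fi
    echo "OK: $sigalg, $pkalg ${bits:+$bits bits}"
}

# Constructed excerpts of `openssl x509 -noout -text` output (not real certificates).
CERT_OK='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)'
CERT_SHA1='        Signature Algorithm: sha1WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'
CERT_SHORT='        Signature Algorithm: sha256WithRSAEncryption
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)'

for c in "$CERT_OK" "$CERT_SHA1" "$CERT_SHORT"; do
    printf '%s\n' "$c" | check_db2_tls13_cert || true
done
```

Against a real file the call is `openssl x509 -in server.crt -noout -text | check_db2_tls13_cert`, where `server.crt` is a placeholder name.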

Supporting older clients

If TLS 1.3 is enabled as the only protocol, older clients that do not support TLS 1.3 cannot connect to Db2. If your environment contains clients that do not support TLS 1.3, enable both TLS 1.3 and TLS 1.2. This can be done by setting the SSL_VERSIONS database manager configuration parameter to TLSV12,TLSV13.

TLS 1.3 is not supported by the following clients:
  • All versions of Db2 9.7, 10.1, 10.5, and 11.1 clients
  • Db2 11.5.7 and earlier clients
  • IBM Java releases earlier than 8.0.6.25

When TLS 1.3 support is enabled, non-Java clients that only support TLS 1.1 cannot connect to Db2, even if the TLS 1.1 protocol is enabled. If your Db2 environment uses any of the following Db2 clients, upgrade those clients:
  • Db2 9.7 FP8 and earlier 9.7 clients
  • Db2 10.1 FP3 and earlier 10.1 clients
  • Db2 10.5 FP2 and earlier 10.5 clients

The following clients support TLS 1.2:
  • Db2 9.7 FP9 and later 9.7 clients
  • Db2 10.1 FP4 and later 10.1 clients
  • Db2 10.5 FP3 and later 10.5 clients
  • All 11.1 and 11.5 clients

Java clients using a runtime environment that does not support TLS 1.3 must ensure that the SSL socket factory provided by the JRE does not use an SSLv2-compatible client hello. This can be achieved by prepending "SSLv2Hello" to the value of jdk.tls.disabledAlgorithms in the java.security configuration file:

 jdk.tls.disabledAlgorithms=SSLv2Hello, ...

The configuration file is typically found under jre/lib/security/java.security.