Secure Sockets Layer (SSL) support
Db2 database uses self signed certificate for SSL communication. You can download the certificate from the web console to trust your clients.
Secure Sockets Layer (SSL) is a security protocol that provides communication privacy. SSL enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL-enabled client applications use standard encryption techniques to help ensure secure communication.
Configuring your applications to connect to the Db2 database with SSL depends on your company policy. Both the standard and the SSL protocols that you can use to connect to the database transmit user names and passwords as encrypted data. If you want to ensure complete end-to-end security, transmit all database information, including sensitive data and metadata, through an SSL connection.
Configuring your Db2 client
- Download the IBM Global Security Kit (GSKit) by selecting the GSKit appropriate for your operating system (OS).
- Install the IBM Global Security Kit (GSKit). See the following links for instructions:
Note: GSKit is required for non-JDBC applications like .NET and embedded SQL (i.e. db2 command line processor). Whereas with JCC/JDBC the configuration of SSL/TLS (i.e. keystore database, keystore password) is done within Java and via JDBC properties/keywords. Note that CLPPlus uses JDBC connectivity as well so no IBM Global Security Kit (GSKit) required.For more details, see IBM Global Security Kit global installation instructions overview.
- Set environment variable paths:
- AIX: LIBPATH
/usr/opt/ibm/gsk8/lib
- Linux: LD_LIBRARY_PATH
/usr/local/ibm/gsk8/lib
- UNIX: LD_LIBRARY_PATH
/opt/ibm/gsk8/lib
- Windows:
PATH
<installation_directory>\gsk8\bin
<installation_directory>\gsk8\lib
(lib64
for IBM Global Security Kit (GSKit) 64-bit)
- AIX: LIBPATH
- Extract the certificate.
Go to
on the web console to download the certificate. The file's namedDigiCertGlobalRootCA.crt
.The certificate is also available at /mnt/blumeta0/db2/ssl_keystore/rootCA.pem inside the database container. You can extract it totmp
with this command:
or access it directly withdocker cp dashDB:/mnt/blumeta0/db2/ssl_keystore/rootCA.pem /tmp
<host volume>/db2/ssl_keystore/rootCA.pem
- Create keystore:
gsk8capicmd_64 -keydb -create -db "mykeystore.kdb" -pw "passw0rd" -stash
Note: You must have the ability to write to the directory or you will get an error. The above command creates two files:mykeystore.kdb
andmykeystore.sth
in the current directory. These files will be used in subsequent steps. - Add SSL certificate to the keystore:
gsk8capicmd_64 -cert -add -db “mykeystore.kdb” -pw “passw0rd” -label ACIBLUDB_SSL -file c:\ssl\ACI_DigiCertGlobalRootCA.crt
- Update the Db2 database manager:
db2 update dbm cfg using SSL_CLNT_KEYDB c:\PROGRA~1\IBM\gsk8\mykeystore.kdb SSL_CLNT_STASH c:\PROGRA~1\IBM\gsk8\mykeystore.sth
Note: On Windows,Program Files
must usePROGRA~1
.
Connecting to your database
- [Optional] If you use Data Studio, you can now connect to the
database by selecting port
50001
andsslConnection=true
. - Catalog the node and
database:
db2 catalog tcpip node ACICLD_S remote <IP_address_of_BLUDB_database_server> server 50001 security SSL
db2 catalog db BLUDB as ACIBLU_S at node ACICLD_S
- Connect to your database with an SSL
connection:
db2 terminate db2 connect to ACIBLU_S user <user_name> using <password>