Enabling TLS connections for a Db2 database
Use this procedure to enable TLS communication with Db2 databases.
Before you begin
Procedure
- Set up the Db2 server with TLS v1.2.
- Install Db2 server v11.5 and upgrade to v11.5.7.0 version.
Install the Db2 server base version v11.5 and then upgrade it to the v11.5.7.0 version.
- Install the Global Security Kit.
Install the Global Security Kit which will be used to create the keystore and certificate.
See IBM Global Security Kit global installation instructions overview
- Create a keystore with GSKit.
From a terminal window, run the following command to create a keystore:
gsk8capicmd_64 -keydb -create -db server.p12 -pw myServerPassw0rdpw0 -stashFor parameter descriptions, see Creating a keystore with GSKit
- Create a self-signed certificate with GSKit.
Open GSKit and run the following command:
gsk8capicmd_64 -cert -create -db server.p12 -stashed -label myselfsigned -dn "CN=myserver.mycomFor parameter descriptions, see Creating a self-signed certificate with GSKit
- Extract the self-signed certificate from the keystore.
Extract your self-signed certificate by running the following GSKit command:
gsk8capicmd_64 -cert -extract -db server.p12 -stashed -label <myselfsigned> -target <myselfsigned.crt> -format asciiFor parameter descriptions, see Distributing a self-signed certificate to your Db2 clients
- Configure TLS support on your Db2 server.
Set the
SSL_SVR_KEYDBand SSL_SVR_STASH database manager configuration parameters to reference the key store and stash file that were created earlier. These must be fully qualified paths:db2 update dbm cfg using SSL_SVR_KEYDB /path/to/server.p12 db2 update dbm cfg using SSL_SVR_STASH /path/to/server.sthSet the
ssl_svr_labelconfiguration parameter to the label of the digital certificate created earlier.db2 update dbm cfg using SSL_SVR_LABEL myselfsignedSet the
SSL_SVCENAMEconfiguration parameter to the port on which Db2 listens for TLS connections.db2 update dbm cfg using SSL_SVCENAME 25001Set the
SSL_VERSIONSparameter to TLSV12.db2 update dbm cfg using SSL_VERSIONS TLSV12Add the value
TLSto the DB2COMM registry variable.db2set -i db2inst1 DB2COMM=SSLWhere:
db2inst1is the Db2 instance name.The database manager can support multiple protocols at the same time. For example, to enable both TCP/IP and TLS communication protocols, run the following command:
db2set -i db2inst1 DB2COMM=SSL,TCPIPSee Configuring TLS support on a Db2 server
The following example shows database manager configurations for TLS v1.2:
SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/db2/server.p12 SSL server stash file (SSL_SVR_STASH) = /home/db2inst1/db2/server.sth SSL server certificate label (SSL_SVR_LABEL) = myselfsigned SSL service name (SSL_SVCENAME) = 25001 SSL cipher specs (SSL_CIPHERSPECS) = SSL versions (SSL_VERSIONS) = TLSV12 SSL client keydb file (SSL_CLNT_KEYDB) = SSL client stash file (SSL_CLNT_STASH) = - Restart the Db2 instance.
- db2stop - db2start
- Install Db2 server v11.5 and upgrade to v11.5.7.0 version.
- Set up the Impact server connecting on TLS v1.2 with the Db2 server.
- Enable the SSL on the Impact server by running the configImpactSSL.sh script. The default SSL is TLS v1.2.
- Import the myselfsigned.crt generated above to the Impact
truststore:
/opt/IBM/tivoli/impact/sdk/jre/bin/keytool -import -alias db2certmyselfsigned -file myselfsigned.crt -keystore trust.jks - Restart the Impact server.
- Set up the Db2 server with TLS v1.3.
- Install Db2 server v11.5 and upgrade to v11.5.8.0 version.
Install the Db2 server base version v11.5 and then upgrade it to the v11.5.8.0 version.
- Enable TLS v1.3 support in the new Db2 environment where TLS v1.2 was not already in
use.
To enable TLS v1.3 in a new environment, see the following topics:
IBM Global Security Kit global installation instructions overview
Creating a keystore with GSKit
Creating a self-signed certificate with GSKit
- Enable TLS v1.3 in a Db2 environment where TLS v1.2 is already in use.
Update the
SSL_VERSIONSdatabase manager configuration to TLSV13:db2 update dbm cfg using SSL_VERSIONS TLSV13See Enabling TLS 1.3 in a Db2 environment where TLS is already in use
The following example shows database manager configurations for TLS v1.3:
SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/db2/server.p12 SSL server stash file (SSL_SVR_STASH) = /home/db2inst1/db2/server.sth SSL server certificate label (SSL_SVR_LABEL) = myselfsigned SSL service name (SSL_SVCENAME) = 25001 SSL cipher specs (SSL_CIPHERSPECS) = SSL versions (SSL_VERSIONS) = TLSV13 SSL client keydb file (SSL_CLNT_KEYDB) = SSL client stash file (SSL_CLNT_STASH) = - Restart the Db2 instance.
- db2stop - db2start
- Install Db2 server v11.5 and upgrade to v11.5.8.0 version.
- Set up the Impact server connecting on TLS v1.3 with Db2 server.
- Enable the SSL on the Impact server by running the configImpactSSL.sh script. The default SSL is TLS v1.2.
- Enable the SSL with TLS v1.3 on Impact server by running the configImpactTLSv13.sh script.
- Import the myselfsigned.crt generated above to the Impact server
truststore:
/opt/IBM/tivoli/impact/sdk/jre/bin/keytool -import -alias db2certmyselfsigned -file myselfsigned.crt -keystore trust.jks - Set the Db2 driver props file to use SSL version TLS v1.3.
For example, in the file $IMPACT_HOME/etc/NCI_com.ibm.db2.jcc.DB2Driver_myDB2ds.props, add the following property:
sslVersion=TLSv1.3Where:
NCIin the Db2 driver props file is the name of the Impact server.myDB2dsin the Db2 driver props file is the name of your Db2 data source name. - Restart the Impact server. Note: To establish secured TLS connection between DB2 and Impact, both DB2 and Impact should be at the same TLS level.