Security in IBM Db2 Event Store Enterprise Edition
IBM® Db2® Event Store Enterprise Edition uses several different security features.
Installation credentials
To install IBM Db2 Event Store, you must have root access and passwordless ssh into the root account.
SSL
IBM Db2 Event Store uses SSL/TLS to encrypt communication between the cluster and remote client applications.
If you configure an SMTP service so that IBM Db2 Event Store can email notifications to users and administrators, you can configure IBM Db2 Event Store to use a secure SSL port to communicate with your SMTP server.
HTTPS
If you plan to use your own SSL certificate and private key (both in PEM format) to enable an HTTPS connection to the IBM Db2 Event Store console, you can change the default certificate using the /wdp/utils/change_nginx_cert.sh script.
All HTTPS traffic, including REST API calls, is encrypted with TLS.
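Before handing a certificate and key to change_nginx_cert.sh it is worth confirming that the pair is actually usable by nginx: both files are PEM, the key is not passphrase-protected (nginx cannot prompt for one at startup), the key really belongs to the certificate, and the certificate is not about to expire. The following pre-flight script is an added example, not IBM's script; it assumes the openssl CLI is installed, and the arguments of change_nginx_cert.sh itself are not shown on this page, so the script only checks the files and leaves the final invocation to you.

```shell
#!/bin/sh
# Pre-flight checks on a PEM certificate/key pair before giving it to
# /wdp/utils/change_nginx_cert.sh. Added example; not IBM's script.
# Assumes the openssl CLI is installed. Both file paths are arguments.
set -u

# pem_has_block FILE LABEL -> 0 if FILE contains a "-----BEGIN LABEL-----" line.
pem_has_block() {
  grep -q -- "-----BEGIN $2-----" "$1" 2>/dev/null
}

# check_cert_key_pair CERT KEY -> 0 only when the pair is usable by nginx:
#   - the key is not passphrase-protected (nginx cannot prompt at startup),
#   - both files are PEM,
#   - the public key in CERT is the one derived from KEY,
#   - CERT stays valid for at least another 30 days.
check_cert_key_pair() {
  cert=$1; key=$2
  if pem_has_block "$key" "ENCRYPTED PRIVATE KEY" \
     || grep -q '^Proc-Type: 4,ENCRYPTED' "$key" 2>/dev/null; then
    echo "$key is passphrase-protected; nginx cannot start unattended with it" >&2
    return 1
  fi
  pem_has_block "$cert" CERTIFICATE || { echo "$cert: no PEM certificate" >&2; return 1; }
  pem_has_block "$key" "PRIVATE KEY" || pem_has_block "$key" "RSA PRIVATE KEY" \
    || pem_has_block "$key" "EC PRIVATE KEY" \
    || { echo "$key: no PEM private key" >&2; return 1; }
  # Compare the SubjectPublicKeyInfo blocks; this works for RSA and EC keys alike.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
    || { echo "$cert: openssl cannot parse it" >&2; return 1; }
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "$key: openssl cannot parse it" >&2; return 1; }
  [ "$cert_pub" = "$key_pub" ] || { echo "$key does not belong to $cert" >&2; return 1; }
  # 2592000 s = 30 days; -checkend fails if the cert expires before then.
  openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1 \
    || { echo "$cert expires within 30 days (or has already expired)" >&2; return 1; }
  # Warn (do not fail) if the key is readable by group or others.
  if [ -n "$(find "$key" -perm /077 2>/dev/null)" ]; then
    echo "warning: $key is readable by group/others; chmod 0600 it" >&2
  fi
  return 0
}

# Usage: sh check_cert.sh /path/to/fullchain.pem /path/to/privkey.pem
if [ $# -eq 2 ]; then
  check_cert_key_pair "$1" "$2" \
    && echo "OK: pair is consistent; pass these files to /wdp/utils/change_nginx_cert.sh"
fi
```

Run it against the exact files you intend to install; a passing check means nginx will at least be able to load the pair, which is the failure you least want to discover after the console is already down for the certificate swap.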
Inter-node communication
IBM Db2 Event Store supports Transport Layer Security (TLS) to encrypt data in transit, both for client-server communication and for access to Cloud Object Storage (COS). For inter-node communication within the cluster, a best practice is to place the cluster on a private network so that this traffic is isolated, for both security and performance.
Tokens
IBM Db2 Event Store requires a bearer token to authenticate the user calling the REST APIs. Each token is valid for 13 hours after it is issued, after which a new token must be obtained.
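A 13-hour lifetime is long enough that scripts tend to cache the token and short enough that an overnight job can hit expiry mid-run. The client sketch below is an added example, not IBM's client: it caches the token with its issue time, renews it with a safety margin before the 13 hours are up, and passes it to curl through a header file rather than on the command line so it does not leak into process listings or shell history. It assumes ES_URL is the console base URL, CA_FILE is the CA that signed the console certificate (so -k is never needed), TOKEN_PATH is the token endpoint documented for your release, and that endpoint returns JSON with the token in a field assumed here to be called accessToken; credentials are read from ~/.netrc by curl -n.

```shell
#!/bin/sh
# Bearer-token handling for Db2 Event Store REST calls with curl. Added
# example, not IBM's client. Assumptions: ES_URL (console base URL), CA_FILE
# (CA that signed the console cert), TOKEN_PATH (token endpoint for your
# release) and the JSON field name accessToken are all placeholders.
set -eu

TOKEN_LIFETIME=$((13 * 3600))   # documented lifetime: 13 hours
REFRESH_MARGIN=$((15 * 60))     # renew when fewer than 15 minutes remain
TOKEN_CACHE="${TOKEN_CACHE:-${HOME:-/tmp}/.eventstore_token}"

# token_is_fresh ISSUED_AT NOW -> 0 while a token issued at ISSUED_AT (epoch
# seconds) still has more than REFRESH_MARGIN of its lifetime left at NOW.
token_is_fresh() {
  remaining=$(( $1 + TOKEN_LIFETIME - $2 ))
  [ "$remaining" -gt "$REFRESH_MARGIN" ]
}

# bearer_header_file TOKEN FILE -> writes the Authorization header to FILE with
# mode 0600 so curl can read it with -H @FILE (curl 7.55+); the token then
# never appears in `ps` output or shell history.
bearer_header_file() {
  ( umask 077; printf 'Authorization: Bearer %s\n' "$1" > "$2" )
}

# fetch_token -> prints a new token. Credentials come from ~/.netrc (mode 0600)
# via -n, so the password is not on the command line either. Endpoint path and
# JSON field are assumptions (see above).
fetch_token() {
  curl -sS -n --cacert "$CA_FILE" "$ES_URL${TOKEN_PATH:?set TOKEN_PATH for your release}" \
    | jq -r '.accessToken'
}

# es_get PATH -> GET $ES_URL/PATH with a cached token, renewing it before the
# 13-hour expiry so a long-running job never fails mid-run on a stale token.
es_get() {
  now=$(date +%s); issued=0; token=""
  if [ -f "$TOKEN_CACHE" ]; then
    read -r issued token < "$TOKEN_CACHE"
  fi
  if [ -z "$token" ] || ! token_is_fresh "$issued" "$now"; then
    token=$(fetch_token)
    ( umask 077; printf '%s %s\n' "$now" "$token" > "$TOKEN_CACHE" )
  fi
  hdr=$(mktemp)
  bearer_header_file "$token" "$hdr"
  curl -sS --cacert "$CA_FILE" -H "@$hdr" "$ES_URL$1"
  rm -f "$hdr"
}

# Usage (after exporting ES_URL, CA_FILE and TOKEN_PATH): sh es_client.sh /some/api/path
if [ $# -eq 1 ]; then es_get "$1"; fi
```

The 15-minute margin is a design choice: renewing slightly early costs one extra token request per 13 hours, whereas a request that fails on a token that expired seconds earlier costs a retry path in every caller. Treat the cache file like a credential; it is created with mode 0600 for that reason.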
Authentication
For more information on authentication in IBM Db2 Event Store, refer to Manage users.
Authorization
An IBM Db2 Event Store administrator can give the Admin or nonAdmin role to IBM Db2 Event Store users. (These are the same credentials that users use to authenticate to the cluster from a notebook or a remote client application. For more information, see the IBM Db2 Event Store ConfigurationReader API guide.)
A project administrator can assign Viewer, Editor, or Admin permissions to collaborators.
Data
IBM Db2 Event Store stores data on disk in Apache Parquet format.
To ensure that the data stored in the IBM Db2 Event Store NFS file system is stored securely, encrypt the storage partition. If you use Linux Unified Key Setup-on-disk-format (LUKS) for this purpose, you must set up LUKS and format the unlocked LUKS volume with XFS before installing IBM Db2 Event Store.
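The order matters: LUKS is formatted onto the raw partition, the volume is opened, and XFS goes onto the resulting /dev/mapper device, all before the installer ever sees the mount point. The script below is an added example of that sequence, not part of the IBM installer; it assumes a Linux host with cryptsetup (LUKS2), xfsprogs and blkid, and the device, mapper name, mount point and key-file path are hypothetical arguments. It also writes the crypttab and fstab entries so the volume comes back after a reboot, which is the step most often forgotten until the first reboot after installation.

```shell
#!/bin/sh
# Prepare an encrypted XFS volume for the Db2 Event Store data path before
# installation. Added example, not IBM's installer. Assumes Linux with
# cryptsetup (LUKS2), xfsprogs and blkid. Device, mapper name, mount point and
# key-file path are hypothetical arguments.
set -eu

# Lines appended to /etc/crypttab and /etc/fstab so the volume is unlocked and
# mounted at boot, keyed by the LUKS header UUID rather than a device path.
crypttab_line() { printf '%s UUID=%s %s luks\n' "$1" "$2" "$3"; }            # name uuid keyfile
fstab_line()    { printf '/dev/mapper/%s %s xfs defaults,nofail 0 0\n' "$1" "$2"; }  # name mountpoint

# luks_prepare DEVICE NAME MOUNTPOINT KEYFILE
luks_prepare() {
  dev=$1; name=$2; mnt=$3; keyfile=$4
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
  [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 1; }
  if blkid "$dev" >/dev/null 2>&1; then
    echo "$dev already carries a filesystem or LUKS signature; refusing to overwrite" >&2
    return 1
  fi
  # A key file lets the volume unlock unattended at boot. It must be root-only.
  # It protects data on a lost, failed or re-used disk; it does not protect
  # against a compromised host, which can read the key.
  if [ ! -f "$keyfile" ]; then
    ( umask 077; dd if=/dev/urandom of="$keyfile" bs=64 count=1 status=none )
  fi
  chmod 0400 "$keyfile"
  cryptsetup luksFormat --type luks2 --batch-mode --key-file "$keyfile" "$dev"
  cryptsetup open --key-file "$keyfile" "$dev" "$name"
  # XFS goes on the mapper device, never on the raw partition.
  mkfs.xfs -f "/dev/mapper/$name"
  mkdir -p "$mnt"
  mount "/dev/mapper/$name" "$mnt"
  uuid=$(blkid -o value -s UUID "$dev")    # UUID of the LUKS header
  crypttab_line "$name" "$uuid" "$keyfile" >> /etc/crypttab
  fstab_line "$name" "$mnt" >> /etc/fstab
  cryptsetup luksDump "$dev" | grep -q LUKS   # sanity check: header is in place
  echo "$mnt is an XFS filesystem on LUKS volume $name; install Event Store against it"
}

# Usage: sh luks_prepare.sh /dev/sdb es_data /srv/eventstore /etc/eventstore.key
if [ $# -eq 4 ]; then luks_prepare "$@"; fi
```

The refusal to overwrite a device that already carries a signature is deliberate: luksFormat destroys whatever is there, and wiping the wrong disk on an NFS server is not recoverable. The nofail mount option keeps the host bootable if the key file is missing; whether you prefer a boot failure over an Event Store that starts without its data path is a judgement call for your environment.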
To ensure that the data that is stored in your object store is stored securely, you must enable object store encryption.
Network authentication
IBM Db2 Event Store supports remote execution to Kerberos-enabled Spark clusters.
More security tasks
The following is a list of other important security topics: