IBM Support

[Db2] How to renew self-signed certificate used by TLS.

How To


Summary

GSKit creates a self-signed certificate that expires 365 days after creation by default.
The following steps show how to renew the self-signed certificate before it expires.

Objective

Users have to renew a certificate that is used by TLS connections before it expires.
Otherwise, database applications cannot establish a secure connection and report SQL30081 or -4499.
The following db2diag.log entry shows a connection failing because the certificate has already expired; GSKit reports GSK_ERROR_BAD_DATE (401).
2023-01-05-04.46.34.264734+540 E2014587166A1241     LEVEL: Error
PID     : 21168548             TID  : 1763776       PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000
APPHDL  : 0-213
HOSTNAME: db2server
EDUID   : 100004               EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
return code "401" in "sqlccSSLSocketSetup".

Environment

Db2 9.7 or later.

Steps

Before you begin

For this example, you configured the Db2 instance with a key database and a password stored in a stash file. This keystore is referred to as $HOME/server.p12 throughout the example.

Procedure

  1. Identify the expiring certificate and label by running:
    $ gsk8capicmd_64 -cert -list -db server.p12 -stashed
    Certificates found
    * default, - personal, ! trusted, # secret key
    -   myselfsigned  <-----
    
    $ gsk8capicmd_64 -cert -details -label "myselfsigned" -db server.p12 -stashed
    Label : myselfsigned
    Key Size : 2048
    Version : X509 V3
    Serial : 78745cffd54be128
    Issuer : "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
    Subject : "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
    Not Before : May 24, 2022 11:45:24 PM JST
    Not After : May 25, 2023 11:45:24 PM JST <-----
  2. Create a new self-signed certificate and extract it so that it can be distributed to clients.
    $ gsk8capicmd_64 -cert -create -db $HOME/server.p12 -stashed -label "myselfsigned2" -dn "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
    $ gsk8capicmd_64 -cert -extract -db $HOME/server.p12 -stashed -label "myselfsigned2" -target $HOME/server.pem -format ascii -fips
  3. Verify new self-signed certificate.
    $ gsk8capicmd_64 -cert -details -label "myselfsigned2" -db server.p12 -stashed
    Label : myselfsigned2
    Key Size : 2048
    Version : X509 V3
    Serial : 97965cefd64cf064
    Issuer : "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
    Subject : "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
    Not Before : Jan 24, 2023 10:20:31 PM JST
    Not After : Jan 25, 2024 10:20:31 PM JST <-----
  4. Refresh the SSL certificate.
    $ db2 attach to <instance_name>
    $ db2 update dbm cfg using SSL_SVR_LABEL myselfsigned2
  5. Restart the instance for the new certificate to take effect.
    NOTE: If you use Db2 11.5.2 or later, you do not need to restart the instance.
    $ db2stop force
    $ db2start
  6. (Clients) Add the new certificate (server.pem) to the clients.
    See the following manual page for details:
    Configuring TLS support in Db2 clients
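The following script is an added example and is not IBM's code. It ties the Objective section to the procedure above: it parses the `gsk8capicmd_64 -cert -details` output from step 1 to compute how many days remain before "Not After" (a negative value means Db2 will already be logging GSK_ERROR_BAD_DATE), and when the remaining time falls under a threshold it builds the commands of steps 2 to 4 with the old certificate's Subject reused as the DN. It assumes gsk8capicmd_64 and db2 are on PATH, that the keystore password is in a stash file (-stashed), and that it runs as the instance owner on the server; the sample details text, the 30-day threshold, the `--apply` flag and the derived .pem path are assumptions made for this example.

```python
"""Check a GSKit self-signed certificate's expiry and drive its renewal.

Added example (not IBM's code). Assumes gsk8capicmd_64 and db2 are on PATH,
that the keystore password is in a stash file (-stashed), and that the script
runs as the instance owner on the Db2 server; the threshold, labels and paths
are placeholders chosen for this example.
"""
import shlex
import subprocess
import sys
from datetime import datetime

# Constructed sample input: the `gsk8capicmd_64 -cert -details` output for the
# expiring certificate shown in step 1 of the procedure.
SAMPLE_DETAILS = """\
Label : myselfsigned
Key Size : 2048
Version : X509 V3
Serial : 78745cffd54be128
Issuer : "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
Subject : "CN=db2srv.example.com,O=example,ST=Tokyo,C=JP"
Not Before : May 24, 2022 11:45:24 PM JST
Not After : May 25, 2023 11:45:24 PM JST
"""


def parse_details(text):
    """Turn the 'Field : value' lines of -cert -details into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only; times keep theirs
        if sep:
            fields[key.strip()] = value.strip().strip('"')
    return fields


def parse_gskit_date(value):
    """Parse 'May 25, 2023 11:45:24 PM JST' into a naive datetime.

    The zone abbreviation is dropped because strptime cannot resolve arbitrary
    zone names; compare the result with a 'now' taken in the same zone the
    server prints its timestamps in."""
    without_zone = " ".join(value.split()[:-1])
    return datetime.strptime(without_zone, "%b %d, %Y %I:%M:%S %p")


def days_until_expiry(details_text, now):
    """Days left before 'Not After'; negative once the certificate has expired,
    which is when Db2 logs GSK_ERROR_BAD_DATE (401). 'now' may be a datetime
    or an ISO 8601 string."""
    now = now if isinstance(now, datetime) else datetime.fromisoformat(now)
    not_after = parse_gskit_date(parse_details(details_text)["Not After"])
    return (not_after - now).days


def renewal_commands(details_text, keystore, new_label, pem_out, instance):
    """Steps 2-4 of the procedure as argv lists, reusing the old certificate's
    Subject as the DN so the new certificate keeps the same name."""
    dn = parse_details(details_text)["Subject"]
    db2_cfg = "db2 attach to %s && db2 update dbm cfg using SSL_SVR_LABEL %s" % (
        shlex.quote(instance), shlex.quote(new_label))
    return [
        ["gsk8capicmd_64", "-cert", "-create", "-db", keystore, "-stashed",
         "-label", new_label, "-dn", dn],
        ["gsk8capicmd_64", "-cert", "-extract", "-db", keystore, "-stashed",
         "-label", new_label, "-target", pem_out, "-format", "ascii", "-fips"],
        # The CLP keeps the attachment in a per-shell backend process, so both
        # db2 commands are run inside one shell invocation.
        ["sh", "-c", db2_cfg],
    ]


def plan_renewal(details_text, now, keystore, new_label, pem_out, instance,
                 threshold_days=30):
    """Return (days_left, commands); commands is empty when no renewal is due."""
    days_left = days_until_expiry(details_text, now)
    if days_left > threshold_days:
        return days_left, []
    return days_left, renewal_commands(details_text, keystore, new_label,
                                       pem_out, instance)


if __name__ == "__main__":
    # Usage: python renew_check.py <keystore> <old_label> <new_label> <instance> [--apply]
    keystore, old_label, new_label, instance = sys.argv[1:5]
    apply = "--apply" in sys.argv[5:]
    details = subprocess.run(
        ["gsk8capicmd_64", "-cert", "-details", "-db", keystore, "-stashed",
         "-label", old_label], check=True, capture_output=True, text=True).stdout
    pem_out = keystore.rsplit(".", 1)[0] + ".pem"  # server.p12 -> server.pem
    days_left, commands = plan_renewal(details, datetime.now(), keystore,
                                       new_label, pem_out, instance)
    print("%s: %d day(s) until expiry" % (old_label, days_left))
    for argv in commands:
        print("  " + " ".join(shlex.quote(a) for a in argv))
        if apply:
            subprocess.run(argv, check=True)
    if commands and apply:
        print("Restart the instance (db2stop force; db2start) unless on Db2 11.5.2 or later.")
```

Without `--apply` the script only reports the remaining days and prints the commands it would run, which makes it usable as a scheduled expiry check; with `--apply` it performs steps 2 to 4 and reminds the operator of the restart in step 5. Distributing the extracted .pem to clients (step 6) is left to the operator.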

Document Information

Modified date:
06 January 2023

UID

ibm16852681