Secure Socket Layer (SSL) support for DB2 data servers in DB2 9 Fix Pack 2

Abstract

The IBM® DB2® Driver for JDBC and SQLJ (type 4 connectivity) contains Secure Socket Layer (SSL) support for DB2 for z/OS® as part of DB2 Version 9.1. In DB2 Version 9.1 Fix Pack 2, the DB2 data server also contains the SSL support. The SSL connection will always be in FIPS mode.

Content

Starting with DB2 Version 9.1 Fix Pack 2, SSL is supported on DB2 data servers. The SSL support for DB2 data servers is used to secure communication between DB2 data servers and the IBM DB2 Driver for JDBC and SQLJ type 4 connectivity. The SSL communication will always be in FIPS mode. In order to have SSL support for DB2 data servers, the IBM Global Security Kit (GSKit) version 7c must be installed on the server.

For DB2 data servers to recognize SSL support, the DB2COMM registry variable has to be set to SSL and the SSL configuration file "SSLconfig.ini" must be created in <instance directory>/cfg (UNIX® and Linux® operating systems) or <instance directory> (Windows® operating systems). This file will store the SSL parameters that are used to load and start SSL. Here are the SSL parameters you can set:

Name of SSL parameter       Nullable?   Description
DB2_SSL_KEYSTORE_FILE       NO          Fully qualified file name of the KeyStore that stores the server certificate
DB2_SSL_KEYSTORE_PW         YES         Password of the KeyStore that stores the server certificate
DB2_SSL_KEYSTORE_LABEL      YES         Label of the server certificate
DB2_SSL_LISTENER            NO          Service name/port number for the SSL listener

Note:

  • On Windows operating systems, the PATH environment variable needs to contain an entry for the GSKit libraries. On UNIX and Linux operating systems, LIBPATH, SHLIB_PATH, or LD_LIBRARY_PATH must contain an entry for the GSKit libraries.
  • If a password is not needed for the KeyStore file, the DB2_SSL_KEYSTORE_PW parameter can be omitted.
  • The default server certificate will be used if the DB2_SSL_KEYSTORE_LABEL parameter is not defined. If the default server certificate does not exist, SSL setup will fail.
  • The service name of the DB2_SSL_LISTENER parameter cannot be the same as the service name in the database manager configuration file. If it is, SQL5043N will be returned and neither the SSL nor the TCP/IP communication protocol will be started.
  • It is recommended to restrict the file permissions of SSLconfig.ini to limited access only (that is to say, only SYSADM can read or update it), as the file may contain sensitive data such as the KeyStore password.

After setting the SSL parameters in the configuration file, the database instance must be restarted so that the DB2 data server will pick up those changes. With the SSL protocol configured between the client and server, data communication connections will be secured in FIPS mode.

Following is an example (UNIX-specific) of how the DB2 data server defines the SSL parameters in SSLconfig.ini:

(test1@db2server1) /home/test1/sqllib/cfg $ cat SSLconfig.ini
DB2_SSL_KEYSTORE_FILE=/home/test1/GSKit/Keystore/key.kdb
DB2_SSL_LISTENER=20397
DB2_SSL_KEYSTORE_PW=aaa111

You also need to set the DB2COMM registry variable to SSL:

(test1@db2server1) /home/test1$ db2set
DB2COMM=SSL

Note:

  • DB2 data servers can support multiple communication protocols at the same time. For instance: setting the DB2COMM registry variable to 'TCPIP,SSL' will enable both TCP/IP and SSL communication protocols. Conversely, to force the use of SSL support without the TCP/IP protocol, database administrators can set the DB2COMM registry variable to 'SSL'.
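Before restarting the instance, the rules stated above (the two non-nullable parameters, the keystore path, the listener/SVCENAME collision that produces SQL5043N, and the restricted file permissions) can be checked with a small script. This is an added example and not part of the technote or of DB2 itself; it assumes the SVCENAME value is passed in by hand from the database manager configuration (db2 get dbm cfg) and that the keystore is a local file.

```shell
# Added example (not IBM code): sanity-check SSLconfig.ini before restarting the instance.
# Usage: check_sslconfig <path-to-SSLconfig.ini> [SVCENAME from the dbm cfg]
check_sslconfig() {
    cfg="$1"
    svcename="$2"
    rc=0
    if [ ! -f "$cfg" ]; then
        echo "missing config file: $cfg"
        return 1
    fi

    # DB2_SSL_KEYSTORE_FILE and DB2_SSL_LISTENER are not nullable
    for key in DB2_SSL_KEYSTORE_FILE DB2_SSL_LISTENER; do
        if ! grep -q "^${key}=" "$cfg"; then
            echo "required parameter $key is not set"
            rc=1
        fi
    done

    # The keystore named in the file must exist on the server
    ks=$(sed -n 's/^DB2_SSL_KEYSTORE_FILE=//p' "$cfg")
    if [ -n "$ks" ] && [ ! -f "$ks" ]; then
        echo "keystore not found: $ks"
        rc=1
    fi

    # A listener equal to SVCENAME triggers SQL5043N and starts neither protocol
    listener=$(sed -n 's/^DB2_SSL_LISTENER=//p' "$cfg")
    if [ -n "$svcename" ] && [ "$listener" = "$svcename" ]; then
        echo "DB2_SSL_LISTENER ($listener) is the same as SVCENAME"
        rc=1
    fi

    # The file may hold DB2_SSL_KEYSTORE_PW: no group or world access allowed
    perm=$(stat -c '%a' "$cfg" 2>/dev/null || stat -f '%Lp' "$cfg")
    case "$perm" in
        ?00) ;;
        *) echo "permissions $perm on $cfg are too open (expected 600)"; rc=1 ;;
    esac
    return "$rc"
}
```

The function exits non-zero and prints one line per violated rule, so it can be run as the instance owner right before db2start.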

Following is a list of restrictions for SSL support:
  • SSL support is only implemented on DB2 data servers with DB2 Version 9.1 Fix Pack 2 or later. Other clients that do not use IBM DB2 Driver for JDBC and SQLJ type 4 connectivity (for instance the CLP or CLI) might get SSL support in the future.
  • If the DB2 Concentrator is on, SSL support will not be enabled.
  • It is recommended to set the DB2COMM registry variable to SSL at the instance level, because instance update and migration retain an instance-level DB2COMM setting. If DB2COMM is set at the global level instead, it has to be set again manually after the instance is migrated or updated to another installation path, since instance update from another installation path and instance migration do not keep the global-level profile setting.
  • For DB2 Version 9.1 Fix Pack 2, SSL support is not available in gateway scenarios between the gateway and the host system, but it is available in those scenarios between an IBM DB2 Driver for JDBC and SQLJ type 4 connectivity client and the gateway machine.
  • Dropping the instance on UNIX or Linux operating systems will cause the SSL config file to be lost. Save the SSL config file before dropping the instance if the file must be kept.

Following is a list of platforms that contain SSL support for the data server using DB2 9 Fix Pack 2:

  • AIX® 64 bit
  • HP-UX IA64
  • Solaris SPARC 64 bit
  • Linux x86 and x86-64
  • Linux for zSeries® 64 bit
  • Linux for POWER™ 64 bit
  • Linux IA64
  • Windows x86 and x86-64
  • Windows IA64

Global Security Kit

The latest version of the Global Security Kit (GSKit) tool package can be downloaded from the IBM software download site:

The download site also contains:
  • Global Security Kit Install Guide
  • Secure Socket Layer Introduction and iKeyman User's Guide

Note: For Windows 64-bit platforms, GSKit was not bundled with DB2 Fix Pack 2. It must be installed separately.

Troubleshooting

DB2 uses GSKit to secure the data through the SSL protocol. If there are problems with the GSKit APIs, the GSKit trace can be turned on as follows:

export GSK_TRACE_FILE=/tmp/gsktrace

Notes:
  • The DB2 instance owner must have write access to the directory that stores the GSKit trace output.
  • The export command has to be executed before the DB2 instance is started.
  • The trace is in binary format and it has to be sent to DB2 support for analysis.


Document Information

Modified date: 16 June 2018

UID: swg21249656