IBM Support

How to use DB2 Transport Layer Security (TLS) 1.2 with Identity Insight

Question & Answer


Question

How do I use DB2 Transport Layer Security (TLS) 1.2 with Identity Insight?

Cause

The default port used by the eWAS component of Identity Insight does not use SSL.

Answer

eWAS<--TLSv1.2-->DB2:

Start eWAS:
~/<identity_insight_directory>/startEAS.sh
Start wsadmin:
~/<identity_insight_directory>/ewas/bin/wsadmin.sh
Modify the eWAS SSL configuration using the following wsadmin commands:
$AdminTask modifySSLConfig {-alias NodeDefaultSSLSettings -scopeName (cell):DefaultCell:(node):DefaultNode -clientAuthentication false -securityLevel HIGH -clientAuthenticationSupported true -sslProtocol SSL_TLSv2 }
$AdminConfig save
Update the com.ibm.ssl.protocol value in the <identity_insight_directory>/ewas/pro/ssl/client.props file:
Modify the line containing com.ibm.ssl.protocol=SSL_TLS to com.ibm.ssl.protocol=TLSv1.2


Pipeline <--TLSv1.2-->DB2
Follow these instructions: (based upon info from http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html)
**NOTE: These instructions are for a self-signed certificate. If a CA-signed certificate is required for your server, see the Example section in http://www.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html.**
Set paths:
export LD_LIBRARY_PATH=/opt/<db2_instance_dir>/sqllib/lib/gskit:$LD_LIBRARY_PATH
export PATH=/opt/<db2_instance_dir>/sqllib/gskit/bin:$PATH
Create a key database and set up your digital certificates, where key.kdb is the key database to be created, password is the key database access password, and hostname is the DNS name of your server, which an SSL client needs in order to validate the certificate:
cd /opt/<db2_instance_dir>/server_ssl
gsk8capicmd_64 -keydb -create -db "key.kdb" -pw "password" -stash
gsk8capicmd_64 -cert -create -db "key.kdb" -pw "password" -label "SSLLabel" -dn "CN=myhostname,O=myorganization,OU=organizationunit,L=location,ST=state,C=country"
**NOTE: you must edit the parameter values set by -dn to reflect your own values**
gsk8capicmd_64 -cert -extract -db "key.kdb" -pw "password" -label "SSLLabel" -target "key.arm" -format ascii -fips
Set up your DB2 server for SSL support: log in as the DB2 instance owner and run the following commands:
db2 update dbm cfg using SSL_SVR_KEYDB /opt/<db2_instance_dir>/server_ssl/key.kdb
db2 update dbm cfg using SSL_SVR_STASH /opt/<db2_instance_dir>/server_ssl/key.sth
db2 update dbm cfg using SSL_SVR_LABEL SSLLabel
db2 update dbm cfg using ssl_svcename 60006 <--where
db2 "get dbm cfg" | grep -i svce
Add the value SSL to the DB2COMM registry variable:
db2set -i db2i105 DB2COMM=TCPIP,SSL
Set the ssl_versions parameter in DB2 to the value TLSv12:
db2 update dbm cfg using ssl_versions TLSv12
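As an added check that is not part of the IBM document, the following POSIX shell helper audits captured "db2 get dbm cfg" and "db2set -all" output against the DB2-side settings listed above (key database, stash, label, SSL service name, ssl_versions and DB2COMM); the sample output, instance name and paths it contains are constructed.

```shell
#!/bin/sh
# Added audit helper, not from the IBM page: checks captured "db2 get dbm cfg"
# and "db2set -all" output against the DB2-side settings in the procedure.
# Print the value of one dbm cfg parameter ($2, as shown in parentheses, e.g.
# SSL_VERSIONS) from captured "db2 get dbm cfg" text ($1); empty when unset.
dbm_cfg_value() {
    printf '%s\n' "$1" | sed -n "s/^.*($2) *= *//p" | head -n 1
}

# Audit the dbm cfg text ($1) and db2set text ($2). Prints one line per finding
# and returns the number of findings, so 0 means the DB2 side is complete.
check_db2_ssl_cfg() {
    cfg="$1"; reg="$2"; problems=0
    for p in SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVR_LABEL SSL_SVCENAME; do
        [ -n "$(dbm_cfg_value "$cfg" "$p")" ] || {
            echo "missing: $p is not set"; problems=$((problems + 1)); }
    done
    # The SSL listener needs its own service name/port, distinct from SVCENAME.
    sslsvc=$(dbm_cfg_value "$cfg" SSL_SVCENAME)
    if [ -n "$sslsvc" ] && [ "$sslsvc" = "$(dbm_cfg_value "$cfg" SVCENAME)" ]; then
        echo "conflict: SVCENAME and SSL_SVCENAME are identical"; problems=$((problems + 1))
    fi
    # Only TLS 1.2 may be offered; anything else (or unset) is a finding.
    v=$(dbm_cfg_value "$cfg" SSL_VERSIONS | tr 'a-z' 'A-Z')
    if [ "$v" != "TLSV12" ]; then
        echo "weak: SSL_VERSIONS is '${v:-unset}', expected TLSV12"; problems=$((problems + 1))
    fi
    # Without SSL in DB2COMM the SSL listener is never started.
    case "$(printf '%s\n' "$reg" | sed -n 's/^.*DB2COMM=//p')" in
        *SSL*) ;;
        *) echo "missing: DB2COMM does not include SSL"; problems=$((problems + 1)) ;;
    esac
    return "$problems"
}

# Constructed sample output in the layout DB2 prints (description, parameter
# name in parentheses, value); instance name, paths and label are illustrative.
GOOD_CFG=' TCP/IP Service name                          (SVCENAME) = db2c_db2i105
 SSL server keydb file                   (SSL_SVR_KEYDB) = /opt/db2i105/server_ssl/key.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /opt/db2i105/server_ssl/key.sth
 SSL server certificate label            (SSL_SVR_LABEL) = SSLLabel
 SSL service name                         (SSL_SVCENAME) = 60006
 SSL versions                             (SSL_VERSIONS) = TLSV12'
GOOD_REG='[i] DB2COMM=TCPIP,SSL'
# Same instance before the last two steps: no ssl_versions, no SSL in DB2COMM.
WEAK_CFG=$(printf '%s\n' "$GOOD_CFG" | grep -v SSL_VERSIONS)
WEAK_REG='[i] DB2COMM=TCPIP'
check_db2_ssl_cfg "$GOOD_CFG" "$GOOD_REG" && echo "OK: DB2 TLS 1.2 settings complete"
check_db2_ssl_cfg "$WEAK_CFG" "$WEAK_REG" || echo "findings: $?"
```

On a real instance, capture the two inputs with db2 get dbm cfg and db2set -all as the instance owner and pass them to check_db2_ssl_cfg; the exit status is the number of findings.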


Document Information

Modified date:
16 June 2018

UID

swg21993801