IBM Support

Secure Socket Layer (SSL) Configuration for Data Server Manager (DSM)

Question & Answer


Question

How to configure Secure Socket Layer (SSL) for Data Server Manager (DSM)?

Answer

1. What is Secure Socket Layer (SSL)?

Secure Sockets Layer (SSL) is a protocol that lets services communicate over a network without compromising security. It creates a secure connection between a client and a server.


2. What is a Certificate Authority (CA)?
A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity’s identity on the Internet. The electronic documents, which are called digital certificates, are an essential part of secure communication and play an important part in the public key infrastructure (PKI). Certificates typically include the owner's public key, the expiration date of the certificate, the owner's name and other information about the public key owner.
Certification authority (CA) certificates are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs. A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy. Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf. Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.


3. Common Certificate types
You can request a certificate from a third-party signer, such as GeoTrust. You can receive the certificate in different ways. Most certificate deliveries mainly contain:
a) the public key (certificate) of your site, e.g. your_cert.crt
b) the private key of your site, e.g. your_cert.key
c) the public key (certificate) of the root CA, e.g. ca_cert.crt

Most certificates are of type X.509, which follows the ITU-T X.509 standard for Public Key Infrastructure (PKI).
The certificates can come as other file types, for different encodings or for different operating systems (for example *.cer, *.pem, *.der, etc.).
These files contain the public or private key material in an encoding such as "Base64-encoded ASCII data".
For example:
    -----BEGIN CERTIFICATE-----
      XXXXXXXXX
    -----END CERTIFICATE-----
and
    -----BEGIN RSA PRIVATE KEY-----
      XXXXXXXXX
    -----END RSA PRIVATE KEY-----
You may need to paste these encoded sections into the three files (.crt and .key) mentioned above.

Note: If you have forgotten your request information, you can use ikeyman or keytool to view the details of the certificate files and get information about the requestor and signer (such as CN=common name, O=organization, OU=organizational unit, L=locality, ST=state, C=country).

You may also receive a key store file. Examples of key store files are:
a. *.jks (Java Key Store),
b. *.jck (JCEKS, Java Cryptography Extension Key Store),
c. *.p12 (PKCS12 or PKCS12S2, from the Public-Key Cryptography Standards),
d. or *.pfx.

These files contain all the public and private key information and the certificate.
Note: You can use ikeyman.exe (IBM Key Management) to view and extract public keys. ikeyman and keytool are in the <DSM install directory>/java/jre/bin directory.


4. How are CAs implemented for DSM?
Basically, a certificate, which is either created on the data source server, created on the DSM server (a self-signed certificate), or purchased from a Certificate Authority (CA), is shared with the client (DSM) to secure the connection between DSM and the server. The DSM Web UI also needs to be enabled to use the secure port (see Figure 1).



5. Enable HTTPS for the Data Server Manager Console
After you run the setup script, you can optionally enable HTTPS for access from the web browser. You can enable HTTPS with or without configuring SSL communication for DB2. To enable HTTPS, add these two settings in <DSM install directory>/Config/dswebserver.properties:
    cookie.secureOnly=true
    port=-1


6. Configure SSL on the DSM server
DSM needs a key store file to configure SSL. Below are the steps to configure SSL both in Windows and Linux.

6.1. Import the signed certificate
    Step 1: Download the certificate files into a staging directory in the machine where Data Server Manager is running.

    Step 2: Stop Data Server Manager.
    In Windows, go to the <DSM install directory>\bin directory, and execute stop.bat.
    In Linux, go to the <DSM install directory>/bin directory, and execute stop.sh.

6.2. Create a trusted keystore or truststore
    If what you downloaded is already a keystore then you can skip these steps. Otherwise, you will need to transform the keys and certificates into a keystore.
    As mentioned earlier, DSM needs a key store file to configure SSL. We transform the certificate files into a key store file using the openssl command.
    In Linux, OpenSSL is usually already installed. If not, you can obtain it from this site:
    https://www.openssl.org/.
    In Windows, you can download OpenSSL for Windows from this site:
    http://gnuwin32.sourceforge.net/packages/openssl.htm.
    There is also a light-weight version here: https://slproweb.com/products/Win32OpenSSL.html. Download the Win32 OpenSSL v1.1.0b Light file.

    Step 3: Transform the certificate files to keystores
    Copy your_cert.crt, your_cert.key and ca_cert.crt into the openssl/bin directory and run the command:
    openssl pkcs12 -export -chain -in your_cert.crt -inkey your_cert.key -out your_keystore.p12 [-name xxx] -CAfile ca_cert.crt [-caname xxxxx] [-passout pass:your_pass]
    If you don’t specify a password, you will be prompted for one. The above command generates a key store file: your_keystore.p12.
    Note: You may get a message like: Error unable to get issuer certificate getting chain.
    In this case, you need to add all the public keys (CA certificates) of the chain.
    In Linux, the public keys are in /etc/ssl/certs/ca-certificates.crt.
    In Windows, public keys may be found in a CA folder under C:\Users\. So for example, the IBMCA certificates are in C:\Users\IBM-ADMIN\.ibmca\client_certs.
    Use either an editor or openssl to concatenate the public keys into ca_cert.crt.
6.3. Configure keystore in DSM
    Step 4: Copy the key store file
    Copy the your_keystore.p12 file into the folder: <DSM_install_dir>\wlp\usr\servers\dsweb\resources\security

    Step 5: Edit and save SSLConfig.xml file
    Edit the <DSM_install_dir>\wlp\usr\servers\dsweb\SSLConfig.xml file and add the following lines:
    <keyStore id="defaultKeyStore" location="[your_location]\ibm-datasrvrmgr\wlp\usr\servers\dsweb\resources\security\your_keystore.p12" password="[your_pass]" type="PKCS12"/>

    Step 6: Edit your hosts file
    When you access your DSM site with https, you must make sure that your domain name is consistent with the "Common Name" field in your certificate.
    Use the keytool utility available with DSM to verify the “Common Name (CN)”.

    Once you have verified it, go to your hosts file and add this name. For example, if your DSM server is on localhost, it has the IP address 127.0.0.1. Assign this IP to the common name, e.g. dsm.ibm.com.
    # localhost name resolution is handled within DNS itself.
      127.0.0.1 localhost
      127.0.0.1 dsm.ibm.com
    In Linux, the hosts file is in /etc/hosts; in Windows, the hosts file is in C:\Windows\System32\drivers\etc
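Steps 3 and 6 above as one script, added here and not part of the technote or of DSM: it builds the keystore with the retry that the Step 3 note describes (append the extra CA public keys when openssl cannot complete the chain), then prints the certificate count and the server subject so the common name can be compared with your hosts entry. It assumes OpenSSL on the PATH; the certificate chain it generates, the alias dsweb and the password changeit are constructed test values, and bundle.crt stands in for the system CA bundle.

```shell
#!/bin/sh
# Added example, not from the technote. Wraps Step 3 of section 6.2: build the PKCS12
# keystore for DSM and, if openssl reports "unable to get issuer certificate", append a
# bundle of extra CA public keys (/etc/ssl/certs/ca-certificates.crt on Linux) and retry.
set -eu
# build_keystore CERT KEY CA BUNDLE OUT PASS -> prints "ok" or "ok-after-bundle"
build_keystore() {
  cert=$1 key=$2 ca=$3 bundle=$4 out=$5 pass=$6
  if openssl pkcs12 -export -chain -in "$cert" -inkey "$key" -CAfile "$ca" \
       -name dsweb -out "$out" -passout "pass:$pass" 2>"$out.err"; then
    echo ok; return 0
  fi
  if ! grep -q "unable to get issuer certificate" "$out.err"; then
    cat "$out.err" >&2; return 1          # a different error: do not mask it
  fi
  cat "$ca" "$bundle" > "$ca.full"        # section 6.2 note: add all the public keys
  openssl pkcs12 -export -chain -in "$cert" -inkey "$key" -CAfile "$ca.full" \
    -name dsweb -out "$out" -passout "pass:$pass"
  echo ok-after-bundle
}

# keystore_cert_count OUT PASS -> number of certificates stored in the keystore
keystore_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" | grep -c 'BEGIN CERTIFICATE'
}
# keystore_subject OUT PASS -> subject of the server certificate (the CN checked in Step 6)
keystore_subject() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" | openssl x509 -noout -subject
}
# make_demo_chain DIR: constructed test material (throwaway root, issuing CA, server cert
# for dsm.ibm.com). ca_cert.crt holds only the issuing CA, so the first export fails as
# the technote's note describes; bundle.crt stands in for the system CA bundle.
make_demo_chain() (
  cd "$1" && exec 2>/dev/null   # subshell: keeps the caller's cwd, silences openssl chatter
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' > ca.ext
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Root -keyout root.key -out root.csr
  openssl x509 -req -days 1 -in root.csr -signkey root.key -extfile ca.ext -out root.crt
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=Demo-Issuing-CA -keyout int.key -out int.csr
  openssl x509 -req -days 1 -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -out int.crt
  openssl req -new -newkey rsa:2048 -nodes -subj /CN=dsm.ibm.com -keyout your_cert.key -out leaf.csr
  openssl x509 -req -days 1 -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -out your_cert.crt
  cp int.crt ca_cert.crt && cp root.crt bundle.crt
)

if [ "${1:-}" = --demo ]; then             # usage: sh keystore.sh --demo
  dir=$(mktemp -d); make_demo_chain "$dir"; ks=$dir/your_keystore.p12
  build_keystore "$dir/your_cert.crt" "$dir/your_cert.key" "$dir/ca_cert.crt" "$dir/bundle.crt" "$ks" changeit
  keystore_cert_count "$ks" changeit; keystore_subject "$ks" changeit
fi
```

On a host without OpenSSL, `keytool -list -v -keystore your_keystore.p12 -storetype PKCS12` from the DSM JRE shows the same subject and chain.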

    Step 7: Restart DSM
    In Windows, go to the <DSM install directory>\bin directory, and execute start.bat.
    In Linux, go to the <DSM install directory>/bin directory, and execute start.sh.


    Step 8: Open the DSM Web Console using the secure port and new domain server name.

7. Configuring SSL connectivity from DSM to managed databases
If you want to secure the connection from DSM to this database, first, follow the steps in Sections 1-6 to import and configure the server certificate in DSM. Next, you will need to create a certificate in the managed database and import the certificate to DB2.
There is a technote, How to enable SSL connectivity from Data Server Manager to managed databases (LUW), which discusses in detail how to create a certificate in the DB2 database server and use it in DSM.

7.1. Set up SSL on the Database Server (managed database or DSM repository)
    To connect securely from DSM to the managed database or DSM repository, you need to create the certificate in the server, export it to a file and then use the steps in Sections 1-6 to import the certificate to DSM.
    Step 1: Create a key database
    gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -stash
    NOTE: The -stash option creates a stash file at the same path as the key database, with a file extension of .sth. At instance start-up, GSKit uses the stash file to obtain the password to the key database.
    For Windows 64-bit platforms, the Global Security Kit (GSKit) is not bundled with DB2.
    It must be installed separately. The latest version of the Global Security Kit (GSKit) tool package can be downloaded from the IBM software download site.

    Step 2: Add a certificate for your server to your key database
    gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0"
    -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"

    Step 3: Extract the certificate into a file
    gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0"
    -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips

    Step 4: Update the following database configuration parameters
    db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/keystore/mydbserver.kdb
    db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/sqllib/security/keystore/mydbserver.sth
    db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
    db2 update dbm cfg using SSL_SVCENAME 50002


    Step 5: Add SSL to DB2COMM environment variable
    db2set -i db2inst1 DB2COMM=SSL
    OR
    db2set -i db2inst1 DB2COMM=SSL,TCPIP

    Step 6: Stop and Start DB2
    db2stop
    db2start

7.2. Create a managed connection
    Step 7: In DSM, create a new database connection to the database (or edit one if you already have it).

    Step 8: In the JDBC Security pull-down list, select SSL Connectivity. The Truststore location and password input fields will be shown.

    Step 9: Specify the SSL_SVCENAME port (see next section for more details), Truststore location and password.


    Step 10: Click Test Connection. If the connection is successful, click OK.

Resources
1. How to enable SSL connectivity from Data Server Manager to managed databases (LUW)

2. Secure Sockets Layer (SSL) support in DB2 for Linux, UNIX, and Windows

3. Configuring the Java Runtime Environment to use SSL

4. Configuring Secure Sockets Layer (SSL) support in non-Java DB2 clients

5. DB2 technical tip: Set up Secure Sockets Layer (SSL) for DB2 on Windows

6. Connect DSM to dashDB Using SSL

7. Most common Java keytool keystore commands

8. GSKCapiCmd User’s Guide

9. OpenSSL Cookbook, with links to OpenSSL Manpages


Document Information

Modified date:
16 June 2018

UID

swg21997164