Question & Answer
Question
How to configure Secure Socket Layer (SSL) for Data Server Manager (DSM)?
Answer
1. What is Secure Socket Layer (SSL)?
2. What is a Certificate Authority (CA)?
Certification authority (CA) certificates are issued by a CA to itself or to a second CA for the purpose of creating a defined relationship between the two CAs. A certificate that is issued by a CA to itself is referred to as a trusted root certificate, because it is intended to establish a point of ultimate trust for a CA hierarchy. Once the trusted root has been established, it can be used to authorize subordinate CAs to issue certificates on its behalf. Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.
3. Common Certificate types
a) public key of your site, e.g. your_cert.crt
b) private key of your site, e.g. your_cert.key
c) public key of root CA, e.g. ca_cert.crt
Most certificates are of type X.509, which follows the ITU-T X.509 standard for Public Key Infrastructure (PKI).
Certificates can also come as other file types, for different encodings or different operating systems (for example *.cer, *.pem, *.der).
These files contain public or private key information in an encoding such as "Base64-encoded ASCII data".
For example:
-----BEGIN CERTIFICATE-----
XXXXXXXXX
-----BEGIN RSA PRIVATE KEY-----
XXXXXXXXX
Note: If you have forgotten your request information, you can use ikeyman or keytool to view the details of certificate files and get information about the requestor and signer (such as CN=common name, O=organization, OU=organizational unit, L=locality, ST=state, C=country).
You may also get a key store file. Examples of key store files are:
a. *.jks (Java Key Store),
b. *.jck (JCEKS, Java Cryptography Extension Key Store),
c. *.p12 (PKCS12, Public-Key Cryptography Standards #12),
d. *.pfx (PFX).
These files contain the public and private keys together with the certificate.
Note: You can use ikeyman.exe (IBM Key Management) to view and extract public keys. ikeyman and keytool are in the <DSM install directory>/java/jre/bin directory.
4. How are CAs implemented for DSM?
5. Enable HTTPS for the Data Server Manager Console
cookie.secureOnly=true
port=-1
6. Configure SSL on the DSM server
6.1. Import the signed certificate
Step 1: Download the certificate files into a staging directory on the machine where Data Server Manager is running.
Step 2: Stop Data Server Manager.
In Windows, go to the <DSM install directory>\bin directory, and execute stop.bat.
In Linux, go to the <DSM install directory>/bin directory, and execute stop.sh.
6.2. Create a trusted keystore or truststore
If what you downloaded is already a keystore, you can skip these steps. Otherwise, you need to transform the keys and certificates into a keystore.
As mentioned earlier, DSM needs a key store file to configure the CA certificate. We transform the certificate files into a key store file using the openssl command.
In Linux, OpenSSL is usually already installed. If not, you can obtain it from this site:
https://www.openssl.org/.
In Windows, you can download OpenSSL for Windows from this site:
http://gnuwin32.sourceforge.net/packages/openssl.htm.
There is also a light-weight version here: https://slproweb.com/products/Win32OpenSSL.html. Download the Win32 OpenSSL v1.1.0b Light file.
Step 3: Transform the certificate files to keystores
Copy your_cert.crt, your_cert.key and ca_cert.crt into the openssl/bin directory and run the command:
openssl pkcs12 -export -chain -in your_cert.crt -inkey your_cert.key -out your_keystore.p12 [-name xxx] -CAfile ca_cert.crt [-caname xxxxx] [-passout pass:your_pass]
If you don’t specify a password, you will be prompted for one. The above command generates a key store file: your_keystore.p12.
Note: You may get a message like: Error unable to get issuer certificate getting chain.
In this case, you need to add all the issuer public keys (the CA chain) to the CA file.
In Linux, the public keys are in /etc/ssl/certs/ca-certificates.crt.
In Windows, public keys may be found in a CA folder under C:\Users\. So for example, the IBMCA certificates are in C:\Users\IBM-ADMIN\.ibmca\client_certs.
Use either an editor or openssl to concatenate the public keys into ca_cert.crt.
Step 4: Copy the key store file
Copy the your_keystore.p12 file into the folder: <DSM_install_dir>\wlp\usr\servers\dsweb\resources\security
Step 5: Edit and save SSLConfig.xml file
Edit the <DSM_install_dir>\wlp\usr\servers\dsweb\SSLConfig.xml file and add the following lines:
<keyStore id="defaultKeyStore" location="[your_location]\ibm-datasrvrmgr\wlp\usr\servers\dsweb\resources\security\your_keystore.p12" password="[your_pass]" type="PKCS12"/>
Step 6: Edit your hosts file
When you access your DSM site with https, you must make sure that your domain name is consistent with the "Common Name" field in your certificate.
Use the keytool utility available with DSM to verify the “Common Name (CN)”.
Once you have verified it, go to your hosts file and add this name. For example, if your DSM server is on localhost, it has the IP address 127.0.0.1. Assign this IP to the common name, e.g. dsm.ibm.com:
# localhost name resolution is handled within DNS itself.
127.0.0.1 localhost
127.0.0.1 dsm.ibm.com
Step 7: Restart DSM
In Windows, go to the <DSM install directory>\bin directory, and execute start.bat.
In Linux, go to the <DSM install directory>/bin directory, and execute start.sh.
Step 8: Open the DSM Web Console using the secure port and new domain server name.
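As an added example (not code from the IBM technote), the POSIX shell script below performs the keystore build of Step 3 with the chain verified first, so the "unable to get issuer certificate" failure mentioned in the note is reported with a fix hint before the export, and it reads the certificate CN that Step 6 says must match the name you put in the hosts file. The file names, password, alias and the demo CA/certificate it generates are assumptions for the demonstration; it needs only the openssl command line.

```shell
#!/bin/sh
# Added example, not code from the IBM technote. Builds the PKCS12 keystore of
# Step 3, but verifies the chain first so the "unable to get issuer certificate"
# error is reported with a fix hint, and reads the certificate CN that Step 6
# says must match the name placed in the hosts file. Needs only the openssl CLI.

# Print the Common Name (CN) of the certificate in file $1.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Succeed (exit 0) only when certificate $1 chains to the CA bundle $2.
# This is the check that "openssl pkcs12 -export -chain" performs internally;
# when it fails, concatenate the missing issuer certificates into the bundle.
chain_ok() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Build a keystore the way Step 3 does, refusing to run with an incomplete chain.
# Usage: build_keystore <your_cert.crt> <your_cert.key> <ca_cert.crt> <out.p12> <password> <alias>
build_keystore() {
    chain_ok "$1" "$3" || { echo "chain incomplete: add the issuer certificates to $3" >&2; return 1; }
    openssl pkcs12 -export -chain -in "$1" -inkey "$2" -CAfile "$3" \
        -name "$6" -out "$4" -passout "pass:$5" 2>/dev/null
}

# Count the certificates in PKCS12 file $1 (password $2): leaf plus chain.
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo PKI in directory $1 (assumption, for the demonstration only):
# a self-signed root CA and a server certificate it signs, standing in for
# ca_cert.crt, your_cert.crt and your_cert.key.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca_cert.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=dsm.example.com" \
        -keyout "$1/your_cert.key" -out "$1/your_cert.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$1/your_cert.csr" -CA "$1/ca_cert.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -out "$1/your_cert.crt" 2>/dev/null
}
```

Run cert_cn against your real your_cert.crt to get the exact name for the hosts file, and p12_cert_count to confirm the exported keystore carries the full chain rather than the leaf alone.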
7. Configuring SSL connectivity from DSM to managed databases |
There is a technote: How to enable SSL connectivity from Data Server Manager to managed databases (LUW), which discusses in detail how to create a certificate in the DB2 database server and use it in DSM.
7.1. Set up SSL on the Database Server (managed database or DSM repository)
To connect securely from DSM to the managed database or DSM repository, you need to create the certificate on the server, export it to a file and then use the steps in Sections 1-6 to import the certificate into DSM.
Step 1: Create a key database
gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -stash
NOTE: The -stash option creates a stash file at the same path as the key database, with a file extension of .sth. At instance start-up, GSKit uses the stash file to obtain the password to the key database.
For Window 64 bit platforms, the Global Security Kit (GSKit) is not bundled with DB2.
It must be installed separately. The latest version of the Global Security Kit (GSKit) tool package can be downloaded from the IBM software download site.
Step 2: Add a certificate for your server to your key database
gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0"
-label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"
Step 3: Extract the certificate into a file
gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0"
-label "myselfsigned" -target "mydbserver.arm" -format ascii -fips
Step 4: Update the following database configuration parameters
db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/keystore/mydbserver.kdb
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/sqllib/security/keystore/mydbserver.sth
db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
db2 update dbm cfg using SSL_SVCENAME 50002
Step 5: Add SSL to DB2COMM environment variable
db2set -i db2inst1 DB2COMM=SSL
OR
db2set -i db2inst1 DB2COMM=SSL,TCPIP
Step 6: Stop and Start DB2
db2stop
db2start
Step 7: In DSM, create a new database connection to the database (or edit one if you already have it).
Step 8: In the JDBC Security pull-down list, select SSL Connectivity. The Truststore location and password input fields will be shown.
Step 9: Specify the SSL_SVCENAME port (see next section for more details), Truststore location and password.
Step 10: Click Test Connection. If the connection is successful, click OK.
Resources
2. Secure Sockets Layer (SSL) support in DB2 for Linux, UNIX, and Windows
3. Configuring the Java Runtime Environment to use SSL
4. Configuring Secure Sockets Layer (SSL) support in non-Java DB2 clients
5. DB2 technical tip: Set up Secure Sockets Layer (SSL) for DB2 on Windows
6. Connect DSM to dashDB Using SSL
7. Most common Java keytool keystore commands
8. GSKCapiCmd User’s Guide
9. OpenSSL Cookbook, with links to OpenSSL Manpages
Document Information
Modified date: 16 June 2018
UID: swg21997164