DB2 10.5 for Linux, UNIX, and Windows

Secure Sockets Layer (SSL)

The DB2® database system supports the use of Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), to enable a client to authenticate a server and to provide private communication between the client and server through encryption. Authentication is performed by the exchange of digital certificates.

Note: When this topic mentions SSL, the same information applies to TLS, unless otherwise noted.

Without encryption, packets of information travel through networks in full view of anyone who has access. You can use SSL to protect data in transit on all networks that use TCP/IP (you can think of an SSL connection as a secured TCP/IP connection).

A client and server establish a secure SSL connection by performing an "SSL handshake".

Overview of the SSL handshake

During an SSL handshake, a public-key algorithm, usually RSA, is used to securely exchange digital signatures and encryption keys between a client and a server. This identity and key information is used to establish a secure connection for the session between the client and the server. After the secure session is established, data transmission between the client and server is encrypted using a symmetric algorithm, such as AES.

The client and server perform the following steps during the SSL handshake:
  1. The client requests an SSL connection and lists its supported cipher suites.
  2. The server responds with a selected cipher suite.
  3. The server sends its digital certificate to the client.
  4. The client verifies the validity of the server certificate, for authentication purposes. It can do this by checking with the trusted certificate authority that issued the server certificate or by checking in its own key database.
  5. The client and server securely negotiate a session key and a message authentication code (MAC).
  6. The client and server securely exchange information using the key and MAC selected.

Note: The DB2 database system does not support the (optional) authentication of the client during the SSL handshake.
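The following is an added example, not DB2 code: a DB2 client performs these steps through IBM GSKit and its key database, not through Python. It uses only the Python standard library to make steps 1 and 4 concrete from the client's side: which cipher suites the client would list, and whether it actually verifies the server certificate against a trusted CA bundle. The `ca_file` path is an assumption supplied by the caller; with no path, the platform trust store is used. The unverified context is included only as the weak counterpart, to show what an audit should flag.

```python
"""Client-side TLS context checks illustrating handshake steps 1 and 4.

Added example, not DB2 or GSKit code: the standard-library ssl module is
used here to show the same two client-side concerns that the DB2 key
database covers: which suites the client offers, and whether it verifies
the server certificate before trusting the session.
"""
import ssl

# Substrings that mark suites a modern client should never offer.
WEAK_TOKENS = ("RC4", "NULL", "MD5", "DES", "EXPORT", "anon", "PSK", "SRP")


def make_client_context(ca_file=None, min_version=ssl.TLSVersion.TLSv1_2):
    """Context that authenticates the server (handshake step 4).

    ca_file: PEM bundle of trusted CAs (an assumed, caller-supplied path);
    None means the platform trust store is used instead.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already sets CERT_REQUIRED and check_hostname=True;
    # setting them explicitly keeps the intent visible to later maintainers.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = min_version
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def make_unverified_context():
    """Weak counterpart: the session is encrypted, but the server is never
    authenticated, so an impersonated server would not be detected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def offered_cipher_suites(ctx):
    """Names of the suites this client would list in handshake step 1."""
    return [c["name"] for c in ctx.get_ciphers()]


def audit_context(ctx):
    """Return a list of findings; empty means the context enforces server
    authentication, a TLS 1.2 floor and offers no weak suites."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol floor below TLS 1.2")
    for name in offered_cipher_suites(ctx):
        if any(tok in name for tok in WEAK_TOKENS):
            findings.append(f"weak cipher suite offered: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("verified", make_client_context()),
                       ("unverified", make_unverified_context())):
        print(label, "->", audit_context(ctx) or "OK")
        print("  offers", len(offered_cipher_suites(ctx)), "suites, e.g.",
              offered_cipher_suites(ctx)[:3])
```

Running the script prints an empty finding list for the verified context and three findings for the unverified one. The useful habit it demonstrates is auditing the client configuration rather than the server: a server with a perfectly valid certificate gives no protection if the client never checks it, which is exactly the gap that step 4 of the handshake closes.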

Using SSL encryption with DB2 authentication

You can use SSL encryption in conjunction with all existing DB2 authentication methods, such as KERBEROS or SERVER. You do this as usual by setting the authentication type for the instance in the DBM configuration parameters to the authentication method of your choice.