DB2 10.5 for Linux, UNIX, and Windows

NIST SP 800-131A compliance in a DB2 instance

The DB2® Cancun Release adds NIST SP 800-131A compliance. A DB2 instance is not configured by default to comply with NIST SP 800-131A. If you are required to comply with NIST SP 800-131A, you must configure your database instance.

A DB2 instance is strictly compliant with NIST SP 800-131A and encrypts data in-transit when:
  • The database manager configuration parameter SSL_VERSIONS is set to TLSV12 (recommended), TLS11, or TLS10.
    Note: If the SSL_VERSIONS parameter is set to TLSV12 and TLSV1, you can take advantage of TLS 1.2 support and fall back on TLS 1.1 or TLS 1.0 support. In this scenario, the database instance is not strictly compliant with NIST SP 800-131A.
  • The database manager configuration parameter SSL_CIPHERSPECS is set to a cipher suite whose symmetric algorithm key length is greater than or equal to 112 bits.
    Note: The following cipher suites meet this key length requirement.
    • TLS_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_RSA_WITH_AES_256_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_256_CBC_SHA
    • TLS_RSA_WITH_AES_128_GCM_SHA256
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
    • TLS_RSA_WITH_3DES_EDE_CBC_SHA
  • The database manager configuration parameter SSL_SVR_LABEL specifies a certificate with an RSA key length that is greater than or equal to 2048 bits and a digital signature that uses at least SHA2.
    Note: If SSL_VERSIONS is set to TLSV12, certificates that are signed with SHA1 are automatically excluded. SHA1 is not NIST SP 800-131A compliant.
Note: For encryption of data at rest, you must use InfoSphere Guardium Data Encryption.

Examples

1. Setting instance configuration parameters so that the instance is strictly compliant with NIST SP 800-131A.
  • Set the DB2 registry variable DB2COMM to include SSL.
    DB2SET DB2COMM=TCPIP,SSL
  • Set the DB2 database manager configuration parameter SSL_VERSIONS to TLSV12.
    DB2 UPDATE DBM CFG USING SSL_VERSIONS TLSV12
  • Set the database manager configuration parameter SSL_CIPHERSPECS to a cipher suite whose symmetric algorithm key length is greater than or equal to 112 bits.
    DB2 UPDATE DBM CFG USING SSL_CIPHERSPECS TLS_RSA_WITH_AES_256_GCM_SHA384
  • Set the database manager configuration parameter SSL_SVR_LABEL to a certificate with an RSA key length that is greater than or equal to 2048 bits. That certificate must also have a digital signature that uses at least SHA2.
    gsk8capicmd_64 -cert … -size 2048 -sigalg SHA256WithRSA -label "myselfsigned_SHA2_2K" ...
    DB2 UPDATE DBM CFG USING SSL_SVR_LABEL myselfsigned_SHA2_2K
These settings ensure that all connections over SSL from any CLP or Java™ application strictly adhere to NIST SP 800-131A.
2. Setting instance configuration parameters to take advantage of TLS 1.2 support while remaining able to fall back to TLS 1.1 or TLS 1.0.
  • Set the DB2 registry variable DB2COMM to include SSL.
    DB2SET DB2COMM=TCPIP,SSL
  • Set the DB2 database manager configuration parameter SSL_VERSIONS to TLSV12,TLSV1.
    DB2 UPDATE DBM CFG USING SSL_VERSIONS TLSV12,TLSV1
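The following script is an added example, not IBM's code: it reads the text that db2 get dbm cfg prints and reports whether SSL_VERSIONS, SSL_CIPHERSPECS and SSL_SVR_LABEL match the strict settings from example 1 or the fallback settings from example 2. It assumes the usual DBM CFG line layout ("... (SSL_VERSIONS) = TLSV12") and uses constructed sample output rather than a live instance.

```shell
#!/bin/sh
# Added example (not IBM's code): check "db2 get dbm cfg" output against the
# NIST SP 800-131A settings described above. Assumes the usual DBM CFG line
# layout, e.g. " SSL versions                (SSL_VERSIONS) = TLSV12".
# Cipher suites the page lists as meeting the 112-bit symmetric key minimum.
NIST_CIPHERS="TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA"
# cfg_value NAME CFG: value of parameter NAME in the DBM CFG text CFG.
cfg_value() {
  printf '%s\n' "$2" | sed -n "s/.*($1) *= *//p" | tr -d ' '
}
# check_ssl_config CFG: prints one PASS/FAIL line per check; returns 0 only
# when every check passes (strictly compliant), 1 otherwise.
check_ssl_config() {
  cfg=$1; rc=0
  versions=$(cfg_value SSL_VERSIONS "$cfg")
  # Only TLSV12 by itself counts as strict here: TLSV12,TLSV1 allows fallback.
  if [ "$versions" = TLSV12 ]; then echo "PASS SSL_VERSIONS=$versions"
  else echo "FAIL SSL_VERSIONS='$versions' (want TLSV12 only)"; rc=1; fi
  ciphers=$(cfg_value SSL_CIPHERSPECS "$cfg")
  if [ -z "$ciphers" ]; then echo "FAIL SSL_CIPHERSPECS not set"; rc=1; fi
  for c in $(printf '%s' "$ciphers" | tr ',' ' '); do
    if printf '%s\n' $NIST_CIPHERS | grep -qxF "$c"; then echo "PASS cipher $c"
    else echo "FAIL cipher $c is not in the NIST SP 800-131A list"; rc=1; fi
  done
  # Key size and signature algorithm live in the key database (inspect with
  # gsk8capicmd_64 -cert -details); only presence of the label is checked here.
  label=$(cfg_value SSL_SVR_LABEL "$cfg")
  if [ -n "$label" ]; then echo "PASS SSL_SVR_LABEL=$label"
  else echo "FAIL SSL_SVR_LABEL not set"; rc=1; fi
  return $rc
}
# Constructed sample DBM CFG excerpts (not captured from a real instance).
GOOD_CFG=' SSL versions                  (SSL_VERSIONS) = TLSV12
 SSL cipher specs               (SSL_CIPHERSPECS) = TLS_RSA_WITH_AES_256_GCM_SHA384
 SSL server certificate label   (SSL_SVR_LABEL) = myselfsigned_SHA2_2K'
BAD_CFG=' SSL versions                  (SSL_VERSIONS) = TLSV12,TLSV1
 SSL cipher specs               (SSL_CIPHERSPECS) = TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
 SSL server certificate label   (SSL_SVR_LABEL) = '
for sample in "$GOOD_CFG" "$BAD_CFG"; do   # on a live instance: db2 get dbm cfg
  if check_ssl_config "$sample"; then echo "=> strictly compliant"; else echo "=> NOT strictly compliant"; fi
done
```

On a real instance, pipe the output of db2 get dbm cfg into a variable and pass it to check_ssl_config; the certificate's key size and signature algorithm still have to be confirmed in the key database with gsk8capicmd_64.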