DB2 10.5 for Linux, UNIX, and Windows
NIST SP 800-131A compliance in a DB2 instance
The DB2® Cancun Release adds NIST SP 800-131A compliance. A DB2 instance is not configured by default to comply with NIST SP 800-131A. If you are required to comply with NIST SP 800-131A, you must configure your database instance.
A DB2 instance is strictly compliant with NIST SP 800-131A and encrypts data in transit when:
- The database manager configuration parameter SSL_VERSIONS is set to TLSV12 (recommended), TLS11, or TLS10.
Note: If the SSL_VERSIONS parameter is set to TLSV12 and TLSV1, you can take advantage of TLS 1.2 support and fall back to TLS 1.1 or TLS 1.0 support. In this scenario, the database instance is not strictly compliant with NIST SP 800-131A.
- The database manager configuration parameter SSL_CIPHERSPECS is set to cipher suites whose symmetric algorithm key length is greater than or equal to 112 bits.
Note: The following cipher suites meet this key length requirement.
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- The database manager configuration parameter SSL_SVR_LABEL specifies a certificate with an RSA key length of at least 2048 bits and a digital signature that uses SHA-2 at minimum.
Note: If SSL_VERSIONS is set to TLSV12, certificates that are signed with SHA-1 are automatically excluded. SHA-1 is not NIST SP 800-131A compliant.
Note: For encryption of data at rest, you must use InfoSphere Guardium Data Encryption.
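A check of the three conditions above, written as an added example rather than code from the IBM documentation: it parses a constructed sample of `db2 get dbm cfg` output (the `(PARAM) = value` line format is assumed) and reports every way an instance falls short of strict NIST SP 800-131A compliance. The certificate's RSA key size and signature algorithm are passed in as assumptions, since the page does not show how to read them from the key database.

```python
import re

# Cipher suites the page lists as meeting the >= 112-bit symmetric key requirement.
NIST_CIPHER_SUITES = frozenset("""
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
""".split())

# Constructed sample of "db2 get dbm cfg" output; the "(PARAM) = value" layout is assumed.
# It deliberately allows TLSV1 fallback and one RC4 suite so that the checker has findings.
SAMPLE_DBM_CFG = """\
 SSL versions                              (SSL_VERSIONS) = TLSV12,TLSV1
 SSL cipher specs                        (SSL_CIPHERSPECS) = TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
 SSL server certificate label              (SSL_SVR_LABEL) = myselfsigned_SHA2_2K
"""

def parse_dbm_cfg(text):
    """Map every '(PARAM) = value' line of dbm cfg output to {PARAM: value}."""
    return {m.group(1).upper(): m.group(2)
            for m in re.finditer(r"\((\w+)\)\s*=\s*(\S*)", text)}

def nist_findings(cfg, cert_key_bits, cert_sigalg):
    """Return the reasons the instance is NOT strictly NIST SP 800-131A compliant
    (an empty list means compliant). cert_* describe the SSL_SVR_LABEL certificate."""
    findings = []
    versions = {v for v in cfg.get("SSL_VERSIONS", "").split(",") if v}
    if versions != {"TLSV12"}:  # any other value permits TLS 1.0/1.1 negotiation
        findings.append("SSL_VERSIONS=%s permits fallback; strict mode requires TLSV12 only"
                        % ",".join(sorted(versions)))
    ciphers = [c for c in cfg.get("SSL_CIPHERSPECS", "").split(",") if c]
    if not ciphers:
        findings.append("SSL_CIPHERSPECS is not set")
    findings += ["cipher suite %s is not in the approved list" % c
                 for c in ciphers if c not in NIST_CIPHER_SUITES]
    if cert_key_bits < 2048:
        findings.append("certificate RSA key is %d bits; minimum is 2048" % cert_key_bits)
    if not re.match(r"SHA(256|384|512)", cert_sigalg, re.IGNORECASE):  # SHA-2 family only
        findings.append("certificate signature algorithm %s is not SHA-2" % cert_sigalg)
    if not cfg.get("SSL_SVR_LABEL"):
        findings.append("SSL_SVR_LABEL is not set")
    return findings

if __name__ == "__main__":
    for f in nist_findings(parse_dbm_cfg(SAMPLE_DBM_CFG), 2048, "SHA256WithRSA"):
        print("FINDING:", f)
```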
Examples
1. Setting instance configuration parameters so that the instance is strictly compliant with NIST SP 800-131A.
- Set the DB2 registry variable DB2COMM to include SSL.
DB2SET DB2COMM=TCPIP,SSL
- Set the DB2 database manager configuration parameter SSL_VERSIONS to TLSV12.
DB2 UPDATE DBM CFG USING SSL_VERSIONS TLSV12
- Set the database manager configuration parameter SSL_CIPHERSPECS to cipher suites whose symmetric algorithm key length is greater than or equal to 112 bits.
DB2 UPDATE DBM CFG USING SSL_CIPHERSPECS TLS_RSA_WITH_AES_256_GCM_SHA384
- Set the database manager configuration parameter SSL_SVR_LABEL to a certificate with an RSA key length of at least 2048 bits. That certificate must also have a digital signature that uses SHA-2 at minimum.
gsk8capicmd_64 -cert … -size 2048 -sigalg SHA256WithRSA -label "myselfsigned_SHA2_2K" ...
DB2 UPDATE DBM CFG USING SSL_SVR_LABEL myselfsigned_SHA2_2K
2. Setting instance configuration parameters to take advantage of TLS 1.2 support while remaining able to fall back to TLS 1.1 or TLS 1.0.
- Set the DB2 registry variable DB2COMM to include SSL.
DB2SET DB2COMM=TCPIP,SSL
- Set the DB2 database manager configuration parameter SSL_VERSIONS to TLSV12,TLSV1.
DB2 UPDATE DBM CFG USING SSL_VERSIONS TLSV12,TLSV1