In this topic, I would like to cover the base instance configuration of Db2 v11.1 to enable SSL connections from clients. In most situations, databases are accessed over a restricted network, but in some cases, it is necessary to allow access from an untrusted location.
One part of this task is authentication (which can be done also via certificates) and another part is the encrypted connection that protects the communication between server and client, making it unreadable for the attacker.
This post will cover configuration of Linux IBM Db2 v11.1 instance (other platforms are similar). It will allow you to connect to the database using any type of client which supports SSL connection. The configuration of the client will be covered in the further post.
Before starting (requirements):
As a first step, it is necessary to create a certificate folder, a key database and set up digital certificates. To create a certificate folder and a key database use the following command:
gsk8capicmd_64 -keydb -create -db "server.kdb" -pw "Passw0rd" –stash
Command mkdir and cd will create the directory and change the location to the directory.
Command gsk8capicmd_64 is used for management of CA certificates. In our command we used the following options:
The next step is to create a certificate for the key database. In this example, I will use a self-signed certificate. Creating a certificate signed by certificate authorities will be covered in another post. Here, I will create a self-signed certificate with a label mylabel.
gsk8capicmd_64 -cert -create -db "server.kdb" -pw "Passw0rd" -label "mylabel" -dn "CN=testcompany" -size 2048 -sigalg SHA256_WITH_RSA
The following options are used:
Now it is necessary to extract the certificate file that will be distributed to clients to enable them to establish the SSL connection (client version 10.5 FP 5 and higher). The extracted certificate will be stored in the file server.arm.
gsk8capicmd_64 -cert -extract -db "server.kdb" -pw "Passw0rd" -label "mylabel" -target "server.arm" -format ascii –fips
The new options used here are:
The system will generate the following files in the certs folder:
Now it is possible to configure the Db2 instance. The first command sets up the option SSL_SVR_KEYDB. If this parameter is null, SSL support is not enabled, so the path to the key store file is required.
db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/certs/server.kdb
The following command sets up the SSL_SVR_STASH option (for a stash file).
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/certs/server.sth
The SSL_SVR_STASH option needs to be set to enable SSL communication.
Both commands will return the warning SQL1362W. It can be ignored for now.
It is also necessary to set the SSL_SVR_LABEL and fill it with the value defined as a label when the certificate was created.
db2 update dbm cfg using SSL_SVR_LABEL mylabel
The SSL connections require a separate port. It can be defined as a service name or port number. The service name needs to be defined in /etc/services. My service name looks like this:
The service name is db2cs_db2inst1, port 50001, protocol TCP. This parameter is also required to enable SSL connections.
db2 update dbm cfg using SSL_SVCENAME db2cs_db2inst1
The last step before a restart of the instance is to set the environment variable for the instance. The database manager can support multiple protocols at the same time, but the following command will enable only SSL connections.
db2set -i db2inst1 DB2COMM=SSL
This command will allow SSL connections for instance db2inst1.
The last step is to restart the instance.
If you see no error during the start, the configuration was successful. You can do a quick check with netstat and see if the port for the service is listening. To establish the SSL connection from the client it is necessary to configure the client. These steps will be described in a future post.