SSL Connection Over JDBC for DB2

Create Certificate

The steps demonstrated here are performed on a Windows DB2 machine version 11.5.

Before proceeding, ensure that GSKit lib is added to the PATH variable.

Create a key database and configure your digital certificates.

gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "changeit"  -stash

Add the certificate for the server to the key database.

gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "changeit" -label "myselfsigned" -dn "CN=myhost.mycompany.com O=myOrganization, OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"

Extract the certificate to a file.

gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "changeit" -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips

Set up SSL support.

db2 update dbm cfg using SSL_SVR_KEYDB  "C:\Program Files\IBM\gsk8\bin\mydbserver.kdb"
db2 update dbm cfg using SSL_SVR_STASH "C:\Program Files\IBM\gsk8\bin\mydbserver.sth"
db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
db2 update dbm cfg using SSL_SVCENAME 50443
db2 update dbm cfg using SSL_VERSIONS TLSv12

Add the SSL to the DB2COMM registry variable.
```
#bash
db2set -i db2inst DB2COMM=SSL,TCPIP
```
Note
Replace db2inst with your db2 instance.
Restart DB2 instance.
```
 db2stop, db2start
```
Verify the SSL parameter.
```
GET DATABASE MANAGER CONFIGURATION
```

Upload Certificate

The CA certificate can be uploaded through the CipherTrust Manager's REST interface or GUI.

CipherTrust Manager's UI

Log on to the CipherTrust Manager GUI.
Click Database Protection to open the application. The Databases screen displays the list of existing database connections, if any.
In the left pane, click Database Certificates and enter the following details.
Field Description
Name Unique name for certificate.
Certificate Content of the cert.txt file in .PEM format.
Click Upload.

Field	Description
Name	Unique name for certificate.
Certificate	Content of the `cert.txt` file in .PEM format.

The SSL setup is complete. You can now create database connection over SSL.

CipherTrust Manager's Rest interface

Open the CipherTrust Manager URL in a browser. The login page is displayed.
On the login page, click the API & CLI Documentation link. The API playground is displayed in the right.
Click Authenticate.
Enter username, password, domain, and click POST. The default domain is root.
In the left pane, click CDP > Database.
Click Upload - post. The Upload - post section is displayed on the right.

In the body field, paste the CA certificate in the .pem format as shown below.

{
    "name":"myCertCh",
    "cert":"-----BEGIN CERTIFICATE-----\nMIIBkDCB+gIBADANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZzZXJ2ZXIwHhcNMTkwNzMwMDQy\nODUyWhcNMjAwNzI5MDQyODUyWjARMQ8wDQYDVQQDEwZzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQAD\ngY0AMIGJAoGBAMPJ9L0IanR5XxajKiLjEns2geFzYjCdOpIcqiHTH78D7N1nIm/XMWTbo7Bebi0V\nrirWM1LUakhHxUSV9L+nb1IMaAuk01/pmJaSbU8EPzcmujWoA66gKg2K0phExoT1RQ+QE+6pLBPl\nftSB8VLNiPcXx4GMQcUq9Kiw4CMmozvBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjxmFBnkkxp1K\n2gkDsfvz5Uq7bGvXwdO8M/j5Ryz812f4pzyCXbb8p4rkf9l27WJAJ6Ero9U07K7Rd8NqBJmReobq\nDcPQnp2y4dzsPI7/oMHfk69DkGIa4PHhEYcXWz37L33CBrxnASpqM6yc/thjARt73Ejs80foBkAf\nOG6//Cs=\n-----END CERTIFICATE-----"
}

Click POST.

Select SSL

On the DB2 Database Configuration page, select the Protocol as SSL.

Suggest A Change