SSL Connection Over JDBC for DB2
Create Certificate
The steps demonstrated here are performed on a Windows DB2 machine version 11.5.
Before proceeding, ensure that the GSKit library directory is added to the PATH variable.
Create a key database and configure your digital certificates.
gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "changeit" -stash
Add the certificate for the server to the key database.
gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "changeit" -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"
Extract the certificate to a file.
gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "changeit" -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips
Set up SSL support.
db2 update dbm cfg using SSL_SVR_KEYDB "C:\Program Files\IBM\gsk8\bin\mydbserver.kdb"
db2 update dbm cfg using SSL_SVR_STASH "C:\Program Files\IBM\gsk8\bin\mydbserver.sth"
db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
db2 update dbm cfg using SSL_SVCENAME 50443
db2 update dbm cfg using SSL_VERSIONS TLSv12
Add SSL to the DB2COMM registry variable.
db2set -i db2inst DB2COMM=SSL,TCPIP
Note
Replace db2inst with the name of your DB2 instance.
Restart the DB2 instance.
db2stop
db2start
Verify the SSL parameter.
GET DATABASE MANAGER CONFIGURATION
Upload Certificate
The CA certificate can be uploaded through the CipherTrust Manager's REST interface or GUI.
CipherTrust Manager's UI
Log on to the CipherTrust Manager GUI.
Click Database Protection to open the application. The Databases screen displays the list of existing database connections, if any.
In the left pane, click Database Certificates and enter the following details.
Field: Description
Name: Unique name for certificate.
Certificate: Content of the cert.txt file in .PEM format.
Click Upload.
The SSL setup is complete. You can now create a database connection over SSL.
CipherTrust Manager's REST interface
Open the CipherTrust Manager URL in a browser. The login page is displayed.
On the login page, click the API & CLI Documentation link. The API playground is displayed on the right.
Click Authenticate.
Enter username, password, domain, and click POST. The default domain is root.
In the left pane, click CDP > Database.
Click Upload - post. The Upload - post section is displayed on the right.
In the body field, paste the CA certificate in the .pem format as shown below.
{ "name":"myCertCh", "cert":"-----BEGIN CERTIFICATE-----\nMIIBkDCB+gIBADANBgkqhkiG9w0BAQQFADARMQ8wDQYDVQQDEwZzZXJ2ZXIwHhcNMTkwNzMwMDQy\nODUyWhcNMjAwNzI5MDQyODUyWjARMQ8wDQYDVQQDEwZzZXJ2ZXIwgZ8wDQYJKoZIhvcNAQEBBQAD\ngY0AMIGJAoGBAMPJ9L0IanR5XxajKiLjEns2geFzYjCdOpIcqiHTH78D7N1nIm/XMWTbo7Bebi0V\nrirWM1LUakhHxUSV9L+nb1IMaAuk01/pmJaSbU8EPzcmujWoA66gKg2K0phExoT1RQ+QE+6pLBPl\nftSB8VLNiPcXx4GMQcUq9Kiw4CMmozvBAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAjxmFBnkkxp1K\n2gkDsfvz5Uq7bGvXwdO8M/j5Ryz812f4pzyCXbb8p4rkf9l27WJAJ6Ero9U07K7Rd8NqBJmReobq\nDcPQnp2y4dzsPI7/oMHfk69DkGIa4PHhEYcXWz37L33CBrxnASpqM6yc/thjARt73Ejs80foBkAf\nOG6//Cs=\n-----END CERTIFICATE-----" }
Click POST.
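The request body from the step above can be generated rather than hand-edited. The following is an added example, not part of the CipherTrust documentation: it turns an ASCII-armored certificate into the JSON body with escaped newlines, and rejects input that contains a private key or anything other than a single certificate. The names build_upload_body and sample_pem, and the sample bytes, are assumptions made for illustration.

```python
import base64
import json
import re

# Matches any PEM block and captures its label and base64 body.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def build_upload_body(name, pem_text):
    """Return the JSON body {"name": ..., "cert": ...} for one PEM certificate."""
    blocks = PEM_BLOCK.findall(pem_text)
    labels = [label for label, _ in blocks]
    # Only the public certificate belongs in the upload; reject key material.
    if any("PRIVATE KEY" in label for label in labels):
        raise ValueError("input contains a private key; upload the certificate only")
    if labels != ["CERTIFICATE"]:
        raise ValueError(f"expected exactly one CERTIFICATE block, found {labels}")
    b64 = "".join(blocks[0][1].split())
    der = base64.b64decode(b64, validate=True)  # raises on non-base64 characters
    # Structural check only (not a full X.509 parse): DER certificates start
    # with an ASN.1 SEQUENCE tag, 0x30.
    if der[:1] != b"\x30":
        raise ValueError("CERTIFICATE block does not hold a DER SEQUENCE")
    # Normalise to LF line endings and 64-character lines.
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])
    # json.dumps writes each newline as the two characters \n, as in the body above.
    return json.dumps({"name": name, "cert": pem})


def sample_pem():
    """Constructed placeholder bytes in PEM armor with CRLF endings (not a real certificate)."""
    der = b"\x30\x82\x00\x60" + bytes(range(96))
    b64 = base64.encodebytes(der).decode().replace("\n", "\r\n")
    return "-----BEGIN CERTIFICATE-----\r\n" + b64 + "-----END CERTIFICATE-----\r\n"


if __name__ == "__main__":
    # For real use, read the file produced by the extract step (mydbserver.arm).
    print(build_upload_body("myCertCh", sample_pem()))
```

To use it with the certificate extracted earlier, pass the text of mydbserver.arm as pem_text and paste the printed output into the body field.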
Select SSL
On the DB2 Database Configuration page, select the Protocol as SSL.