Adding the CA Cert and Generating the CSR
You can download and add the CA cert in the local keystore for any of the following Certificate Authorities:
Local CA
In the CipherTrust Manager, download the Local CA Cert (Certificate.pem).
Move the downloaded CA Cert to the work folder that you created on the DB2 server.
Rename Certificate.pem to ca.crt:
mv <work_folder_location>/Certificate.pem <work_folder_location>/ca.crt
For example: mv /opt/wallet/KMIP/Certificate.pem /opt/wallet/KMIP/ca.crt
Add the CA cert to the local keystore.
/home/<DB2 user instance>/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db <work_folder_location>/<local_keystore> -stashed -label <LABEL FOR CA CERTIFICATE> -file <CA CERTIFICATE FILE>
For example: /home/db2user/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "/opt/wallet/KMIP/clientkeydb.p12" -stashed -label "DB2_CA_CERT" -file "/opt/wallet/KMIP/ca.crt"
External CA
Generate the External CA using OpenSSL or any other CA generator.
Upload the CA on the CipherTrust Manager, using the following steps:
Go to CA > External.
On the CA page, click Add External CA.
Paste the contents of rootCACert.pem and click Save.
Move the downloaded CA Cert to the work folder that you created on the DB2 server.
Add the CA cert to the local keystore.
/home/<DB2 user instance>/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db <work_folder_location>/<local_keystore> -stashed -label <LABEL FOR CA CERTIFICATE> -file <CA CERTIFICATE FILE>
For example: /home/db2user/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "/opt/wallet/KMIP/clientkeydb.p12" -stashed -label "DB2_CA_CERT" -file "/opt/wallet/KMIP/ca.crt"
Generating the CSR for Client Certificate
After adding the CA cert to the local keystore, generate the Client Certificate request using the following steps:
On the DB2 server, generate the Client Certificate Request. Use the user newly created on CipherTrust Manager (DB2_CLIENT_CERT in this case) as the reference when generating the CSR.
<DB2_HOME>/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db <LOCAL KEYSTORE FILE> -stashed -label <LABEL FOR CLIENT CERTIFICATE> -dn <CLIENT CERTIFICATE DETAILS> -target <CLIENT CSR FILE> -size 2048 -sigalg SHA256
For example: /home/db2user/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "/opt/wallet/KMIP/clientkeydb.p12" -stashed -label "DB2_CLIENT_CERT" -dn "CN=DB2_CLIENT_CERT, O=Gemalto, OU=PA, L=Noida, ST=UP, C=IN" -target "/opt/wallet/KMIP/client_cert_request.arm" -size 2048 -sigalg SHA256
Generating the CSR for Server Certificate
Note
A server certificate is required only when you are using an External CA. You can skip this step if you are using the Local CA.
To create a server certificate, perform the following steps:
Create a server key using the following command.
openssl genrsa -out server.key 2048
Create a CSR for the server using the key generated above.
openssl req -key server.key -new -sha256 -out server.csr -subj /O=my-org/OU=my-org/OU=server/CN=server
After generating the CSR (server.csr in this case), create a server certificate using the following openssl command:
openssl x509 -req -days 7300 -in server.csr -CA rootCACert.pem -CAkey rootCAKey.pem -CAcreateserial -out server.cert -sha256
This server key and server certificate are used when configuring the KMIP interface.
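The server-certificate steps above, as an added example that is not part of the CipherTrust Manager or DB2 documentation: it runs the three openssl commands in a scratch directory and then verifies the result before it is handed to the KMIP interface configuration. It assumes openssl is on PATH; the root CA it generates is constructed for the example, standing in for the rootCACert.pem/rootCAKey.pem you uploaded to CipherTrust Manager.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes: openssl on PATH.
set -eu

# Throwaway root CA, constructed here only so the example is self-contained.
make_root_ca() {
  dir="$1"
  openssl genrsa -out "$dir/rootCAKey.pem" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/rootCAKey.pem" -sha256 -days 3650 \
    -subj "/O=my-org/CN=example-root-ca" -out "$dir/rootCACert.pem" 2>/dev/null
}

# The documented steps: server key, CSR, CA-signed server certificate.
make_server_cert() {
  dir="$1"
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -key "$dir/server.key" -new -sha256 -out "$dir/server.csr" \
    -subj "/O=my-org/OU=my-org/OU=server/CN=server"
  openssl x509 -req -days 7300 -in "$dir/server.csr" -CA "$dir/rootCACert.pem" \
    -CAkey "$dir/rootCAKey.pem" -CAcreateserial -out "$dir/server.cert" -sha256 2>/dev/null
}

# Checks worth running before the cert is configured on the KMIP interface:
#  1. the certificate chains to the CA that CipherTrust Manager trusts,
#  2. the private key really belongs to the certificate (public keys match),
#  3. the subject CN is the one you intended.
# Prints "ok" and returns 0 only if all three hold.
verify_server_cert() {
  dir="$1"
  openssl verify -CAfile "$dir/rootCACert.pem" "$dir/server.cert" >/dev/null || return 1
  cert_pub=$(openssl x509 -in "$dir/server.cert" -noout -pubkey)
  key_pub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || return 1
  openssl x509 -in "$dir/server.cert" -noout -subject | grep -q "CN *= *server" || return 1
  echo ok
}

workdir=$(mktemp -d)
make_root_ca "$workdir"
make_server_cert "$workdir"
verify_server_cert "$workdir"
```

Point verify_server_cert at the real work folder (with the CA certificate you uploaded) to validate server.key and server.cert from the documented steps.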