Your suggested change has been received. Thank you.

close

Suggest A Change

https://thales.na.market.dpondemand.io/docs/dpod/services/kmo….

Thales Logo

All

  • All
back

IBM DB2

Integration with CipherTrust Manager

search

Integration with CipherTrust Manager

This section lists the steps to integrate IBM DB2 with CipherTrust Manager.

Prerequisites

This section provides the prerequisites for integration of IBM DB2 with CipherTrust Manager.

  1. Setting up the Environment

  2. Creating a Local Keystore

Setting up the Environment

You need to set up the environment before starting the integration. Setting up the environment includes the following steps:

Using Root User

  1. Create a work folder where all the certificates, keystore, and config files will be created. This work folder will be owned by DB2 instance user.

    mkdir <folder path>

  2. Assign permission to DB2 instance user to the above created work folder.

    chown -R <DB2 instance user> <folder path>

After performing the above steps, DB2 instance user should have correct permission on the above created work folder.

To check the permission, try to create a dummy text file inside the above create work folder using the DB2 instance user.

For Example:

(as db2user) cd /opt/wallet/KMIP
(as db2user) touch test.txt
(as db2user) ls -l

Ensure that test.txt is created.

Note

In this document, we will use:

  • /opt/wallet/KMIP as the work folder.

  • db2user as the DB2 instance user.

Creating a Local Keystore

To create a local keystore, run the following command:

/home/<DB2 instance user>/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db <work folder path followed by the local keystore filename> -pw <PASSWORD> -type pkcs12 -stash

For example: /home/db2user/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db /opt/wallet/KMIP/clientkeydb.p12 -pw "asdf1234" -type pkcs12 -stash

After executing the above command, ensure that local keystore file (clientkeydb.p12 in this case) is created at the specified location.

Configuration on CipherTrust Manager

To configure the CipherTrust Manager, you need to perform the following steps:

  1. Creating a Domain (optional)

  2. Creating a User

  3. Assigning User to a Group

  4. Registering a KMIP Client

  5. Configuring the KMIP Interface

Creating a Domain (Optional)

Perform the following steps on CipherTrust Manager:

Note

This step is optional and needs to be performed only if you want to integrate within a domain.

  1. Navigate to Admin Settings > Domains.

  2. Click Add Domain. The Add Domain page appears.

  3. Specify the following information:

    • Name - Enter the domain name.

    • Admins - Select the admins (one or more) from the list available in the drop down. For example, admin.

    • Parent CA - Select parent CA as root CA.

    • Allow Subdomain User Management - Select this check box if you want to enable user management in the subdomain through this domain.

  4. Click Save.

  5. Click the current domain name at the top right corner to switch to the newly created domain.

Creating a User

To create a user, perform the following steps:

  1. Log on to the CipherTrust Manager GUI.

  2. Navigate to Access Management > Users.

  3. On the Users page, click Add User.

  4. On the Add User screen, provide the following details:

    • Full Name

    • Username

    • Email

    • Password

    • Password Match

    For more information on creating a user depending on the selected connection type, refer to Managing Users.

  5. Click Add User. The newly created user is listed on the Users page.

To create a user, perform the following steps:

Note

You can only create users in sub domains if you have enabled Allow Subdomain User Management while creating a domain.

  1. Log on to the CipherTrust Manager GUI with the User you created within the Sub Domain.

  2. Navigate to Access Management > Users.

  3. On the Users page, click Create User.

  4. On the Create User screen provide the following details:

    • Enter Username.

    • Enter Password.

  5. Click Create. The newly created user is listed on the Users page.

Assigning User to a Group

Perform the following steps to add user to a group:

  1. Navigate to Access Management > Users.

  2. Select the required User from the list, the respective User details page appears.

  3. Click GROUPS. On the search bar, enter the Key Admins or Key Users group depending on the level of access you want to grant to the user.

  4. Click Add. User is now assigned to the selected Group .

Registering a KMIP Client

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Create a Registration Token using the following steps:

    1. Log on to the CipherTrust Manager in the root domain.

    2. Go to Access Management > Registration Tokens.

    3. Click Add Registration Token.

    Copy the Registration Token once it is created.

  2. To enable Auto Registration perform the following steps:

    1. Go to Admin Settings > Interfaces.

    2. Select the desired KMIP interface from the list. The corresponding Interface Details page is displayed.

    3. On the Interface Details page, select Auto Registration checkbox to enable Auto Registration.

    4. Paste the Registration Token.

    5. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    6. Click Update.

  1. Log on to the CipherTrust Manager.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Click Certificate Details.

    5. Paste the content of client.csr.

    6. Click Save.

  4. Create Registration Token using the following steps:

    1. Navigate to Registration Tokens under Access Management and click Add Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with Certificate Duration, and Client Capacity for the token.

    4. Click Next. You can alternatively click Select CA to proceed further.

    5. Select the CA Type as Local or External depending on the type of CA required.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Add Token.

    Note

    If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.

  5. Go to Registered Clients and click Add Client.

    • Specify client name and paste the Registration Token generated in the above step.

      Note

      If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.

    • Click Save to save the client certificate.

You can register a KMIP client on the CipherTrust Manager through:

  • Auto Registration

  • Manual Registration

  1. Create a Registration Token in the sub-domain using the following steps:

    1. Log on to the CipherTrust Manager in your specified subdomain.

    2. Go to Access Management > Registration Tokens.

    3. Click Add Registration Token > Begin.

    4. Add a Name Prefix.

    5. Specify a Token Lifetime value along with the Client Capacity for the token.

    6. Copy the value of the Registration Token once it is created.

  2. To enable Auto Registration perform the following steps:

    1. Log on to the CipherTrust Manager in the root domain.

    2. Go to Admin Settings > Interfaces.

    3. Select the desired kmip interface from the list. The respective Interface Detail page appears.

    4. elect Auto Registration.

    5. Paste the Registration Token.

    6. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

    7. Click Update.

  1. Log on to the CipherTrust Manager into your domain.

  2. Go to Products > KMIP.

  3. Create Client Profile using the following steps:

    1. Go to Client Profile and click Add Profile.

    2. Add a Profile Name.

    3. Select CN in Username Location in Certificate.

    4. Expand the Certificate Details section.

    5. You can either paste the content of a generated client.csr or you can create one, by filling in the details.

      In case of domains, the format to enter the Common Name field for the CSR is: domainName||domainUser

    6. Click Save.

  4. Create a Registration Token using the following steps:

    1. Go to Registration Token and click New Registration Token > Begin.

    2. Add a Name Prefix.

    3. Specify a Token Lifetime value along with the Client Capacity for the token.

    4. Click Select CA.

    5. Select the CA type as Local/External depending on what you are using.

    6. Select the appropriate CA from the dropdown menu and click Select Profile.

    7. Select the Client Profile from the dropdown which you have created in the above step.

    8. Click Create Token.

    9. Copy the value of the Token created and click Done.

  5. If you are using External CA then you can select the external CA which was created using openssl and uploaded on the CipherTrust Manager.

  6. Go to Registered Clients and click Add Client.

    1. Specify client name and paste the Registration Token generated in the above step.

      Note

      If you are using external CA then you need to paste the signed client certificate in the Client Certificate field.

    2. Click Save to save the client certificate.

Configuring the KMIP Interface

The KMIP interface can be configured through:

  1. Go to Admin Settings > Interfaces.

  2. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  3. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, Auto Registration is disabled.

  4. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  5. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Note

    Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.

  6. Select the CA according to your preference:

    • If you are using External CA then select the CA under External Trusted CAs

    • If you are using Local CA then select the CA under Local Trusted CAs

  7. If you are using an External CA, expand the Upload Certificate section:

    • In the Certificate field, paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space or character or symbol between the contents of these files.

    • Select certificate Format as PEM.

    • Password field is optional and can be skipped.

    • Click Update.

  1. Switch to Root Domain.

  2. Go to Admin Settings > Interfaces.

  3. On the KMIP Interface, click the ellipsis button (...) and then click View/Edit.

  4. Select the Auto Registration checkbox if you auto-registered your KMIP client and paste the value of the registration token that you created.

    Note

    By default, the Auto Registration is disabled.

  5. Select the mode as TLS, verify client cert, user name taken from client cert, auth request is optional.

  6. Specify selections for Local CA for Automatic Server Certificate Generation as desired.

    Note

    Local CA for Automatic Server Certificate Generation should be set to Turn off auto generation from Local CA in case of External CA.

  7. Select the CA according to your preference.

    1. Login to your sub-domain. Go to CA > Local. Click the ellipsis (...) and copy the contents of your CA Certificate.

    2. Logout of your sub-domain and now login to the root domain.

    3. Go to CA > External > Add External CA.

    4. Enter a name for this Domain CA and select the text radio button and paste the certificate contents.

    5. Click Add External CA.

    6. Go to Admin Settings > Interfaces.

    7. Click the Add icon to add the External CA.

    8. Click Update.

    Note

    If you are using an External CA in the root Domain, you need to add the CA as an External CA in both the root domain as well as the sub-domain and modify the interface accordingly.

    1. Go to Admin Settings > Interfaces.

    2. Click the Add icon to add the External CA.

    3. Click Update.

    4. On the KMIP interface, click the ellipsis (...) > Certificate Options > Upload New Certificate > Ok.

    5. Select the Certificate Chain option and click Build Certificate Chain.

    6. Click on Text and paste the contents of Server Certificate, CA, and Server Key file in the same order. Do not introduce any space, character or symbol between the contents of these files.

    7. Select certificate Format as PEM.

    8. Click on Upload Certificate.

Configuration on IBM DB2

Generating Master Encryption Key in the CipherTrust Manager

To generate the Master Encryption Key in the CipherTrust Manager, perform the following steps:

  1. Create a centralized KeyStore.

    1. To store a Master Encryption Key in CipherTrust Manager for a DB2 native encryption, you need to create a configuration file that contains all details about this centralized KeyStore i.e. the CipherTrust Manager.

    2. In the work folder (/opt/wallet/KMIP) of the DB2 server, create kmip.cfg file with the following details:

      VERSION=1
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=/opt/wallet/KMIP/clientkeydb.p12
SSL_KEYDB_STASH=/opt/wallet/KMIP/clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=DB2_CLIENT_CERT
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=IP of CM
MASTER_SERVER_KMIP_PORT=<port for KMIP interface>
CLONE_SERVER_HOST=
CLONE_SERVER_KMIP_PORT=

    where:

    • SSL_KEYDB (Required): Absolute path and name of the local keystore file that holds the SSL certificates for communication between DB2 server and the CipherTrust Manager.

    • SSL_KEYDB_STASH (Optional): Absolute path and name of the stash file for the local keystore that hold the certificates for communication between DB2 server and the CipherTrust Manager.

    • SSL_KMIP_CLIENT_CERTIFICATE_LABEL (Required): The label of the SSL certificate for authenticating the client during communication with the CipherTrust Manager.

    • MASTER_SERVER_HOST is the CipherTrust Manager IP.

    • MASTER_SERVER_KMIP_PORT is the KMIP interface Port in the CipherTrust Manager.

  2. Configure a DB2 instance to use CipherTrust Manager as centralized keystore.

    1. Enter into DB2 command line using the db2 command with the DB2@instance user.

    2. Update the keystore to point to our new config file kmip.cfg.

      db2 => update dbm cfg using keystore_location <file path>/kmip.cfg
db2 => update dbm cfg using keystore_type kmip

    3. Stop and Start the database.

      db2 => db2stop
db2 => db2start

Creating an Encrypted Database

To create an encrypted database you need to add the parameter encrypt in the create database command.

db2 => create db <database_name> encrypt

For Example: db2 => create db myencdb encrypt

Note

  • In the above example, an encrypted database myencdb is created. This database is using the native encryption of DB2.

  • After executing the above command, a master encryption key is created in the CipherTrust Manager.

On this page