Configuring SSL for DB2 for LUW

For DB2 LUW 9.7 & later:

Refer to the Configuring Secure Sockets Layer (SSL) support in a DB2 instance chapter in the DB2 documentation for details.

The following is an example of using self-signed certificates.

Use GSKit to create a keystore file (certificate database) and a certificate. Export the certificate if desired:

C> cd C:\Program Files\ibm\gsk8\bin

C> gsk8capicmd -keydb -create -db "mydbserver.kdb" -pw "mypassword" -stash

C> gsk8capicmd -cert -create -db "mydbserver.kdb" -pw "mypassword" -label "SelfSigned" -dn "CN=myhost.mydomain.com,O=MyCompany,OU=CustomerSupport,L=California,ST=ON,C=CA"

C> gsk8capicmd -cert -extract -db "mydbserver.kdb" -pw "mypassword" -label "SelfSigned" -target "MYHOSTserver.arm" -format ascii -fips

On UNIX, make sure that the DB2 instance owner has read access to the keystore file.

Update DB2 and restart it:

C> db2 update dbm cfg using SSL_SVR_KEYDB "C:\Program Files\ibm\gsk8\bin\mydbserver.kdb"

C> db2 update dbm cfg using SSL_SVR_LABEL SelfSigned

C> db2 update dbm cfg using SSL_SVR_STASH "C:\Program Files\ibm\gsk8\bin\mydbserver.sth"

C> db2 update dbm cfg using SSL_SVCENAME 50029

C> db2set -i db2 DB2COMM=SSL,TCPIP

C> db2stop

C> db2start

Note that there is a problem in DB2 LUW 9.7 fp3 (resolved in fp4); see IC72728: THE PORT NUMBER FOR SSL_SVCENAME IN THE SERVICE FILE IS USED FOR SVCENAME. The value specified for SSL_SVCENAME is being used for both SSL and non-SSL listeners, causing a conflict. The workaround is to set the SVCENAME parameter using an explicit port number:

C> db2 update dbm cfg using SVCENAME 50000
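The following checker is an added example, not part of the original instructions: it reads the output of db2 get dbm cfg and db2set -all after the steps above and confirms that the four SSL_SVR_* / SSL_SVCENAME parameters are set, that DB2COMM includes SSL, and that SVCENAME and SSL_SVCENAME do not resolve to the same port (the listener collision described for 9.7 fp3). The two output samples and the services map are constructed; real output lists many more parameters, but the parser relies only on the "description (PARAMETER) = value" layout and the "[i] NAME=value" registry layout. Values given as service names are resolved through the services map, so the check also catches the case where the two names point at one port.

```python
import re

# Constructed sample of `db2 get dbm cfg` output, reduced to the relevant lines.
# SVCENAME is deliberately set to the SSL port so the IC72728-style conflict shows up.
SAMPLE_DBM_CFG = """\
 TCP/IP Service name                          (SVCENAME) = 50029
 SSL server keydb file                   (SSL_SVR_KEYDB) = C:\\Program Files\\ibm\\gsk8\\bin\\mydbserver.kdb
 SSL server stash file                   (SSL_SVR_STASH) = C:\\Program Files\\ibm\\gsk8\\bin\\mydbserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = SelfSigned
 SSL service name                         (SSL_SVCENAME) = 50029
"""

# Constructed sample of `db2set -all` output (instance-level DB2COMM).
SAMPLE_DB2SET = """\
[i] DB2COMM=SSL,TCPIP
[g] DB2SYSTEM=MYHOST
"""

# Constructed stand-in for the services file: service name -> port.
SAMPLE_SERVICES = {"db2c_db2": 50000, "db2c_db2_ssl": 50029}

PARAM_RE = re.compile(r"\((?P<name>[A-Z0-9_]+)\)\s*=\s*(?P<value>.*?)\s*$")
REG_RE = re.compile(r"^\[[a-z]\]\s*(?P<name>[A-Z0-9_]+)=(?P<value>.*)$")
REQUIRED_SSL_PARAMS = ("SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVR_LABEL", "SSL_SVCENAME")


def parse_dbm_cfg(text):
    """Map parameter name -> value from `db2 get dbm cfg` output."""
    cfg = {}
    for line in text.splitlines():
        m = PARAM_RE.search(line)
        if m:
            cfg[m.group("name")] = m.group("value")
    return cfg


def parse_db2set(text):
    """Map registry variable -> value from `db2set -all` output."""
    reg = {}
    for line in text.splitlines():
        m = REG_RE.match(line.strip())
        if m:
            reg[m.group("name")] = m.group("value").strip()
    return reg


def resolve_port(value, services):
    """A SVCENAME/SSL_SVCENAME value is either a port number or a services-file name."""
    if value.isdigit():
        return int(value)
    return services.get(value)


def check_ssl_config(cfg, reg, services):
    """Return a list of problems; an empty list means the SSL setup is consistent."""
    problems = []
    for p in REQUIRED_SSL_PARAMS:
        if not cfg.get(p):
            problems.append(f"{p} is not set")

    comm = {x.strip().upper() for x in reg.get("DB2COMM", "").split(",") if x.strip()}
    if "SSL" not in comm:
        problems.append("DB2COMM does not include SSL, so no SSL listener will start")

    ssl_port = resolve_port(cfg.get("SSL_SVCENAME", ""), services)
    plain_port = resolve_port(cfg.get("SVCENAME", ""), services)
    if "TCPIP" in comm and plain_port is None:
        problems.append("DB2COMM includes TCPIP but SVCENAME does not resolve to a port")
    if ssl_port is not None and ssl_port == plain_port:
        problems.append(
            f"SVCENAME and SSL_SVCENAME both resolve to port {ssl_port}; "
            "the SSL and non-SSL listeners would collide (set SVCENAME to a distinct port)"
        )
    return problems


if __name__ == "__main__":
    cfg = parse_dbm_cfg(SAMPLE_DBM_CFG)
    reg = parse_db2set(SAMPLE_DB2SET)
    for problem in check_ssl_config(cfg, reg, SAMPLE_SERVICES) or ["no problems found"]:
        print(problem)
```

On a live instance, feed the real output in (for example db2 get dbm cfg piped to a file and read into parse_dbm_cfg) and pass a map built from the services file; running it once before and once after the SVCENAME workaround shows the collision report disappear.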

For DB2 LUW 9.1 & 9.5:


The procedure is similar to the above instructions for DB2 LUW 9.7, except

where INSTHOME is the home directory of the instance.

Here is a sample sslconfig.ini:

DB2_SSL_KEYSTORE_FILE=C:\Program Files\ibm\gsk7\bin\mydbserver.kdb

DB2_SSL_LISTENER=50448

DB2_SSL_KEYSTORE_PW=mypassword

DB2_SSL_KEYSTORE_LABEL=SelfSigned

After configuring gsk7 and creating sslconfig.ini, enter db2set -i db2 DB2COMM=SSL,TCPIP and restart DB2.
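As an added example (not part of the original instructions), the following parses an sslconfig.ini of the form shown above and checks that the four keys are present, that DB2_SSL_LISTENER is a usable TCP port, that the keystore path names a .kdb file and, optionally, that it exists. Because the file carries the keystore password in clear text, it also reports whether group or other users can read the file, which on UNIX is the same permission concern as the keystore itself. The sample content is constructed from the page's values; the keystore path is a Windows path that will not exist where this runs, so the existence check is only applied when a caller supplies one.

```python
import os
import stat
import tempfile

# Constructed sslconfig.ini matching the sample above.
SAMPLE_SSLCONFIG = """\
DB2_SSL_KEYSTORE_FILE=C:\\Program Files\\ibm\\gsk7\\bin\\mydbserver.kdb
DB2_SSL_LISTENER=50448
DB2_SSL_KEYSTORE_PW=mypassword
DB2_SSL_KEYSTORE_LABEL=SelfSigned
"""

REQUIRED_KEYS = (
    "DB2_SSL_KEYSTORE_FILE",
    "DB2_SSL_LISTENER",
    "DB2_SSL_KEYSTORE_PW",
    "DB2_SSL_KEYSTORE_LABEL",
)


def parse_sslconfig(text):
    """Parse KEY=value lines; blank lines and lines starting with # or ; are skipped."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed sslconfig.ini line: {raw!r}")
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def validate_sslconfig(values, keystore_exists=None):
    """Return a list of problems with the parsed settings (empty list means OK).

    keystore_exists is an optional callable(path) -> bool; None skips the check.
    """
    problems = []
    for key in REQUIRED_KEYS:
        if not values.get(key):
            problems.append(f"{key} is missing or empty")
    port = values.get("DB2_SSL_LISTENER", "")
    if port and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"DB2_SSL_LISTENER {port!r} is not a valid TCP port")
    keystore = values.get("DB2_SSL_KEYSTORE_FILE", "")
    if keystore and not keystore.lower().endswith(".kdb"):
        problems.append(f"DB2_SSL_KEYSTORE_FILE {keystore!r} does not look like a GSKit .kdb file")
    if keystore_exists is not None and keystore and not keystore_exists(keystore):
        problems.append(f"keystore {keystore!r} not found")
    return problems


def readable_by_others(path):
    """True if group or other have read permission on the file (UNIX mode bits)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def write_sample_and_check(mode):
    """Write the sample to a temporary file with the given mode and report whether
    group/other can read it; demonstrates why 0600 is the right mode for a file
    that holds the keystore password in clear text. Meaningful on UNIX only."""
    fd, path = tempfile.mkstemp(prefix="sslconfig-", suffix=".ini")
    try:
        with os.fdopen(fd, "w") as f:
            f.write(SAMPLE_SSLCONFIG)
        os.chmod(path, mode)
        return readable_by_others(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    cfg = parse_sslconfig(SAMPLE_SSLCONFIG)
    print(validate_sslconfig(cfg) or ["sslconfig.ini looks complete"])
    print("mode 0600 readable by others:", write_sample_and_check(0o600))
    print("mode 0644 readable by others:", write_sample_and_check(0o644))
```

On the instance itself, call validate_sslconfig with keystore_exists=os.path.isfile and run readable_by_others against INSTHOME's sslconfig.ini; both the keystore and this file should be readable by the instance owner and nobody else.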