Secure Socket Layer (SSL) implementation in Db2

-

Db2 supports the use of Secured Socket Layer (SSL) to enable authentication through digital certificates, and to provide private communication between the client and the server via encryption to encrypt data in-transit. The SSL support is provided through the IBM Global Security Kit (GSKit) libraries that are installed on the Db2 server.

Implement SSL using the following steps:

Create a key database:

gsk8capicmd_64 -keydb -create -db "KeyDB.kdb" -pw "Passw0rd" -stash

The -stash option creates a stash file with an extension of.sth. This stash file will be used by the GSKit to obtain the password during the instance restart

 Configure digital certificates.

Add a digital certificate for your server to the key database. The server sends this certificate to clients during the SSL handshake to provide authentication for the server.

gsk8capicmd_64 -cert -create -db "KeyDB.kdb" -pw "Passw0rd"  -label "MyKeyDBLabel" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA" -size 2048 -sigalg SHA256_WITH_RSA;

Configure the necessary Db2 database manager configuration parameters and registry variables for SSL.

ssl_svr_keydb: Specifies the key file to be used for SSL setup at server-side. The default is NULL. If this is set to NULL, SSL support is disabled.

UPDATE DBM CFG USING SSL_SVR_KEYDB /home/db2inst1/sqllib/security/keystore/KeyDB.kdb;

ssl_svr_stash: Specifies a fully qualified file path for the stash file to be used for SSL setup at the server-side. The default is NULL. If this is set to NULL, SSL support is disabled.

UPDATE DBM CFG USING SSL_SVR_STASH home/db2inst1/sqllib/security/keystore/mydbserver.sth;

ssl_svr_label: Specifies a label of the personal certificate of the server in the key database. The default is NULL. If this set to NULL, the default certificate in the key database is used. If there is no default certificate in the key database, SSL support is disabled.

UPDATE DBM CFG USING SSL_SVR_LABEL MyKeyDBLabel;

ssl_svcename: Specifies the name of the port that a database server uses to await communications from remote client nodes using SSL protocol.

UPDATE DBM CFG USING SSL_SVCENAME db2inst1_ssl_port;

DB2COMM: This registry variable specifies communication protocols for the current Db2 instance.

db2set DB2COMM=SSL

If you want to allow both SSL and TCPIP communications, you can set the DB2COMM registry variable to both SSL and TCPIP.

 db2set DB2COMM=SSL,TCPIP

ssl_cipherspecs: Specifies the cipher suites that the server allows for incoming connection requests when using the SSL protocol. The default is NULL. If this is set to NULL, the GSKit will pick the strongest available cipher suite.

UPDATE DBM CFG USING SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384;

Restart the database instance:

db2stop; db2start

Comments

Post a Comment

Popular posts from this blog

Db2 export command example using file format (del , ixf)

-
You want to transfer data from a db2 database table to another db2 database or within the same database, one of the way is to use db2 export / import command. Using db2 export / import you can move your data to excel also.   DB2 export command exports data selected by SQL statement from a table or view to an external files in the format of  del - delimited , wsf - worksheet format , ixf - Integration Exchange Format,asc.   The DEL format uses delimiter and column separator and decimal point. The default string delimiter is double quote " and column separator is comma(,) and Decimal Point is dot(.), you can also specify your own string delimiter & column separator, decimal point. Another format supported by DB2 is   IXF (Integration Exchange Format). It is a generic relational database exchange format which supports an end-of-record delimiter . IXF architecture supports to exchange of relational database structures and data. IXF is used for transferring data ...
Read more

How to fix DB2 Tablespace OFFLINE state issue?

-
Sometimes we face an error where one (or more) of our db2 tablespaces goes offline caused by loads, DB crashes, abnormal db2 services/or server shutdown, etc. So in this blogpost let us see how can we check which tablespace is in OFFLINE state and bring back tablespace’s state to ONLINE.   Finding TableSpace State To check which tablespace is OFFLINE, execute the below command: SYNTAX: db2 connect to <database_name> db2 list tablespaces |egrep -i "ID|Name|State" db2 list tablespaces show detail   If u see Tablespace state with 0x4000, then that tablespace is in Offline state There are 2 methods to resolve the tablespace from offline to online as below. Method1: We can execute below DB2 commands to take off tablespace's OFFLINE state.   db2 terminate db2 force application all db2 connect to <database_name>   Method 2:  Perform ALTER Tablespace command to bring the tablespace up while the rest of the database is still up...
Read more

Phases of a load operation

-
A complete load operation consists of five distinct phases; they are as follows: Analyze phase Load phase Build phase Delete phase Index copy phase Analyze phase:  This phase of the Load process is only utilized when a column-organized table is being loaded and the column compression dictionaries need to be built. This happens during a LOAD REPLACE operation, a LOAD REPLACE RESETDICTIONARY operation, a LOAD REPLACE RESETDICTIONARYONLY operation, or a LOAD INSERT operation (if the column-organized table is empty). For column-organized tables, this phase is followed by the load, build, and delete phases. The following diagram showcases the steps involved in the analyze phase. The analyze phase is invoked if you are loading data for the first time into a column-organized BLU acceleration table using LOAD INSERT, or running a LOAD REPLACE with RESETDICTIONARY or RESETDICTIONARYONLY clause. Load phase:  During this phase, data is loaded into the table, and index keys and table stat...
Read more