DB2 on SSL - stanislawbartkowski/wikis GitHub Wiki

DB2 server

How to enable SSL for DB2 server: https://github.com/stanislawbartkowski/wikis/wiki/DB2-HADR#db2-on-tls

DB2 command-line client

https://github.com/stanislawbartkowski/wikis/wiki/DB2-HADR#db2-client-on-ssl

Java client

DB2 Instance server

Find the location of the certificate Keystore and the certificate label.

db2 get dbm cfg | grep -i SSL_SVR_KEYDB

SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/security/db2.kdb

db2 get dbm cfg | grep -i SSL_SVR_LABEL

 SSL server certificate label            (SSL_SVR_LABEL) = db2

Export server certificate.

gsk8capicmd_64 -cert -extract -db /home/db2inst1/security/db2.kdb -label db2 -target /tmp/db2.arm -format ascii -fips -stashed

Copy the extracted certificate (/tmp/db2.arm, public data only) to the client machine. The key database (db2.kdb) and its stash file (db2.sth) hold the private key and must stay on the server.

Client machine

Create the truststore and import the certificate. keytool prompts for a keystore password (secret in the examples below); the same password is later passed in the JDBC URL. Before answering the "Trust this certificate?" prompt, compare the fingerprint keytool prints with the fingerprint of the certificate on the server, so that a certificate substituted in transit is not trusted.

cd /home/db2inst1/client
keytool -importcert -alias db2 -file /tmp/db2.arm -keystore server.jks

JDBC URL

To enable TLS, the DB2 JDBC URL needs the following additional parameters. They are appended after the database name, introduced by a colon and each terminated by a semicolon.

| Parameter | Description | Sample value |
|---|---|---|
| sslConnection | Enable SSL/TLS transport | sslConnection=true |
| sslTrustStoreLocation | Path to the Java truststore (JKS) holding the server certificate | sslTrustStoreLocation=/home/db2inst1/client/server.jks |
| sslTrustStorePassword | Truststore password | sslTrustStorePassword=secret |

Example of a full URL string. Note that the truststore password is part of the URL, so the URL must not be printed or logged.

jdbc:db2://db1.sb.com:50010/SAMPLE:sslConnection=true;sslTrustStoreLocation=/home/db2inst1/client/server.jks;sslTrustStorePassword=secret;
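The following program is an added example, not code from the wiki page or from the DB2 driver. It covers both client steps above in one place: it builds the truststore from the exported db2.arm file itself instead of with keytool, refusing the certificate unless its SHA-256 fingerprint matches a value obtained out-of-band from the server (the EXPECTED_SHA256 placeholder is hypothetical and must be replaced), and it connects with the SSL parameters passed as java.util.Properties so that the truststore password is never embedded in the URL string. Host, port, database, paths and the password "secret" reuse the page's sample values; the DB2_PASSWORD environment variable is an assumption of this example.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.util.Properties;

public class SecureDb2Client {

    // Sample values from the wiki page
    private static final Path SERVER_CERT = Paths.get("/tmp/db2.arm");
    private static final Path TRUSTSTORE = Paths.get("/home/db2inst1/client/server.jks");
    // Hypothetical placeholder: replace with the SHA-256 fingerprint computed on the DB2 server
    // from the same db2.arm file, obtained over a channel other than the one being secured.
    private static final String EXPECTED_SHA256 = "REPLACE-WITH-SERVER-SIDE-FINGERPRINT";

    /** SHA-256 over the DER encoding, formatted like keytool/openssl (AA:BB:...). */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    /** Parses the PEM ("-format ascii") certificate exported with gsk8capicmd_64. */
    static X509Certificate loadPem(Path pem) throws Exception {
        try (InputStream in = Files.newInputStream(pem)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /** Same effect as "keytool -importcert", but only after the fingerprint and validity checks pass. */
    static void buildTruststore(Path pem, Path jks, char[] storePass, String expectedFp) throws Exception {
        X509Certificate cert = loadPem(pem);
        String fp = sha256Fingerprint(cert);
        if (!fp.equalsIgnoreCase(expectedFp)) {
            throw new SecurityException("Server certificate fingerprint mismatch: " + fp);
        }
        cert.checkValidity();                 // fail early on an expired or not-yet-valid certificate
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                  // start from an empty store
        ks.setCertificateEntry("db2", cert);  // alias chosen to match the server's SSL_SVR_LABEL
        try (OutputStream out = Files.newOutputStream(jks)) {
            ks.store(out, storePass);
        }
    }

    /** Connects with the SSL settings in Properties; the URL itself carries no secrets. */
    static Connection connect(String host, int sslPort, String db, String user, String password,
                              Path jks, char[] storePass) throws Exception {
        String url = "jdbc:db2://" + host + ":" + sslPort + "/" + db;
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        props.setProperty("sslConnection", "true");
        props.setProperty("sslTrustStoreLocation", jks.toString());
        props.setProperty("sslTrustStorePassword", new String(storePass));
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws Exception {
        String dbPassword = System.getenv("DB2_PASSWORD");  // assumption of this example
        if (dbPassword == null) {
            throw new IllegalStateException("set DB2_PASSWORD in the environment");
        }
        char[] storePass = "secret".toCharArray();  // the page's sample value
        buildTruststore(SERVER_CERT, TRUSTSTORE, storePass, EXPECTED_SHA256);
        try (Connection con = connect("db1.sb.com", 50010, "SAMPLE", "db2inst1", dbPassword,
                                      TRUSTSTORE, storePass);
             Statement st = con.createStatement();
             ResultSet rs = st.executeQuery("SELECT COUNT(*) FROM SYSCAT.TABLES")) {
            rs.next();
            System.out.println("Num of tables " + rs.getInt(1));
        }
    }
}
```

The fingerprint comparison is the check that a self-signed server certificate needs: keytool will happily import whatever file it is given, and a truststore containing an attacker's certificate makes sslConnection=true worthless. Passing sslTrustStorePassword through Properties rather than the URL also keeps it out of driver traces and exception messages that echo the URL.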

Example of simple Java code connecting to DB2 using secure transport.

The following exception can be thrown by the Java client:

Reply.fill() - socketInputStream.read (-1).  Message: The server selected protocol version TLS11 is not accepted by client preferences [TLS12]. ERRORCODE=-4499, SQLSTATE=08001

https://stackoverflow.com/questions/33008332/how-to-reactivate-tls1-0-in-jre8u60

The server negotiated TLS 1.1, but the JVM accepts only TLS 1.2: since JDK 8u291 (and 11.0.11) the jdk.tls.disabledAlgorithms security property lists TLSv1 and TLSv1.1. The quick workaround is to change that property before the first connection is opened, for example with Security.setProperty("jdk.tls.disabledAlgorithms", ""). An empty value, however, re-enables every disabled algorithm (SSLv3, RC4, MD5-based signatures and more), so remove only TLSv1.1 from the list, as the code below does, and treat even that as a stopgap. The proper fix is on the server: set the SSL_VERSIONS database manager configuration parameter to TLSV12 so that DB2 offers TLS 1.2 and the JVM defaults can stay untouched.

import java.security.Security;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Arrays;
import java.util.stream.Collectors;

public class Main {

//    private static final String URL = "jdbc:db2://db1.sb.com:50000/SAMPLE";   // plain-text port
    private static final String URL = "jdbc:db2://db1.sb.com:50010/SAMPLE:sslConnection=true;";
    private static final String TRUSTSTORE = "/home/db2inst1/client/server.jks";
    private static final String TRUSTPASSWORD = "secret";

    private static Connection connect(String url, String user, String password) throws SQLException {
        // The truststore password becomes part of the URL, so only the base URL is printed
        String secureURL = url + "sslTrustStoreLocation=" + TRUSTSTORE + ";sslTrustStorePassword=" + TRUSTPASSWORD + ';';
        System.out.println("Connecting to " + url);
        return DriverManager.getConnection(secureURL, user, password);
    }

    // Workaround for ERRORCODE=-4499 when the server offers only TLS 1.1: drop just TLSv1.1 from
    // jdk.tls.disabledAlgorithms instead of clearing it, which would also re-enable SSLv3, RC4, MD5, etc.
    // Must run before the first TLS handshake; the real fix is TLS 1.2 on the server (SSL_VERSIONS).
    private static void allowTls11() {
        String disabled = Security.getProperty("jdk.tls.disabledAlgorithms");
        if (disabled == null) return;
        String narrowed = Arrays.stream(disabled.split(","))
                .map(String::trim)
                .filter(a -> !a.equalsIgnoreCase("TLSv1.1"))
                .collect(Collectors.joining(", "));
        Security.setProperty("jdk.tls.disabledAlgorithms", narrowed);
    }

    public static void main(String[] args) throws SQLException {
        allowTls11();
        // Credentials are hard-coded only for the demo; read them from the environment in real code
        try (Connection con = connect(URL, "db2inst1", "db2inst1");
             Statement st = con.createStatement();
             ResultSet res = st.executeQuery("SELECT COUNT(*) FROM SYSCAT.TABLES")) {
            res.next();
            int num = res.getInt(1);
            System.out.println("Num of tables " + num);
        }
    }

}

Connect from DBeaver

Use the following trick: in the connection settings, append :sslConnection=true; to the database name, paying attention to the leading colon and the trailing semicolon. The sslTrustStoreLocation and sslTrustStorePassword parameters from the table above can be appended in the same way.