Before you begin
There are a few placeholders in the commands below that you need to replace with values from your own environment:
db2instance – Replace this with the name of your DB2 instance (the instance owner's user ID, whose home directory holds sqllib).
CN=<Server Host> – Replace it with your server's host name (the name clients will use to connect).
OU=<Organization Unit> – Replace it with your organizational unit.
L=<Server Location> – Replace it with the server's physical location (city).
ST=<Server State> – Replace it with the server's state or province.
C=<Server Country> – Replace it with the server's two-letter country code.
label – Replace it with a label of your choice (this page uses IBM_CA_signed for the server certificate and IBMCA_Root / IBMCA_Intermediate for the CA certificates).
Password – A key database password of your choice. It is written to the stash (.sth) file, so protect that file as carefully as the key database itself.
Adjusting the db2profile
1. First verify that GSKit is available in your DB2 installation path, for example with which gsk8capicmd_64. (Note that you may have a standalone GSKit installed on your system as well.)
2. Go to the GSKit directory in the DB2 installation path, /home/<db2instance>/sqllib/gskit/bin. If that directory exists you will see the gsk8capicmd_64 command there.
3. If you found GSKit in step 2, modify the db2profile to add the following so that the GSKit bundled with DB2 is found first:
### Added to set the GSKIT PATH
PATH=/home/<db2instance>/sqllib/gskit/bin:$PATH; export PATH
4. Source the db2profile again after the change.
5. Repeat step 1 (which gsk8capicmd_64) to confirm that it now returns the path under sqllib/gskit/bin.
Note – If you do not find GSKit installed on your system you need to install it from IBM Fix Central.
Creating Certificate KeyStores
Step 1. Log in to the DB2 server (for example with PuTTY) as the instance owner.
Step 2. Create a separate directory for the signer certificates, the key database and the stash file, and restrict it to the instance owner (chmod 700): the key database will hold the server's private key. This page uses /home/<db2instance>/db2_ssl.
Step 3. Use the gsk8capicmd_64 command to create the key database. The -stash option also writes the password, obfuscated, to a .sth file so that the instance can open the key database without prompting:
gsk8capicmd_64 -keydb -create -db "db2_ssl_keydb.kdb" -pw "<password>" -type cms -stash
Note – You should now have 4 new files in /home/<db2instance>/db2_ssl: the key database (.kdb), the request database (.rdb), the certificate revocation list file (.crl) and the stash file (.sth).
Step 4. Create a Certificate Signing Request (CSR) file:
gsk8capicmd_64 -certreq -create -db "db2_ssl_keydb.kdb" -pw "<password>" -label "IBM_CA_signed" -dn "CN=<Server Host>, O=IBM, OU=<Org Unit>, L=<Server Location>, ST=<Server State>, C=<Server Country>" -file db2_ssl_ibmca_certreq.csr -size 2048 -sigalg SHA512WithRSA
A new file with the .csr extension (db2_ssl_ibmca_certreq.csr) is created. The matching private key is generated inside the key database and never leaves the server; only the CSR is sent to the CA.
Step 5. Display the CSR file (for example with cat).
You will see the request as a PEM-encoded text block; this is what you will paste into the IBM CA request form in the next section.
Requesting Certificate on IBM CA website
1. Go to IBM CA website
2. Select Server Certificates
3. Select Create Profile
Note – You can use your existing profile if you already have one.
4. Fill in the details – Profile Information
* The label is for you to identify your server.
5. Fill in the details – Certificate Fields
CN – Your server host name
OU – Your organizational unit
C – Country where the server is located
L, S – Server location (city and state)
Note – You can fill in the same information that you used when generating the request file in the previous section.
6. Fill in the details – Description
7. Fill in the details – Owner and MAD Address
Add owners to the certificate: you can add a team member who can back you up and/or your project manager. A certificate may have multiple owners.
The MAD reference is your server host name or alias. You can search for your server in the MAD DB site; there is a link beside the input box.
8. Click on Submit. This creates your profile.
9. On the next screen you will see a "Request Certificate" button; click on it.
10. Select the copy-and-paste option and paste the whole contents of your CSR file (displayed in "Creating Certificate KeyStores", Step 5).
11. Select your approving manager.
12. Submit the request.
13. Once you have your approval, follow the steps in the next section.
Downloading Certificates from IBM CA
Step 1. Once the approval is in place, you will receive an email from the service machine.
It will contain download links for the IBMRoot and IBMIntermediate certificates.
Download both certificates (IBMRoot and IBMIntermediate).
Alternatively you can download them from the IBM CA website -> Certificates tab -> at the bottom of the page.
Step 2. Go to the IBM CA website.
Select the Certificates tab → select your server label from the list.
On the next screen select "CRT File" from the Action dropdown and click on the arrow ">" to download it.
Now you have the third file.
Step 3. You now have three files in total (two .der files and one .crt file):
IBMRoot (carootcert.der), IBMIntermediate (caintermediatecert.der) and cert.crt
Copy all three files to the DB2 server with scp or sftp (rather than plain FTP, which transfers them unauthenticated and in the clear) and place them in the directory you created earlier, db2_ssl in our example. These files contain only public certificates, but you still want to be sure they arrive unmodified.
Now you need to install the certificates into the key database.
Run the following commands
Step 1. Add the root certificate to the key store
gsk8capicmd_64 -cert -add -db "db2_ssl_keydb.kdb" -pw "<password>" -label "IBMCA_Root" -file carootcert.der -format binary -fips
Step 2. Add the intermediate certificate to the key store
gsk8capicmd_64 -cert -add -db "db2_ssl_keydb.kdb" -pw "<password>" -label "IBMCA_Intermediate" -file caintermediatecert.der -format binary -fips
Step 3. Receive the signed server certificate into the key store. GSKit matches it to the pending request by its public key and stores it under the request's label (IBM_CA_signed); -default_cert yes makes it the default certificate of the key database.
gsk8capicmd_64 -cert -receive -file cert.crt -db db2_ssl_keydb.kdb -pw "<password>" -format binary -default_cert yes
Note – Add the root and intermediate certificates before the receive, otherwise GSKit cannot find the signer of the certificate being received. If the CA delivered cert.crt as PEM text (a file beginning with -----BEGIN CERTIFICATE-----) rather than DER, use -format ascii instead of -format binary.
Step 4. Validate
Run the following command to list the certificates (the -stashed option reads the password from the stash file instead of taking it on the command line):
gsk8capicmd_64 -cert -list -db db2_ssl_keydb.kdb -stashed
You should see three certificates in your key store: IBMCA_Root, IBMCA_Intermediate and IBM_CA_signed.
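The server-side steps from "Creating Certificate KeyStores" and the certificate-install steps above, collected into one parameterised script. This is an added example, not code from the original page: the variable names (DB2_SSL_DIR, KEYDB_PW, CERT_*), the DRY_RUN switch and the run/install sub-commands are this example's own assumptions, while the gsk8capicmd_64 invocations are the ones used on this page (with -stashed in place of repeating -pw after the key database exists, as the page's own list command does). It refuses to run while any placeholder is still unfilled, creates the directory with mode 700 and a restrictive umask, and never takes the password from the command line more than once.

```sh
#!/bin/sh
# Added example (not from the original page): server-side key database, CSR
# and chain install for DB2 SSL. Variable names, DRY_RUN and the sub-command
# names below are assumptions of this example.
#
#   DB2_SSL_DIR=/home/db2inst1/db2_ssl KEYDB_PW='...' CERT_CN=db2.example.com \
#   CERT_OU=DBA CERT_L=Austin CERT_ST=TX CERT_C=US sh db2_ssl_server.sh run
#   DB2_SSL_DIR=/home/db2inst1/db2_ssl sh db2_ssl_server.sh install
# Set DRY_RUN=1 to print the commands instead of executing them.

# Refuse to continue if a required variable is empty or still a <placeholder>.
require_var() {
    name=$1
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "ERROR: $name is not set" >&2; return 1
    fi
    case $value in
        *'<'*'>'*) echo "ERROR: $name still holds a placeholder: $value" >&2; return 1 ;;
    esac
}

# Distinguished name in the same layout as the page's -certreq command.
build_dn() {
    printf 'CN=%s, O=IBM, OU=%s, L=%s, ST=%s, C=%s' \
        "$CERT_CN" "$CERT_OU" "$CERT_L" "$CERT_ST" "$CERT_C"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the key database (+ stash) and the CSR. The password is given once,
# at creation; the later commands use -stashed so it does not reappear.
create_keydb_and_csr() {
    for v in DB2_SSL_DIR KEYDB_PW CERT_CN CERT_OU CERT_L CERT_ST CERT_C; do
        require_var "$v" || return 1
    done
    umask 077   # .kdb/.sth/.rdb/.crl readable by the instance owner only
    mkdir -p "$DB2_SSL_DIR" && chmod 700 "$DB2_SSL_DIR" && cd "$DB2_SSL_DIR" || return 1
    run gsk8capicmd_64 -keydb -create -db db2_ssl_keydb.kdb -pw "$KEYDB_PW" -type cms -stash || return 1
    run gsk8capicmd_64 -certreq -create -db db2_ssl_keydb.kdb -stashed \
        -label IBM_CA_signed -dn "$(build_dn)" \
        -file db2_ssl_ibmca_certreq.csr -size 2048 -sigalg SHA512WithRSA
}

# Add the CA chain, then receive the signed certificate (stored under the
# request's label, IBM_CA_signed) and make it the default; finally list.
install_chain() {
    require_var DB2_SSL_DIR || return 1
    cd "$DB2_SSL_DIR" || return 1
    for f in carootcert.der caintermediatecert.der cert.crt; do
        [ "${DRY_RUN:-0}" = 1 ] || [ -f "$f" ] || { echo "ERROR: $f not found in $DB2_SSL_DIR" >&2; return 1; }
    done
    run gsk8capicmd_64 -cert -add -db db2_ssl_keydb.kdb -stashed -label IBMCA_Root -file carootcert.der -format binary -fips || return 1
    run gsk8capicmd_64 -cert -add -db db2_ssl_keydb.kdb -stashed -label IBMCA_Intermediate -file caintermediatecert.der -format binary -fips || return 1
    run gsk8capicmd_64 -cert -receive -db db2_ssl_keydb.kdb -stashed -file cert.crt -format binary -default_cert yes || return 1
    run gsk8capicmd_64 -cert -list -db db2_ssl_keydb.kdb -stashed
}

case ${1:-} in
    run)     create_keydb_and_csr ;;
    install) install_chain ;;
esac
```

Run it as the instance owner on the DB2 server. Running once with DRY_RUN=1 before the real run lets you review every gsk8capicmd_64 command, including the assembled -dn string, without touching the key database.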
Configuring DBM CFG - Server side
Step 1. Configure the DBM configuration (on the DB2 server):
db2 update dbm cfg using SSL_SVR_KEYDB /home/<db2instance>/db2_ssl/db2_ssl_keydb.kdb
db2 update dbm cfg using SSL_SVR_STASH /home/<db2instance>/db2_ssl/db2_ssl_keydb.sth
db2 update dbm cfg using SSL_SVR_LABEL <Default Certificate Label>
Note – Only set the label of the server certificate, which in this example is IBM_CA_signed (the label given to the CSR and reused when the signed certificate was received). DB2 automatically sends the rest of the certificate chain from the same key database.
Note – The instance also has to listen for SSL: set the SSL_SVCENAME dbm cfg parameter to the port that will accept SSL connections (the secure port that clients catalog later, distinct from SVCENAME) and make sure the DB2COMM registry variable includes SSL. Without both, no TLS listener is started.
Step 2. Recycle (stop and start) the DB2 instance so that the new settings take effect.
Configuring SSL on Client side
Here are the steps to configure SSL on Client side:
Step 1. Download the IBM CA root certificate (carootcert.der). This is a binary-encoded DER-format certificate. Save it somewhere convenient. The root alone is enough for the client: the server sends its own certificate and the intermediate during the handshake, and the client only needs the trust anchor at the top of that chain.
Step 2. Create a new folder where you will store all client SSL files, /home/<db2instance>/SSL_CLIENT in this example.
Step 3. Copy carootcert.der (scp or sftp) to /home/<db2instance>/SSL_CLIENT
Step 4. Use GSKit to create a key database by running the following command:
/home/<db2instance>/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "/home/<db2instance>/SSL_CLIENT/ibmca.kdb" -pw "<password>" -stash
Step 5. For Linux and Mac users, make sure that the user IDs that will connect (your own user ID as well as the DB2 instance ID) can read the key database and stash files. The following commands do this by making the files readable by every user on the system:
chmod 775 /home/<db2instance>/SSL_CLIENT/ibmca.kdb
chmod 775 /home/<db2instance>/SSL_CLIENT/ibmca.sth
Note – The stash file holds the key database password in recoverable form, so anyone who can read it can open the key database, and anyone who can write to the key database can add a trust anchor of their own. Prefer giving the files to a group that contains only the connecting user IDs and granting mode 640 rather than 775; the execute bit is never needed on these files.
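A check for the permissions set in Step 5, added here as an example and not part of the original page. The function names and the policy it enforces (no access at all for "other", no write bit for group) are this example's own choices; it flags the 775 mode above and accepts 640 or tighter.

```sh
#!/bin/sh
# Added example (not from the original page): verify that a GSKit client key
# database and its stash file are not exposed more widely than needed.
# Policy (this example's choice): no "other" access, no group write.

# Return 0 if the file exists and its mode grants nothing to "other" and no
# write bit to group; print the reason and return 1 otherwise.
keystore_file_perms_ok() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    # Permission string from ls, e.g. "rw-r-----" (characters 2-10 of "-rw-r-----").
    perms=$(ls -ld "$f" | cut -c2-10)
    group=$(printf '%s' "$perms" | cut -c4-6)
    other=$(printf '%s' "$perms" | cut -c7-9)
    case $group in
        *w*) echo "group-writable ($perms): $f" >&2; return 1 ;;
    esac
    case $other in
        ---) ;;
        *)   echo "accessible to all users ($perms): $f" >&2; return 1 ;;
    esac
    return 0
}

# Check both files of a key database, given the path of the .kdb file;
# the stash file is assumed to sit beside it with the .sth extension.
client_keydb_perms_ok() {
    kdb=$1
    sth=${kdb%.kdb}.sth
    keystore_file_perms_ok "$kdb" && keystore_file_perms_ok "$sth"
}

# Usage: sh check_keydb_perms.sh /home/<db2instance>/SSL_CLIENT/ibmca.kdb
case ${1:-} in
    ?*) client_keydb_perms_ok "$1" ;;
esac
```

Run it after the chmod step (and again after any change of ownership); a non-zero exit with the printed reason means the key database or stash file is readable or writable by more accounts than the connecting users.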
Step 6. Update your DB2 client environment to look for this key database:
db2 update dbm cfg using SSL_CLNT_KEYDB /home/<db2instance>/SSL_CLIENT/ibmca.kdb
db2 update dbm cfg using SSL_CLNT_STASH /home/<db2instance>/SSL_CLIENT/ibmca.sth
db2 force application all
Step 7. Import the IBM CA root certificate (as downloaded in step 1) into the GSKit key database:
/home/<db2instance>/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "/home/<db2instance>/SSL_CLIENT/ibmca.kdb" -pw "<password>" -label "IBMRoot" -file "/home/<db2instance>/SSL_CLIENT/carootcert.der" -format binary
Step 8. Finally, catalog the DB2 connection using SSL. Note that you need to know the secure port number of the database server you want to connect to: this is the server's SSL_SVCENAME port, not its regular SVCENAME port.
db2 catalog tcpip node <node_name> remote <hostname> server <sslport> security ssl
db2 catalog db <db_name> as <db_alias> at node <node_name> authentication SERVER_ENCRYPT
Step 9. Test the connection as normal:
db2 connect to <db_alias> user <user_id>