Professional Documents
Culture Documents
Boston, MA
1
Agenda
• Where to encrypt? What is SSL/TLS?
• Learn about IBM GSKit, certificates and self-signed certificates and
configure the server side of TLS encryption
• Configure the client side of TLS encryption for CLI, ODBC and JDBC
• Troubleshooting and verify your configuration, select the right
ciphers for encryption
• Current issues, open RFEs aka AHA ideas
2
Moments of Encryption
• Encryption during Authentication
• Transmission of encrypted login credentials
• Encryption in use
• Encryption of single columns (by application code)
• Encryption in motion
• Data transmission over the wire is encrypted
• Encryption at rest
• Encryption of database and transaction log files on disk, tapes, etc.
3
Default Configuration
• Db2's default configuration is still based on assumptions of Db2 for OS/2.
At that time simple configuration was preferred over security.
• By default just simple authentication with plain text passwords over the wire
• db2 get dbm cfg | fgrep AUTHENTICATION Default is SERVER
• At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of
encrypted passwords over the wire during Connect
• Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were
not prepared for modern encryption
• Data is still transferred unencrypted
• Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated)
4
AUTHENTICATION = SERVER_ENCRYPT
• Db2 engine takes care of encryption
• Beside db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT other params
have to be set to close other issues:
db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP
db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC,
TRUSTEDCLIENT_SRVRENC
• DISABLE_CHGPASS disables password change during connect
• OSAUTHDB points to local OS for user and group enumeration
• JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4)
• If you still have (very) old clients, set this option temporarily and monitor
db2diag.log
• db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
5
Encryption with SSL
• SSL is the synonym for encrypted communication via Secure Sockets
Layer
• SSL 1.0 was never published as standard
• SSL 2.0 published February 1995; used until ~2011, deprecated due to security
flaws
• SSL v3, last version, deprecated, unsafe (e.g. POODLE attack).
• TLS stands for Transport Layer Security and is successor of SSL
• TLS 1.0 is successor of SSL v3
• TLS 1.1 published April 2006 and also has flaws
• TLS 1.2 came in 2008 and was more widely used since the flaws of TLS 1.1 came up
• TLS 1.3 is current since August 2018
6
IBM Global Security Kit (1|2)
• Which SSL/TLS version is supported by Db2?
• Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit
aka GSKit for it
• GSKit is the OS extension for encrypted socket communication
https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit-
installation-gskit
• GSKit gets automatically installed with server install. It's a separate install for
Db2 client code
• GSKit has the Highlander principle: There can only be one!
• It gets especially interesting, if multiple IBM server products ship GSKit
and try to install/use their own:
• E.g. IBM Db2, TSM and MQ on a single machine
7
IBM Global Security Kit (2|2)
• GSKit V8 - Instructions to find current installed version details:
https://www.ibm.com/support/pages/gskit-v8-instructions-find-
current-installed-version-details
• GSKit Versions Shipped with Db2:
https://www.ibm.com/support/pages/gskit-versions-shipped-db2
• TLS 1.3 support for Db2 requires (breaking) changes and is
supported with Db2 11.5.8 or later
8
Configuration steps for TLS encryption
• Create a keyring for the server
• Create a certificate for the server (self-signed or CA-signed)
• Import the certificate in the keyring of the server
9
Db2 server side: Create a keyring
• User db2inst1:
mkdir -p /home/db2inst1/SSL
cd /home/db2inst1/SSL
• echo "Create a keyring:"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db
"Db2_keydb.kdb" -pw "passw0rd" -stash
• Beware:
There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it
seems in some versions the 32-bit path is incorrect and returns "error while
loading shared directories"
• Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
https://www.ibm.com/support/knowledgecenter/de/SSEPGG_10.5.0/com.ibm.db2.luw.
admin.sec.doc/doc/t0025241.html
Example:
$ cat userprofile
AddRemoveString PATH ${INST_DIR}/gskit/bin r
AddRemoveString PATH /usr/opt/ibm/gsk8_64/bin a
10
Db2 server side: Create CA-signed certs
• echo "Create certification request to send to Root CA"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb"
-stashed -label "myserver_db2_4096" -san_dnsname "myserver.de"
-dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096
-sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm"
• echo "Send MyCertRequest.arm to CA to get it signed"
• echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt
-db "Db2_keydb.kdb" -stashed -format ascii
• echo "CA returns: MyServerCert.crt"
• echo "Import of MyServerCert.crt in your keyring"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive
-file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.sec.doc/doc/t0025241.html
For public CA's you need this parameter too: subject alternative name (SAN) or IP
address:
-san_dnsname "hostname,hostname.my.fulldns.site" or -san_ipaddress
See also https://www.ibm.com/developerworks/library/se-gskit/index.html
11
Db2 server side: Create a self-signed
certificate
• echo "Not required by CA-signed certificate! This is an alternative!"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create
-db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000
-dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096
-sig_alg SHA256_WITH_RSA
• echo "Export of public signature for trust_db of clients"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb"
-stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm"
-format ascii -fips
12
Server Certificate comes from public CA
• One customer got the public-signed certificate not as ASCII files
but as a PFX keyring in PKCS12 format:
openssl pkcs12 -nokeys -info -in source_ring.pfx -passin pass:'mypass'
13
How to verify keyring and certificate? (1|2)
• echo "Verify a certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db
"Db2_keydb.kdb" -stashed
• Certificate found:
* Standard, - personal, ! reliable, # secret key
! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
! "CN=ARS Root CA 01,DC=ARS,DC=de"
- myserver_db2_4096
• echo "Verify key database"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db
"Db2_keydb.kdb" -stashed
14
How to verify keyring and certificate? (2|2)
• echo "Verify a new certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label
myserver_db2_4096 -db "Db2_keydb.kdb" -stashed
• Label : myserver_db2_4096
Key length : 4096
Version : X509 V3
Serial : 740000007415c7837855d62d17000000000074
Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
Not valid before : 17. April 2020 11:50:22 MESZ
Not valid after : 20. July 2022 11:50:22 MESZ
15
Configuration Server
• echo "Instance configuration"
db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth
db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096
db2 update dbm cfg using SSL_VERSIONS TLSV12
• echo "Insert SSL port in /etc/services file"
vi /etc/services
REM start notepad c:\windows\system32\drivers\etc\services
REM Append a line like: db2c_tlsinst1 50443
• echo "Set SSL_SVCENAME to port name and set DB2COMM"
db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1
db2set DB2COMM=SSL,TCPIP
• echo "Check if max_connections <= max_coordagents Connection Concentrator=OFF"
• echo "Restart Instance to bring changes into effect"
db2stop && sleep 5 && db2start
Before you configure TLS support, complete the following prerequisite steps:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.sec.doc/doc/t0025241.html
Ensure that the connection concentrator is not activated. TLS support is not enabled in
the Db2 instance when the connection concentrator is running. Determine whether the
connection concentrator is activated by running the GET DATABASE MANAGER
CONFIGURATION command. If the configuration parameter max_connections is set to a
value greater than the value of max_coordagents, connection concentrator is activated.
16
Verify server setup
• Under Linux the openssl command has an option to connect and
establish a session via SSL/TLS
openssl s_client -servername myServer -connect myServer:50443
• This can help to debug session negotiation, certificates, etc.
• End the openssl session with 'Q' or Ctrl+C
17
Expired Server certificate (1|2)
• Entry in db2diag.log when the CA signed server certificate expires
2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
PID : 6292094 TID : 292736 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB :
HOSTNAME: myhost
EDUID : 292736 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
return code "401" in "sqlccSSLSocketSetup".
• On client side
SQL30081N A communication error has been detected. Communication protocol
being used: "SSL". Communication API being used: "SOCKETS". Location where
the error was detected: "". Communication function detecting the error:
"sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*".
SQLSTATE=08001
18
Expired Server certificate (2|2)
• During expiration server will continue to run, but fails to start SSL
listener on restart.
• Certificate validity dates can be retrieved via openssl:
echo -n Q | openssl s_client -servername myServer -connect myServer:50443
| openssl x509 -noout -dates
• Or check directly for certificate expiration within next 7 days
(7 days = 7*24*3600 = 604800 seconds)
echo -n Q | openssl s_client -servername myServer -connect myServer:50443
| openssl x509 -noout –checkend 604800
https://www.cyberciti.biz/faq/find-check-tls-ssl-certificate-expiry-date-from-linux-unix/
19
HADR and SSL
• SSL for HADR has to be configured on the database side
• Create keyrings and truststores on both sides, include Client side
configuration on the other server and vice versa
• In database configuration use label accordingly
HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel
HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
20
Configuration of CLI Client (1|2)
• echo "Install GSKit on client machine (Fix central: Tivoli Global Security)"
Install the binaries according to Db2 Knowledge Center
https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions
• echo "Create a client keyring"
mkdir -p ~/SSL && cd ~/SSL
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create
-db "client_trust.kdb" -pw "MyPass" -stash
• echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add
-db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips
• echo "Not required for CA-signed certificates: Import your self-signed certificate"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kbd" -stashed
-label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm
-format ascii -fips
21
Configuration of CLI Client (2|2)
• Update client instance configuration :
db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb
db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth
For Windows Clients, if Root-CA signature is available in Windows Trust Store:
db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
db2 update dbm cfg using SSL_CLNT_STASH NULL
Set PATH and LIB to the according directories for 32-bit and 64-bit binaries:
set PATH=C:\PROGRA~1\IBM\GSKIT\BIN; C:\PROGRA~2\IBM\GSKIT\BIN;%PATH%
set LIB=C:\PROGRA~1\IBM\GSKIT\LIB64;C:\PROGRA~2\IBM\GSKIT\LIB;%LIB%
Achtung:
https://www.ibm.com/support/pages/resolving-gskit-108-reason-9-errors-when-
connecting-dashdbdb2-cloud-db2-clients
22
JDBC connections
• JDBC is simple to configure! Server side configured as above
• Trust Store get's created with Java JDK keytool instead of GSKit :
(In this example with a self-signed certificate)
keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks
-file myserver_db2_public_key.arm -noprompt
keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file
• Remark:
Some applications might use their own JDK and maybe they have a separate trust store then
Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
Complete guide to set up SSL using IBM Data Server Driver for JDBC and SQLJ
https://www.ibm.com/support/pages/complete-guide-set-ssl-using-ibm-data-server-
driver-jdbc-and-sqlj
IBM Data Server Driver for JDBC and SQLJ configuration properties
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.apd
v.java.doc/src/tpc/imjcc_r0052075.html
23
IBM Technote
https://www.ibm.com/support/pages/node/1077081
https://www.ibm.com/support/pages/node/1077081
24
IBM Data Server Driver for ODBC and CLI
• Small footprint drivers for Db2; just unpack ZIP archive and set paths e.g. for Linux
export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver
export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH
• Database can get catalogued via db2cli.ini or db2dsdriver.cfg
Either use sample templates or db2cli commands:
• Examples:
db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter
"SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb"
db2cli validate
db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya'
• Trust store must be in CMS format.
• Root CAs can be included automatically to keyring, if sent as Trust store .arm file on first connect
db2cli.ini:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.apd
v.cli.doc/doc/c0007882.html
db2dsdcfgfill:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.swg.im.dbcli
ent.config.doc/doc/r0054557.html
25
Configuration for WAS Liberty profile
•
26
Hostname validation (Db2 11.5.6+ clients)
• Db2 11.5.6 clients and later can verify the server's hostname that
appears in the server certificate with the name the client is
connection to. This adds another layer of security.
• Client compares to CN or better SAN field of server certificate
• Enabled at client via db2cli.ini SSLClientHostnameValidation=Basic
• If host validation fails, SQL20576N with SQLSTATE 08001 is
returned to the client and a message is logged in db2diag.log
27
Representing Server names in TLS certs
• https://www.ibm.com/docs/en/db2/11.5?topic=instances-
representing-servers-in-certificate
https://www.ibm.com/docs/en/db2/11.5?topic=instances-representing-servers-in-
certificate
28
Check usage of secure connections
• Which application is now using a TLS connection?
SELECT
substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID,
substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME,
substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST,
CLIENT_PROTOCOL AS PROTOCOL,
CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME,
SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID,
SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID,
COUNT(*) AS COUNT
FROM
TABLE ( mon_get_connection( NULL, -2 ))
GROUP BY
CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME,
CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID,
SESSION_AUTH_ID
ORDER BY
1,2,3,4,5,6
29
Ciphers and encryption methods
• https://scotthelme.co.uk/https-cheat-sheet/
30
Ciphers and Db2 (1|2)
• During SSL handshake client and server negotiate the most secure encryption
method. If no compatible method was found, connection fails. The order of
so called Cipher Suites cannot be changed.
• If SSL_VERSIONS was set to TLSv12, following SSL_CIPHERSPECS are usable:
TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
31
Ciphers and Db2 (2|2)
• Configure ciphers in Db2 (length max 255 chars):
db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
32
Support us! (1|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
33
Support us! (2|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
34
Technotes
• Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS:
internal test failed, interface disabled"
https://www.ibm.com/support/pages/node/6356455
Problem:
The internal self-test in GSKit fails when it can't get sufficient
entropy via hardware or software RNG (Random Number
Generation). This can cause the Db2 instance to stop functioning
correctly, and will require a restart of the instance.
35
Further links
• Step-by-Step Instructions to Configure a Secure Database System,
Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121
• Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I
LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3,
https://www.ibm.com/support/pages/apar/IC85574
• SSL/TLS: How to choose your cipher suite
https://technology.amis.nl/2017/07/04/ssltls-choose-cipher-
suite/
36
SSL and Db2 on (IBM) Cloud
• Supporting links to use Db2 on Cloud with SSL/TLS
Short compact configuration guide for Db2 on Cloud:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support
How to connect to Db2 on Cloud, connect options
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options
SSL as requirement for IAM-based authentication
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs
If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly
suggested to protect the token with TLS
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.s
ec.doc/doc/c_token_auth.html
37
Thank You
38