Securing your data

in motion with TLS

Roland Schock
Session Code: G10

Boston, MA

1
Agenda
• Where to encrypt? What is SSL/TLS?
• Learn about IBM GSKit, certificates and self-signed certificates and
configure the server side of TLS encryption
• Configure the client side of TLS encryption for CLI, ODBC and JDBC
• Troubleshooting and verify your configuration, select the right
ciphers for encryption
• Current issues, open RFEs aka AHA ideas

2
Moments of Encryption
• Encryption during Authentication
• Transmission of encrypted login credentials
• Encryption in use
• Encryption of single columns (by application code)
• Encryption in motion
• Data transmission over the wire is encrypted
• Encryption at rest
• Encryption of database and transaction log files on disk, tapes, etc.

3
Default Configuration
• Db2's default configuration is still based on assumptions of Db2 for OS/2.
At that time simple configuration was preferred over security.
• By default just simple authentication with plain text passwords over the wire
• db2 get dbm cfg | fgrep AUTHENTICATION  Default is SERVER
• At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of
encrypted passwords over the wire during Connect
• Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were
not prepared for modern encryption
• Data is still transferred unencrypted
• Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated)

•  Much better: Switch to SSL or TLS session encryption

4
 AUTHENTICATION = SERVER_ENCRYPT
• Db2 engine takes care of encryption
• Beside db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT other params
have to be set to close other issues:
db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP
db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC,
TRUSTEDCLIENT_SRVRENC
• DISABLE_CHGPASS disables password change during connect
• OSAUTHDB points to local OS for user and group enumeration
• JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4)

• If you still have (very) old clients, set this option temporarily and monitor
db2diag.log
• db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG

Siehe auch Db2 Knowledge Center:

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.config.doc/doc/r0000294.html
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.config.doc/doc/r0053734.html
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.sec.doc/doc/c0005435.html
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.regvars.doc/doc/r0005669.html#r0005669__M_DB2AUTH

How to set a valid authentication type at Db2 client

https://www.ibm.com/support/pages/how-set-valid-authentication-type-db2-client

5
Encryption with SSL
• SSL is the synonym for encrypted communication via Secure Sockets
Layer
• SSL 1.0 was never published as standard
• SSL 2.0 published February 1995; used until ~2011, deprecated due to security
flaws
• SSL v3, last version, deprecated, unsafe (e.g. POODLE attack).
• TLS stands for Transport Layer Security and is successor of SSL
• TLS 1.0 is successor of SSL v3
• TLS 1.1 published April 2006 and also has flaws
• TLS 1.2 came in 2008 and was more widely used since the flaws of TLS 1.1 came up
• TLS 1.3 is current since August 2018

6
 IBM Global Security Kit (1|2)
• Which SSL/TLS version is supported by Db2?
• Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit
aka GSKit for it
• GSKit is the OS extension for encrypted socket communication
https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit-
installation-gskit
• GSKit gets automatically installed with server install. It's a separate install for
Db2 client code
• GSKit has the Highlander principle: There can only be one!
• It gets especially interesting, if multiple IBM server products ship GSKit
and try to install/use their own:
• E.g. IBM Db2, TSM and MQ on a single machine

DB2 SSL - GSKit part numbers for Passport Advantage

https://www.ibm.com/support/pages/db2-ssl-gskit-part-numbers-passport-advantage

Verify GSKit Installation

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.swg.tivoli.gs
kit.install.doc/doc/t0062024.html

GSKit Errors explained

https://www.ibm.com/support/knowledgecenter/SSEQVQ_8.1.0/tshoot/r_pdg_retcodes
.html

7
 IBM Global Security Kit (2|2)
• GSKit V8 - Instructions to find current installed version details:
https://www.ibm.com/support/pages/gskit-v8-instructions-find-
current-installed-version-details
• GSKit Versions Shipped with Db2:
https://www.ibm.com/support/pages/gskit-versions-shipped-db2
• TLS 1.3 support for Db2 requires (breaking) changes and is
supported with Db2 11.5.8 or later

DB2 SSL - GSKit part numbers for Passport Advantage

https://www.ibm.com/support/pages/db2-ssl-gskit-part-numbers-passport-advantage

Verify GSKit Installation

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.swg.tivoli.gs
kit.install.doc/doc/t0062024.html

GSKit Errors explained

https://www.ibm.com/docs/en/db2/11.5?topic=errors-gskit-return-codes

8
Configuration steps for TLS encryption
• Create a keyring for the server
• Create a certificate for the server (self-signed or CA-signed)
• Import the certificate in the keyring of the server

9
 Db2 server side: Create a keyring
• User db2inst1:
mkdir -p /home/db2inst1/SSL
cd /home/db2inst1/SSL
• echo "Create a keyring:"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db
"Db2_keydb.kdb" -pw "passw0rd" -stash

• Beware:
There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it
seems in some versions the 32-bit path is incorrect and returns "error while
loading shared directories"
• Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH

https://www.ibm.com/support/knowledgecenter/de/SSEPGG_10.5.0/com.ibm.db2.luw.
admin.sec.doc/doc/t0025241.html

Example:
$ cat userprofile
AddRemoveString PATH ${INST_DIR}/gskit/bin r
AddRemoveString PATH /usr/opt/ibm/gsk8_64/bin a

AddRemoveString LIBPATH ${INST_DIR}/lib64/gskit r

AddRemoveString LIBPATH /usr/opt/ibm/gsk8_64/lib64 a

10
 Db2 server side: Create CA-signed certs
• echo "Create certification request to send to Root CA"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb"
-stashed -label "myserver_db2_4096" -san_dnsname "myserver.de"
-dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096
-sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm"
• echo "Send MyCertRequest.arm to CA to get it signed"
• echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt
-db "Db2_keydb.kdb" -stashed -format ascii
• echo "CA returns: MyServerCert.crt"
• echo "Import of MyServerCert.crt in your keyring"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive
-file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.sec.doc/doc/t0025241.html

For public CA's you need this parameter too: subject alternative name (SAN) or IP
address:
-san_dnsname "hostname,hostname.my.fulldns.site" or -san_ipaddress
See also https://www.ibm.com/developerworks/library/se-gskit/index.html

New with Db2 11.5.8:

https://www.ibm.com/docs/en/db2/11.5?topic=SSEPGG_11.5.0/com.ibm.db2.luw.admi
n.sec.doc/doc/r_import_certs.htm
A san_dnsname is required for accordance of RFC 6125, see
https://www.ibm.com/docs/en/db2/11.5?topic=instances-representing-servers-in-
certificate
It has precendence over the common name CN, which could also contain wildcards

11
Db2 server side: Create a self-signed
certificate
• echo "Not required by CA-signed certificate! This is an alternative!"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create
-db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000
-dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096
-sig_alg SHA256_WITH_RSA
• echo "Export of public signature for trust_db of clients"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb"
-stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm"
-format ascii -fips

• Remark for self-signed certificates:

• They are as secure as CA-signed certs but require more work. More servers must be trusted at clients
and updated over time due to expiration.
• Transfer of the public server signature to the client must be secure to prevent man-in-the-middle
attacks.

12
Server Certificate comes from public CA
• One customer got the public-signed certificate not as ASCII files
but as a PFX keyring in PKCS12 format:
openssl pkcs12 -nokeys -info -in source_ring.pfx -passin pass:'mypass'

• Certificate needs to be imported in one step from the source:

~/sqllib/gskit/bin/gsk8capicmd_64 -cert -import -db source_ring.pfx -pw 'mypass' -label 1
-new_label dest_label -type pkcs12 -target Db2_keydb.kdb -target_pw 'passw0rd'

13
How to verify keyring and certificate? (1|2)
• echo "Verify a certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db
"Db2_keydb.kdb" -stashed
• Certificate found:
* Standard, - personal, ! reliable, # secret key
! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
! "CN=ARS Root CA 01,DC=ARS,DC=de"
- myserver_db2_4096
• echo "Verify key database"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db
"Db2_keydb.kdb" -stashed

14
How to verify keyring and certificate? (2|2)
• echo "Verify a new certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label
myserver_db2_4096 -db "Db2_keydb.kdb" -stashed
• Label : myserver_db2_4096
Key length : 4096
Version : X509 V3
Serial : 740000007415c7837855d62d17000000000074
Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
Not valid before : 17. April 2020 11:50:22 MESZ
Not valid after : 20. July 2022 11:50:22 MESZ

15
 Configuration Server
• echo "Instance configuration"
db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth
db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096
db2 update dbm cfg using SSL_VERSIONS TLSV12
• echo "Insert SSL port in /etc/services file"
vi /etc/services
REM start notepad c:\windows\system32\drivers\etc\services
REM Append a line like: db2c_tlsinst1 50443
• echo "Set SSL_SVCENAME to port name and set DB2COMM"
db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1
db2set DB2COMM=SSL,TCPIP
• echo "Check if max_connections <= max_coordagents  Connection Concentrator=OFF"
• echo "Restart Instance to bring changes into effect"
db2stop && sleep 5 && db2start

Before you configure TLS support, complete the following prerequisite steps:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.sec.doc/doc/t0025241.html

Ensure that the connection concentrator is not activated. TLS support is not enabled in
the Db2 instance when the connection concentrator is running. Determine whether the
connection concentrator is activated by running the GET DATABASE MANAGER
CONFIGURATION command. If the configuration parameter max_connections is set to a
value greater than the value of max_coordagents, connection concentrator is activated.

16
Verify server setup
• Under Linux the openssl command has an option to connect and
establish a session via SSL/TLS
openssl s_client -servername myServer -connect myServer:50443
• This can help to debug session negotiation, certificates, etc.
• End the openssl session with 'Q' or Ctrl+C

17
Expired Server certificate (1|2)
• Entry in db2diag.log when the CA signed server certificate expires
2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
PID : 6292094 TID : 292736 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB :
HOSTNAME: myhost
EDUID : 292736 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
return code "401" in "sqlccSSLSocketSetup".

• On client side
SQL30081N A communication error has been detected. Communication protocol
being used: "SSL". Communication API being used: "SOCKETS". Location where
the error was detected: "". Communication function detecting the error:
"sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*".
SQLSTATE=08001

• Create a new CertRequest, get it signed from your CA and import it

with a different label into the server keyring
db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE

• DBM Config SSL_SVR_LABEL is online updateable since V11.5.2

Check with db2pd -dbmcfg for current value in memory

18
 Expired Server certificate (2|2)
• During expiration server will continue to run, but fails to start SSL
listener on restart.
• Certificate validity dates can be retrieved via openssl:
echo -n Q | openssl s_client -servername myServer -connect myServer:50443
| openssl x509 -noout -dates
• Or check directly for certificate expiration within next 7 days
(7 days = 7*24*3600 = 604800 seconds)
echo -n Q | openssl s_client -servername myServer -connect myServer:50443
| openssl x509 -noout –checkend 604800

https://www.cyberciti.biz/faq/find-check-tls-ssl-certificate-expiry-date-from-linux-unix/

19
HADR and SSL
• SSL for HADR has to be configured on the database side
• Create keyrings and truststores on both sides, include Client side
configuration on the other server and vice versa
• In database configuration use label accordingly
HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel
HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF

20
Configuration of CLI Client (1|2)
• echo "Install GSKit on client machine (Fix central: Tivoli Global Security)"
Install the binaries according to Db2 Knowledge Center
https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions
• echo "Create a client keyring"
mkdir -p ~/SSL && cd ~/SSL
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create
-db "client_trust.kdb" -pw "MyPass" -stash
• echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add
-db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips
• echo "Not required for CA-signed certificates: Import your self-signed certificate"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kbd" -stashed
-label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm
-format ascii -fips

21
 Configuration of CLI Client (2|2)
• Update client instance configuration :
db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb
db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth
For Windows Clients, if Root-CA signature is available in Windows Trust Store:
db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
db2 update dbm cfg using SSL_CLNT_STASH NULL
Set PATH and LIB to the according directories for 32-bit and 64-bit binaries:
set PATH=C:\PROGRA~1\IBM\GSKIT\BIN; C:\PROGRA~2\IBM\GSKIT\BIN;%PATH%
set LIB=C:\PROGRA~1\IBM\GSKIT\LIB64;C:\PROGRA~2\IBM\GSKIT\LIB;%LIB%

• Catalog your node

db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL
db2 catalog db SAMPLE at node INST1SSL

GSKit Return Codes:

https://www.ibm.com/support/knowledgecenter/de/SSEPGG_9.7.0/com.ibm.db2.luw.a
dmin.sec.doc/doc/r0054271.html
and
https://www.ibm.com/docs/en/db2/11.5?topic=errors-gskit-return-codes

Achtung:
https://www.ibm.com/support/pages/resolving-gskit-108-reason-9-errors-when-
connecting-dashdbdb2-cloud-db2-clients

Eine weitere Zusammenfassung:

https://www.ibm.com/developerworks/data/library/techarticle/dm-
1306securesocketlayers/

22
 JDBC connections
• JDBC is simple to configure! Server side configured as above
• Trust Store get's created with Java JDK keytool instead of GSKit :
(In this example with a self-signed certificate)
keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks
-file myserver_db2_public_key.arm -noprompt
keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file

• JDBC connection string looks like:

jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslT
rustStorePassword=cacerts;sslTrustStoreType=JKS;

• Remark:
Some applications might use their own JDK and maybe they have a separate trust store then
Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory

Complete guide to set up SSL using IBM Data Server Driver for JDBC and SQLJ
https://www.ibm.com/support/pages/complete-guide-set-ssl-using-ibm-data-server-
driver-jdbc-and-sqlj

Other good hints:

https://www.ibm.com/support/pages/75-ways-demystify-db2-66-best-practices-ssl-
connection-ibm-db2-jdbc-driverdb2jcc

IBM Data Server Driver for JDBC and SQLJ configuration properties
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.apd
v.java.doc/src/tpc/imjcc_r0052075.html

Keytool common commands

https://www.sslshopper.com/article-most-common-java-keytool-keystore-
commands.html

From Greg Stager:

"Currently the default keystore type in Java is JKS, i.e the keystore format will be JKS if
you don't specify the -storetype while creating keystore with keytool. However, the
default keystore type will be changed to PKCS12 in Java 9because its enhanced
compatibility compared to JKS. You can check the default keystore type at
$JRE/lib/security/java.security file:"
https://www.pixelstech.net/article/1408345768-Different-types-of-keystore-in-Java----
Overview

23
 IBM Technote
https://www.ibm.com/support/pages/node/1077081

• Including details for

mutual aka client
side authentication
(only server-known
clients are allowed
to connect)

https://www.ibm.com/support/pages/node/1077081

24
 IBM Data Server Driver for ODBC and CLI
• Small footprint drivers for Db2; just unpack ZIP archive and set paths e.g. for Linux
export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver
export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH
• Database can get catalogued via db2cli.ini or db2dsdriver.cfg
Either use sample templates or db2cli commands:
• Examples:
db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter
"SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb"
db2cli validate
db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya'
• Trust store must be in CMS format.
• Root CAs can be included automatically to keyring, if sent as Trust store .arm file on first connect

db2cli command syntax:

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.ad
min.cmd.doc/doc/r0002045.html

db2cli.ini:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.apd
v.cli.doc/doc/c0007882.html

db2dsdcfgfill:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.swg.im.dbcli
ent.config.doc/doc/r0054557.html

Validation of db2dsdriver.cfg file:

https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.swg.im.dbcli
ent.install.doc/doc/t0060680.html

25
Configuration for WAS Liberty profile
•

26
 Hostname validation (Db2 11.5.6+ clients)
• Db2 11.5.6 clients and later can verify the server's hostname that
appears in the server certificate with the name the client is
connection to. This adds another layer of security.
• Client compares to CN or better SAN field of server certificate
• Enabled at client via db2cli.ini SSLClientHostnameValidation=Basic
• If host validation fails, SQL20576N with SQLSTATE 08001 is
returned to the client and a message is logged in db2diag.log

See also Hostname Validaton

https://www.ibm.com/docs/en/db2/11.5?topic=transit-hostname-validation
and Representing servers in a TS certificate
https://www.ibm.com/docs/en/db2/11.5?topic=instances-representing-servers-in-
certificate
and how to trouble shoot issues
https://www.ibm.com/docs/en/db2/11.5?topic=validation-troubleshooting-hostname

27
 Representing Server names in TLS certs
• https://www.ibm.com/docs/en/db2/11.5?topic=instances-
representing-servers-in-certificate

https://www.ibm.com/docs/en/db2/11.5?topic=instances-representing-servers-in-
certificate

28
Check usage of secure connections
• Which application is now using a TLS connection?
SELECT
substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID,
substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME,
substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST,
CLIENT_PROTOCOL AS PROTOCOL,
CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME,
SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID,
SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID,
COUNT(*) AS COUNT
FROM
TABLE ( mon_get_connection( NULL, -2 ))
GROUP BY
CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME,
CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID,
SESSION_AUTH_ID
ORDER BY
1,2,3,4,5,6

29
Ciphers and encryption methods
• https://scotthelme.co.uk/https-cheat-sheet/

30
Ciphers and Db2 (1|2)
• During SSL handshake client and server negotiate the most secure encryption
method. If no compatible method was found, connection fails. The order of
so called Cipher Suites cannot be changed.
• If SSL_VERSIONS was set to TLSv12, following SSL_CIPHERSPECS are usable:
 TLS_RSA_WITH_AES_256_GCM_SHA384  TLS_RSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384  TLS_RSA_WITH_AES_128_CBC_SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
 TLS_RSA_WITH_AES_256_CBC_SHA256  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
 TLS_RSA_WITH_AES_256_CBC_SHA  TLS_RSA_WITH_AES_128_CBC_SHA

31
Ciphers and Db2 (2|2)
• Configure ciphers in Db2 (length max 255 chars):
db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

• Whatever Cipher is finally used cannot be retrieved (GSKit doesn't

feed this back to Db2)

32
Support us! (1|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133

33
Support us! (2|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952

34
Technotes
• Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS:
internal test failed, interface disabled"
https://www.ibm.com/support/pages/node/6356455
Problem:
The internal self-test in GSKit fails when it can't get sufficient
entropy via hardware or software RNG (Random Number
Generation). This can cause the Db2 instance to stop functioning
correctly, and will require a restart of the instance.

35
Further links
• Step-by-Step Instructions to Configure a Secure Database System,
Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121
• Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I
LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3,
https://www.ibm.com/support/pages/apar/IC85574
• SSL/TLS: How to choose your cipher suite
https://technology.amis.nl/2017/07/04/ssltls-choose-cipher-
suite/

36
SSL and Db2 on (IBM) Cloud
• Supporting links to use Db2 on Cloud with SSL/TLS
Short compact configuration guide for Db2 on Cloud:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support
How to connect to Db2 on Cloud, connect options
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options
SSL as requirement for IAM-based authentication
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs
If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly
suggested to protect the token with TLS
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.s
ec.doc/doc/c_token_auth.html

37
Thank You

Speaker: Roland Schock

Email Address: roland.schock@arcor.de

Session Code: G10

Please fill out your session evaluation before leaving!

38