IBM Cloud Docs
SSL connectivity

SSL connectivity

The Db2 Warehouse on Cloud database uses a certificate for SSL connections that is issued by a third-party digital certificate authority (CA).

The CA certificate is part of the Db2 driver package. If your application connects with a driver from the Db2 driver package, you do not need to download the certificate separately. You can download the Db2 driver package from the web console.

However, if your application has its own driver, you might need to download the certificate separately. You can download the certificate from the web console.

Secure Sockets Layer (SSL) is a security protocol that provides communication privacy. SSL enables client and server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. SSL-enabled client applications use standard encryption techniques to help ensure secure communication.

Configuring your applications to connect to your Db2 Warehouse on Cloud database with SSL is strongly recommended. You should use only non-SSL connections if your are using legacy applications that cannot connect using an SSL connection.

SSL connections to Db2 Warehouse on Cloud are enforced by default on all new and recently deployed instances and will start to be enforced on all older instances in April and May, 2020. To enable a non-SSL port on your IBM Cloud system or to keep a non-SSL port enabled, open a support case to make that request.

Configuring your Db2 client

  1. Download the IBM Global Security Kit (GSKit) by selecting the GSKit appropriate for your operating system (OS).

  2. Download the SSL certificate from the Connection configuration resources section under Connections in the Administration page of the Db2 Warehouse on Cloud web console. Store the SSL certificate file in a directory that can be referenced in a subsequent command.

  3. Install the GSKit. See the following links for instructions:

    For more details, see IBM Global Security Kit global installation instructions overview

  4. Set environment variable paths:

    • AIX: LIBPATH /usr/opt/ibm/gsk8/lib

    • Linux: LD_LIBRARY_PATH /usr/local/ibm/gsk8/lib

    • UNIX: LD_LIBRARY_PATH /opt/ibm/gsk8/lib

    • Windows: PATH <installation_directory>\gsk8\bin <installation_directory>\gsk8\lib (lib64 for GSKit 64-bit)

  5. Create keystore. The following example command pertains to Windows:

    gsk8capicmd_64 -keydb -create -db "mykeystore.kdb" -pw "passw0rd" -stash
    

    You must have the ability to write to the directory or you will get an error.

  6. Add SSL certificate to the keystore. The following example command pertains to Windows:

    gsk8capicmd_64 -cert -add -db “mykeystore.kdb” -pw “passw0rd” -label ACIBLUDB_SSL -file c:\ssl\ACI_DigiCertGlobalRootCA.crt
    
  7. Update the Db2 database manager. The following example command pertains to Windows:

    db2 update dbm cfg using SSL_CLNT_KEYDB c:\PROGRA~1\IBM\gsk8\mykeystore.kdb
    

    On Windows, Program Files must use PROGRA~1.

Connecting to your database

  1. [Optional] If you use Data Studio, you can now connect to the database by selecting port 50001 and sslConnection=true.

  2. Catalog the node and database. The following example commands pertain to Windows:

    db2 catalog tcpip node ACICLD_S remote <IP_address_of_BLUDB_database_server> server 50001 security SSL
    
    db2 catalog db BLUDB as ACIBLU_S at node ACICLD_S
    
  3. Connect to your database with an SSL connection. The following example commands pertain to Windows:

    db2 terminate
    
    db2 connect to ACIBLU_S user <user_name>
    

For more information, see Configuring Secure Sockets Layer (SSL) support in non-Java Db2 clients.