HCL Workload Automation, Version 9.4

Configuring DB2

About this task

To configure supported versions of DB2 for FIPS compliance, perform the following procedure:
Note: For information about supported versions of DB2, refer to the System Requirements Document at https://workloadautomation.hcldoc.com/help/topic/com.hcl.wa.doc_9.4/distrDDguides.html.
  1. Ensure that the path to the GSKit libraries is included in the relevant environment variables. The names of the environment variables vary depending on the operating system, as follows:
    UNIX and Linux
    LIBPATH, LD_LIBRARY_PATH, or SHLIB_PATH environment variables. Specify this information in the .profile file for the DB2 instance owner.
    Windows
    PATH environment variable. For example, c:\Program Files\HCL\gsk8\lib.
    GSKit is automatically included when you install the DB2 database system.
    On Windows 32-bit operating systems
    the GSKit libraries are located in C:\Program Files\HCL\GSK8\lib. In this case, the system PATH must include C:\Program Files\HCL\GSK8\lib.
    On Windows 64-bit operating systems
    the 64-bit GSKit libraries are located in C:\Program Files\HCL\GSK8\lib64 and the 32-bit GSKit libraries are located in C:\Program Files (x86)\HCL\GSK8\lib.
    On UNIX and Linux operating systems
    the GSKit libraries are located in sqllib/lib. Therefore, the LIBPATH, SHLIB_PATH or LD_LIBRARY_PATH environment variables must include sqllib/lib.
    On non-Windows operating systems
    the DB2 database manager installs GSKit locally, and for a given instance, the GSKit libraries might be located in sqllib/lib or sqllib/lib64.
  2. To set up your DB2 server for SSL support, log in as the DB2 instance owner and set the following configuration parameters and the DB2COMM registry variable. Use the db2 update dbm cfg using parameter_name parameter_value command, where
    parameter_name
    Is the name of the parameter to be set.
    parameter_value
    Is the value of the parameter to be set.
    1. Set the ssl_svr_keydb configuration parameter to the fully qualified path of the key database file. For example:
      C:\TWS\installations\tws850cli\TWS\ssl\gskit\TWSClientKeyStore.kdb
      where:
      TWSClientKeyStore.kdb
      Is the fully qualified file name of the KeyStore that stores the DB2 certificate and the trusted certificates, for example the certificate of the WebSphere Application Server that connects to DB2. This KeyStore can be the same one you specified in the localopts parameters. See Setting localopts parameters for FIPS. Note that it must be recognized by the JKS WebSphere Application Server certificate.
      If ssl_svr_keydb is null (unset), SSL support is not enabled.
    2. Set the ssl_svr_stash configuration parameter to the fully qualified path of the stash file. For example:
      C:\TWS\installations\tws850cli\TWS\ssl\gskit\TWSClientKeyStore.sth
      If ssl_svr_stash is null (unset), SSL support is not enabled.
    3. Set the ssl_svr_label configuration parameter to the label of the digital certificate of the server. If ssl_svr_label is not set, the default certificate in the key database is used. If there is no default certificate in the key database, SSL is not enabled. For example:
      "client"
    4. Set the ssl_svcename configuration parameter to the port that the DB2 database system listens on for SSL connections. If TCP/IP and SSL are both enabled (the DB2COMM registry variable is set to 'TCPIP,SSL'), set ssl_svcename to a different port than the port to which svcename is set. The svcename configuration parameter sets the port that the DB2 database system listens on for TCP/IP connections. If you set ssl_svcename to the same port as svcename, neither TCP/IP nor SSL is enabled. If ssl_svcename is null (unset), SSL support is not enabled.
      Note:
      1. In HADR environments, do not set hadr_local_svc on the primary or standby database system to the same value as you set for ssl_svcename. Also, do not set hadr_local_svc to the same value as svcename, or svcename plus one.
      2. When the DB2COMM registry variable is set to 'TCPIP,SSL', if TCPIP support is not properly enabled, for example due to the svcename configuration parameter being set to null, the error SQL5043N is returned and SSL support is not enabled.
    5. (Optional) If you want to specify which cipher suites the server can use, set the ssl_cipherspecs configuration parameter. If you leave ssl_cipherspecs null (unset), GSKit picks the strongest available cipher suite that is supported by both the client and the server.
    6. Add the value SSL to the DB2COMM registry variable. For example:
      db2set -i db2inst1 DB2COMM=SSL
      The database manager can support multiple protocols at the same time. For example, to enable both TCP/IP and SSL communication protocols:
      db2set -i db2inst1 DB2COMM=SSL,TCPIP
      where:
      db2inst1
      Is the DB2 instance name.
      Note: During the installation of an HCL Workload Automation master domain manager or backup master domain manager, it is necessary to enable the DB2 TCPIP port. DB2 can support both the TCP/IP and SSL communication protocols at the same time. The DB2 administrator can set the TCPIP port with the command db2set DB2COMM=TCPIP,SSL. Use this command if you are installing an HCL Workload Automation master domain manager or backup master domain manager and already have a FIPS-enabled instance of DB2. After installation, you can choose to reset DB2COMM to SSL only.
    7. Restart the DB2 instance. For example:
      db2stop
      db2start
  3. Insert the following default JSSE socket factory parameters in the java.security file of the HCL Workload Automation WebSphere Application Server:
    ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl
    ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl
  4. Restart DB2.
Note: It is not necessary to update the DB2 JVM. This is because you already updated the JVM of WebSphere Application Server in the procedure described in Configuring WebSphere Application Server for FIPS.
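The following POSIX shell script is an added example, not part of the HCL documentation: it checks the SSL settings from step 2 for the mistakes the procedure warns about (unset ssl_svr_keydb or ssl_svr_stash, missing files, SSL absent from DB2COMM, ssl_svcename equal to svcename, TCPIP enabled without svcename, and HADR port clashes) before the instance is restarted. Values are passed as arguments so the check runs without a live instance; get_live_cfg assumes the instance name db2inst1 and the `(PARAMETER) = value` layout of `db2 get dbm cfg` output.

```shell
#!/bin/sh
# usage: check_db2_ssl_cfg KEYDB STASH SVCENAME SSL_SVCENAME DB2COMM [HADR_LOCAL_SVC]
# Returns 0 when SSL would be enabled, 1 otherwise, printing each problem found.
check_db2_ssl_cfg() {
  keydb=$1; stash=$2; svcename=$3; ssl_svcename=$4; hadr=$6; rc=0
  db2comm=$(printf '%s' "$5" | tr 'a-z' 'A-Z' | tr -d ' ')   # "TCPIP, SSL" -> "TCPIP,SSL"

  # ssl_svr_keydb and ssl_svr_stash must both be set and point at existing files
  [ -n "$keydb" ] || { echo "ssl_svr_keydb unset: SSL not enabled"; rc=1; }
  [ -z "$keydb" ] || [ -f "$keydb" ] || { echo "key database not found: $keydb"; rc=1; }
  [ -n "$stash" ] || { echo "ssl_svr_stash unset: SSL not enabled"; rc=1; }
  [ -z "$stash" ] || [ -f "$stash" ] || { echo "stash file not found: $stash"; rc=1; }

  # ssl_svcename must be set and SSL must be listed in DB2COMM
  [ -n "$ssl_svcename" ] || { echo "ssl_svcename unset: SSL not enabled"; rc=1; }
  case ",$db2comm," in *,SSL,*) ;; *) echo "DB2COMM=$5 does not include SSL"; rc=1 ;; esac

  # with both protocols enabled, svcename must be set (else SQL5043N) and differ from ssl_svcename
  case ",$db2comm," in
    *,TCPIP,*)
      [ -n "$svcename" ] || { echo "DB2COMM includes TCPIP but svcename is unset (SQL5043N)"; rc=1; }
      [ "$svcename" != "$ssl_svcename" ] || { echo "ssl_svcename equals svcename: neither protocol enabled"; rc=1; } ;;
  esac

  # HADR: hadr_local_svc must not collide with ssl_svcename, svcename or svcename+1
  if [ -n "$hadr" ]; then
    [ "$hadr" != "$ssl_svcename" ] || { echo "hadr_local_svc equals ssl_svcename"; rc=1; }
    [ "$hadr" != "$svcename" ] || { echo "hadr_local_svc equals svcename"; rc=1; }
    case "$svcename" in
      ''|*[!0-9]*) ;;   # service name rather than a port number: the +1 rule cannot be checked
      *) [ "$hadr" != "$((svcename + 1))" ] || { echo "hadr_local_svc equals svcename+1"; rc=1; } ;;
    esac
  fi
  return $rc
}

# Collects the live values as the instance owner and runs the check.
# Assumed: instance name db2inst1 and "(NAME) = value" lines in db2 get dbm cfg output.
get_live_cfg() {
  cfg=$(db2 get dbm cfg)
  val() { printf '%s\n' "$cfg" | sed -n "s/.*($1) *= *//p" | head -n 1; }
  check_db2_ssl_cfg "$(val SSL_SVR_KEYDB)" "$(val SSL_SVR_STASH)" "$(val SVCENAME)" \
    "$(val SSL_SVCENAME)" "$(db2set -i db2inst1 DB2COMM)" "$(val HADR_LOCAL_SVC)"
}
```

Run `get_live_cfg` as the instance owner after step 2.6 and before restarting; a non-zero exit lists every setting that would leave SSL disabled.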

For more information about how to configure DB2 to be FIPS compliant, see the DB2 documentation that describes how to configure Secure Sockets Layer (SSL) support in a DB2 instance.