Configuring DB2
About this task
To configure supported
versions of DB2 for FIPS compliance, perform the following procedure:
Note: For
information about supported versions of DB2, refer to the System Requirements Document at https://workloadautomation.hcldoc.com/help/topic/com.hcl.wa.doc_9.4/distrDDguides.html.
- Ensure that the path to the GSKit libraries
is included in the relevant environment variables. The names of the
environment variables vary depending on the operating system, as follows:
- UNIX and Linux
- LIBPATH, LD_LIBRARY_PATH, or SHLIB_PATH environment variables. Specify this information in the .profile file for the DB2 instance owner.
- Windows
- PATH environment variable. For example, c:\Program Files\HCL\gsk8\lib.
GSKit is automatically included when you install the DB2 database system.- On Windows 32-bit operating systems
- the GSKit libraries are located in C:\Program Files\HCL\GSK8\lib. In this case, the system PATH must include C:\Program Files\HCL\GSK8\lib.
- On Windows 64-bit operating systems
- the 64-bit GSKit libraries are located in C:\Program Files\HCL\GSK8\lib64 and the 32-bit GSKit libraries are located in C:\Program Files (x86)\HCL\GSK8\lib.
- On UNIX and Linux operating systems,
- the GSKit libraries are located in sqllib/lib. Therefore, the LIBPATH, SHLIB_PATH or LD_LIBRARY_PATH environment variables must include sqllib/lib.
- On non-Windows operating systems
- the DB2 database manager installs GSKit locally, and for a given instance, the GSKit libraries might be located in sqllib/lib or sqllib/lib64.
- To set up your DB2 server for SSL support, log in as the DB2 instance
owner and set the following configuration parameters and the DB2COMM registry
variable. Use the db2 update dbm cfg using parameter_name parameter_value command,
where
- parameter_name
- Is the name of the parameter to be set.
- parameter_value
- Is the value of the parameter to be set.
- Set the ssl_svr_keydb configuration parameter to the fully
qualified path of the key database file. For example:
where:C:\TWS\installations\tws850cli\TWS\ssl\gskit\TWSClientKeyStore.kdb- TWSClientKeyStore.kdb
- Is the fully-qualified file name of the KeyStore that stores the DB2 certificate, and the trusted certificates, for example the certificates for the WebSphere Application Server to connect to. This KeyStore can be the same one you specified in the localopts parameters. See Setting localopts parameters for FIPS. Note that it must be recognized by the JKS WebSphere Application Server certificate.
- Set the ssl_svr_stash configuration parameter to the fully
qualified path of the stash file. For example:
If ssl_svr_stash is null (unset), SSL support is not enabled.C:\TWS\installations\tws850cli\TWS\ssl\gskit\TWSClientKeyStore.sth - Set the ssl_svr_label configuration parameter to the label
of the digital certificate of the server. If ssl_svr_label is
not set, the default certificate in the key database is used. If there
is no default certificate in the key database, SSL is not enabled.
For example:
"client" - Set the ssl_svcename configuration parameter to the port
that the DB2 database system listens on for SSL connections. If TCP/IP
and SSL are both enabled (the DB2COMM registry variable is
set to 'TCPIP, SSL'), set ssl_svcename to a different port
than the port to which svcename is set. The svcename configuration
parameter sets the port that the DB2 database system listens on for
TCP/IP connections. If you set ssl_svcename to the same port
as svcename, neither TCP/IP or SSL are enabled. If ssl_svcename
is null (unset), SSL support is not enabled. Note:
- In HADR environments, do not set hadr_local_svc on the primary or standby database system to the same value as you set for ssl_svcename. Also, do not set hadr_local_svc to the same value as svcename, or svcename plus one.
- When the DB2COMM registry variable is set to 'TCPIP,SSL', if TCPIP support is not properly enabled, for example due to the svcename configuration parameter being set to null, the error SQL5043N is returned and SSL support is not enabled.
- (Optional) If you want to specify which cipher suites the server can use, set the ssl_cipherspecs configuration parameter. If you leave ssl_cipherspecs as null (unset), this allows GSKit to pick the strongest available cipher suite that is supported by both the client and the server.
- Add the value SSL to the DB2COMM registry variable. For
example:
The database manager can support multiple protocols at the same time. For example, to enable both TCP/IP and SSL communication protocols:db2set -i db2inst1 DB2COMM=SSL
where:db2set -i db2inst1 DB2COMM=SSL,TCPIP- db2inst1
- Is the DB2 instance name.
Note: During the installation of a HCL Workload Automation master domain manager or backup master domain manager, it is necessary to enable the DB2 TCPIP port. DB2 can support both TCP/IP and SSL communications protocols at the same time. The DB2 administrator can set the TCPIP port with the command db2set DB2COMM=TCPIP, SSL. Use this command if you are installing a HCL Workload Automation master domain manager or backup master domain manager and already have a FIPS-enabled instance of DB2. After installation, you can choose to reset DB2COMM with only SSL. - Restart the DB2 instance. For example:
db2stop db2starts
- Insert the following
default JSSE socket factories parameters in the java.security file
of the HCL Workload Automation WebSphere Application Server:
ssl.SocketFactory.provider=com.ibm.jsse2.SSLSocketFactoryImpl ssl.ServerSocketFactory.provider=com.ibm.jsse2.SSLServerSocketFactoryImpl - Restart DB2.
Note: It is not necessary to update the DB2 JVM. This is
because you already updated the JVM of WebSphere Application Server in
the procedure described in Configuring WebSphere Application Server for FIPS.
For more information about how to configure DB2 to be FIPS compliant, see the DB2 documentation that describes how to configure Secure Sockets Layer (SSL) support in a DB2 instance.