HCL Workload Automation, Version 9.4

Configuring DB2 in SSL mode

Set up your DB2 server for SSL support.

Before you begin

Make sure you have logged in as the DB2 instance owner and set the following configuration parameters and the DB2COMM registry variable.

Use the db2 update dbm cfg using parameter_name parameter_value command, where parameter_name is the name of the parameter to set and parameter_value is the value to assign to it.

Procedure

  1. Set the ssl_svr_keydb configuration parameter to the fully qualified path of the key database file. For example: C:\TWS\installations\tws850cli\TWS\ssl\gskit\TWSClientKeyStore.kdb, where TWSClientKeyStore.kdb is the KeyStore that stores the DB2 certificate and the trusted certificates.
    Note: The DB2 certificate must be recognized by the WebSphere Application Server JKS certificate. If ssl_svr_keydb is null (unset), SSL support is not enabled.
  2. Set the ssl_svr_stash configuration parameter to the fully qualified path of the stash file. For example: C:\TWS\installations\tws850cli\TWS\ssl\gskit\TWSClientKeyStore.sth. If ssl_svr_stash is null (unset), SSL support is not enabled.
  3. Set the ssl_svr_label configuration parameter to the label of the server's digital certificate, for example: client. If ssl_svr_label is not set, the default certificate in the key database is used. If there is no default certificate in the key database, SSL is not enabled.
  4. Set the ssl_svcename configuration parameter to the port that the DB2 database system uses for SSL connections. If TCP/IP and SSL are both enabled (the DB2COMM registry variable is set to 'TCPIP,SSL'), set ssl_svcename to a port different from the one set for svcename. The svcename configuration parameter sets the port that the DB2 database system uses for TCP/IP connections. If you set ssl_svcename to the same port as svcename, neither TCP/IP nor SSL is enabled. If ssl_svcename is null (unset), SSL support is not enabled.
    Note: When the DB2COMM registry variable is set to 'TCPIP,SSL' but TCP/IP support is not properly enabled, for example because the svcename configuration parameter is set to null, the error SQL5043N is returned and SSL support is not enabled.
  5. Add the value SSL to the DB2COMM registry variable. For example: db2set -i db2inst1 DB2COMM=SSL, where db2inst1 is the DB2 instance name. The database manager can support multiple protocols at the same time; for example, to enable both the TCP/IP and SSL communication protocols, specify: db2set -i db2inst1 DB2COMM=SSL,TCPIP.
  6. Restart the DB2 instance. For example:
    db2stop
    db2start
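The following script is an added example, not part of HCL's documentation: it encodes the rules from steps 1 to 5 (an unset ssl_svcename or a port equal to svcename disables SSL, an empty label falls back to the default certificate) and prints the db2 commands in procedure order. The instance name, paths and ports are constructed sample values.

```shell
#!/bin/sh
# Added example, not HCL's own script: checks the rules stated in steps 1-5
# of this procedure and prints the db2 commands in order. The instance name,
# paths and ports below are constructed sample values.
INSTANCE="db2inst1"
KEYDB="/home/db2inst1/ssl/TWSClientKeyStore.kdb"   # ssl_svr_keydb
STASH="/home/db2inst1/ssl/TWSClientKeyStore.sth"   # ssl_svr_stash
LABEL="client"                                     # ssl_svr_label (may be empty)
SVCENAME=50000                                     # existing TCP/IP port (svcename)
SSL_SVCENAME=50001                                 # ssl_svcename

# Step 4: ssl_svcename must be set and must differ from svcename, otherwise
# neither TCP/IP nor SSL comes up. Returns 0 when the pair is valid.
check_ssl_ports() {
    tcp_port="$1"; ssl_port="$2"
    if [ -z "$ssl_port" ]; then
        echo "ssl_svcename is unset: SSL support stays disabled" >&2
        return 1
    fi
    if [ "$tcp_port" = "$ssl_port" ]; then
        echo "ssl_svcename equals svcename ($ssl_port): neither protocol starts" >&2
        return 1
    fi
}

# Step 5: DB2COMM value for SSL only, or for SSL alongside TCP/IP.
db2comm_value() {
    case "$1" in
        ssl)  echo "SSL" ;;
        both) echo "SSL,TCPIP" ;;
        *)    return 1 ;;
    esac
}

# Emits the commands in procedure order; step 3 is skipped when LABEL is
# empty, because DB2 then uses the key database's default certificate.
print_commands() {
    check_ssl_ports "$SVCENAME" "$SSL_SVCENAME" || return 1
    echo "db2 update dbm cfg using ssl_svr_keydb $KEYDB"
    echo "db2 update dbm cfg using ssl_svr_stash $STASH"
    [ -n "$LABEL" ] && echo "db2 update dbm cfg using ssl_svr_label $LABEL"
    echo "db2 update dbm cfg using ssl_svcename $SSL_SVCENAME"
    echo "db2set -i $INSTANCE DB2COMM=$(db2comm_value both)"
    printf 'db2stop\ndb2start\n'
}

print_commands
```

Run it as the DB2 instance owner and review the printed commands before executing them; the port check is the one that silently disables both protocols if skipped.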