Configuring SSL for a Db2 instance

To secure the connection between the i2® Analyze application server and the database instance, you must change the configuration of both. The Db2® server stores its associated certificates in a key database, so you must create and populate a key database for the Db2 server to use.

In i2 Analyze, SSL connections that involve the Db2 server require a key database that contains a signed certificate. In a production deployment, after you create the key database, you must populate it with a certificate that is signed by a trusted certificate authority. To demonstrate a working configuration, you can create and use a self-signed certificate. If you are using a certificate that is signed by a certificate authority, add it to the key database instead; in that case you do not need to complete step 2, which creates the self-signed certificate.

Ensure that you understand the details that are provided in the Db2 documentation to configure SSL for your Db2 instance. For more information, see Configuring Secure Sockets Layer (SSL) support in a Db2 instance.

To run the commands in the procedure, set your Windows™ PATH environment variable as follows:
set PATH=<path_to_gsk8_directory>\bin;<path_to_gsk8_directory>\lib;%PATH%

  1. Create a key database by using the GSKCapiCmd tool.
    1. Start the GSKCapiCmd tool.
      Note: Start the GSKCapiCmd tool by using the gskcapicmd command. Follow the details that are provided in the Db2 documentation link for the path to the command, the required libraries, and the command syntax.
    2. Create a key database.
      For example, to create the key file, run the following command:
      gsk8capicmd_64 -keydb -create -db "C:\i2\i2analyze\i2-db2-keystore.kdb" -pw "password" -stash 
      Important: Ensure that you enter values as follows:
      • Set the location of the key database to the directory that contains the toolkit.
      • Assign a secure password.
  2. Create a self-signed certificate.
    For example, to create the self-signed certificate, run the following command:
    gsk8capicmd_64 -cert -create -db "C:\i2\i2analyze\i2-db2-keystore.kdb" -label "dbKey" -dn "CN=hostname" -pw "password"
    Note: The command is a simplified version of the command in the Db2 documentation; it omits the O, OU, L, and C values, which are not required for this example. Use the label dbKey to align with the httpKey and libertyKey labels that are used in the HTTP server and Liberty keystores. Ensure that the common name (CN) in the certificate matches the fully qualified domain name of the database instance server, because clients verify the server certificate against the host name that they connect to.
  3. Extract the certificate from the key database.
    For example, to extract the certificate, run the following command:
    gsk8capicmd_64 -cert -extract -db "C:\i2\i2analyze\i2-db2-keystore.kdb" -label "dbKey" -target "C:\i2\i2analyze\i2-db2-certificate.cer" -pw "password"
  4. Configure Db2 for SSL.
    For example, to configure Db2 for SSL only, run the following commands on the Db2 server:
    db2 "UPDATE DBM CFG USING SSL_SVR_KEYDB C:\i2\i2analyze\i2-db2-keystore.kdb"
    db2 "UPDATE DBM CFG USING SSL_SVR_STASH C:\i2\i2analyze\i2-db2-keystore.sth"
    db2 "UPDATE DBM CFG USING SSL_SVR_LABEL dbKey"
    db2 "UPDATE DBM CFG USING SSL_VERSIONS TLSv12"
    db2 "UPDATE DBM CFG USING SSL_SVCENAME 50001"
    db2set DB2COMM=SSL
  5. Navigate to the toolkit/scripts directory, and run the command to stop Liberty:
    setup -t stopLiberty
  6. Restart Db2 for the changes to take effect:
    db2stop
    db2start

After you configure Db2, you can check the db2diag.log file to ensure that there are no errors with your SSL configuration.
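The following batch file is an added example, not part of the i2 Analyze documentation. Run from a Db2 Command Window on the Db2 server after step 6, it checks that the dbKey certificate is present in the key database and shows its subject CN and validity, that the database manager SSL parameters were applied, that DB2COMM is SSL only, that the listener is bound to the SSL port, and that db2diag.log contains no Severe or Error records. It assumes the key database path, the label dbKey, and port 50001 from the example commands above; adjust them for your deployment.

```batch
@echo off
REM Post-configuration check for the Db2 SSL setup described on this page.
REM Added example, not part of the i2 Analyze documentation. Run from a Db2
REM Command Window on the Db2 server after db2start. The key database path,
REM label and port are the values used in the example commands above.

set KEYDB=C:\i2\i2analyze\i2-db2-keystore.kdb
set LABEL=dbKey
set SSLPORT=50001

echo === 1. Certificate present in the key database (password read from the stash file)
gsk8capicmd_64 -cert -list -db "%KEYDB%" -stashed | findstr /i "%LABEL%" || echo WARNING: label %LABEL% not found in %KEYDB%

echo === 2. Subject and validity; the CN must equal the FQDN that Liberty connects to
gsk8capicmd_64 -cert -details -db "%KEYDB%" -stashed -label "%LABEL%" | findstr /i /C:"Subject" /C:"Not Before" /C:"Not After"

echo === 3. Database manager SSL parameters as applied in step 4
db2 get dbm cfg | findstr /i "SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVR_LABEL SSL_VERSIONS SSL_SVCENAME"

echo === 4. Communication protocol; must be SSL only (a value such as TCPIP,SSL still accepts cleartext connections)
db2set DB2COMM

echo === 5. Listener bound on the SSL port
netstat -an | findstr /i "LISTENING" | findstr ":%SSLPORT% " || echo WARNING: nothing is listening on port %SSLPORT%

echo === 6. Severe and Error records in db2diag.log (inspect any SSL or GSKit entries)
db2diag -level Severe,Error
```

If step 3 prints SSL_SVR_KEYDB or SSL_SVR_STASH without a value, the UPDATE DBM CFG commands did not take effect and must be rerun before db2stop and db2start.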

Note: If you are using a remote Db2 database, then you must configure the Db2 client on the Liberty server to communicate by using SSL. Run the following commands to configure the Db2 client to use the keystore and stash file:
db2 "UPDATE DBM CFG USING SSL_CLNT_KEYDB C:\i2\i2analyze\i2-db2-keystore.kdb"
db2 "UPDATE DBM CFG USING SSL_CLNT_STASH C:\i2\i2analyze\i2-db2-keystore.sth"