TLS Hostname Validation
A change that affects all users of TLS/SSL encryption. Starting with Version 12 of the Db2 Clients and Data Server Drivers, the JDBC property “sslClientHostnameValidation” and the corresponding ODBC/CLI configuration parameter “SSLClientHostnameValidation” change their default setting from “OFF” to “BASIC”.
With “BASIC”, the data server drivers require that the Db2 server certificate presented in the TLS handshake carries a Subject Alternative Name (SAN) extension with an entry that matches the IP address or DNS host name the client application used to connect. With the previous default “OFF”, the driver did not compare the SAN with the connection target, so a certificate with an empty SAN, or with non-matching IP addresses or DNS host names, was still accepted.
Required action:
Before migrating to the Version 12 Db2 Client or Data Server Driver, check the SANs on your Db2 server certificates and make sure they contain every IP address and DNS host name your clients can use in their connection strings or properties, including any aliases and IP literals, and not only the name the certificate was originally requested for.
Users of Db2 for z/OS Data Sharing connecting through a Sysplex Distributor should take care that the IP address and DNS host name of the Sysplex Distributor are present in the SAN of the server certificate, since that is the address the client connects to. For more information, see here:
https://www.ibm.com/docs/en/db2/12.1?topic=instances-connections-other-topologies
If the Db2 server certificates cannot be corrected in time, you can disable hostname validation by explicitly setting this property to “OFF”. Be aware of what that gives up: the driver still validates the certificate chain, but it no longer checks that the certificate belongs to the host being contacted, so a valid certificate issued for any other host would be accepted. Treat “OFF” as a temporary measure and return to “BASIC” once the certificates carry the correct SANs.
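The following script is an added example, not code from the page or from IBM, for the check the required action asks for: take the SAN block of a server certificate and list every host name or IP address from your client connection strings that the certificate does not cover. The SAN text is in the format printed by `openssl s_client -connect host:port </dev/null | openssl x509 -noout -ext subjectAltName`; the certificate contents and client targets below are constructed sample values, and the matching rules (case-insensitive DNS comparison, a single wildcard as the whole leftmost label, IP literals compared as addresses rather than strings) are the usual RFC 6125 rules, assumed here rather than taken from the page.

```python
import ipaddress

# Constructed sample: what `openssl x509 -noout -ext subjectAltName` prints for a
# hypothetical Db2 server certificate. Not a real certificate from the page.
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:db2prod.example.com, DNS:*.dsg.example.com, IP Address:10.0.0.5, IP Address:2001:DB8::10
"""

# Constructed sample: every host/IP that appears in client connection strings,
# including a Sysplex Distributor name and DVIPA (hypothetical values).
SAMPLE_CLIENT_TARGETS = [
    "db2prod.example.com",
    "DB2PROD.EXAMPLE.COM",          # case must not matter for DNS names
    "member1.dsg.example.com",      # covered by the wildcard entry
    "10.0.0.5",
    "2001:db8::10",                 # same IPv6 address, different textual form
    "db2-distributor.example.com",  # Sysplex Distributor name, missing from the SAN
    "10.0.0.9",                     # Sysplex Distributor DVIPA, missing from the SAN
]


def parse_openssl_san(text):
    """Parse the 'X509v3 Subject Alternative Name' block into (kind, value) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("X509v3"):
            continue
        for item in line.split(","):
            # Split on the first ':' only, so IPv6 literals stay intact.
            kind, _, value = item.strip().partition(":")
            entries.append((kind.strip(), value.strip()))
    return entries


def _dns_matches(pattern, host):
    """RFC 6125 style matching: case-insensitive, '*' only as the whole leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the entire leftmost label, not match a bare domain, and
    # not appear anywhere else; it covers exactly one label on the host side.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def is_covered(target, san_entries):
    """True if the host name or IP literal a client connects to is in the SAN."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None and kind == "IP Address":
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
        elif ip is None and kind == "DNS" and _dns_matches(value, target):
            return True
    return False


def uncovered_targets(targets, san_text):
    """Return the connection targets that hostname validation BASIC would reject."""
    san = parse_openssl_san(san_text)
    return [t for t in targets if not is_covered(t, san)]


if __name__ == "__main__":
    for t in uncovered_targets(SAMPLE_CLIENT_TARGETS, SAMPLE_SAN_TEXT):
        print("not in SAN:", t)
```

Run it once per server certificate with the complete list of targets gathered from db2dsdriver.cfg files, JDBC URLs and application properties; any name it prints is a connection that will start failing after the driver upgrade unless the certificate is reissued or the property is set to “OFF”.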