WebSphere Application Server & Liberty

  • 1.  SSL communication between WAS 8.5 and DB2

    Posted Wed June 24, 2015 03:30 AM
    Hi,


    Can anyone please provide me the procedure on how to set up an SSL link between WAS 8.5 and DB2 so that there is an encrypted flow of information between WAS and the database?

    Thanks,
    Kushal


  • 2.  SSL communication between WAS 8.5 and DB2

    Posted Wed June 24, 2015 01:57 PM
    Hi Kushal,

      I have never done this with DB2 (I have with LDAP), but the steps are normally the same.
     
      - Enable SSL on your target host (DB2). Normally this is done by enabling an SSL port on DB2 and using a certificate (known or self-signed)
        Configuring Secure Sockets Layer (SSL) support in a DB2 instance
        http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.5.0/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html?lang=en
        
      - Exchange the issuer's SSL CA certificate between source (WAS) and target (DB2). You need to import the WAS certificate issuer CA into the TrustStore of the DB2 and vice versa
     
      - Change the port of your Datasource (to the SSL port)  
         
      Hope this helps. Tell us if you need more support
     
    Regards


  • 3.  SSL communication between WAS 8.5 and DB2

    Posted Wed June 24, 2015 03:56 PM
    Thanks Gabriel. What if we need FIPS-compliant SSL communication? What additional steps are needed then?


  • 4.  SSL communication between WAS 8.5 and DB2

    Posted Wed June 24, 2015 03:58 PM
    Also, I just wanted to know if SSL is really needed between WAS and the database, as I have not seen such a setup in my previous projects.
    Will it affect the performance adversely?


  • 5.  SSL communication between WAS 8.5 and DB2

    Posted Wed June 24, 2015 04:35 PM
    Kushal,

      Here are the configurations to be compliant with FIPS from the WAS point of view.
     
      Federal Information Processing Standard support
      www-01.ibm.com/support/knowledgecenter/S...
     
      Configuring Federal Information Processing Standard Java Secure Socket Extension files
      www-01.ibm.com/support/knowledgecenter/S...
     
     
      From the DB2 point of view:

      Standards compliance
      www-01.ibm.com/support/knowledgecenter/S...

      Configuring the Java Runtime Environment to use SSL
      www-01.ibm.com/support/knowledgecenter/S...

      Configuring Secure Sockets Layer (SSL) support in non-Java DB2 clients
      www-01.ibm.com/support/knowledgecenter/S...  
     
      To your question about SSL performance, my experience is YES. When we configured LDAP communication with SSL/TLS, the performance went down. We mitigated this using SSL caches, but with caches, when any change occurs you need to wait for the new changes to be reflected. Normally security and performance are not great friends, so you need to choose.
     
     
      Hope this helps. Tell us if you need more support
     
    Regards


  • 6.  SSL communication between WAS 8.5 and DB2

    Posted Thu June 25, 2015 05:35 AM
    Hi Gabriel,

    One more question, somewhat related to the earlier question:

    Is there any way we can restrict the database (DB2) ports so they can be accessed only by known clients (i.e., the app servers)?


    Thanks,
    Kushal

     


  • 7.  SSL communication between WAS 8.5 and DB2

    Posted Thu June 25, 2015 11:08 AM
    Kushal,

      Yes, you need to configure a Trusted Context. I have used it to share the logged-in user of an application (at the application server) with DB2, so that the authorizations at the DB2 level (grants) are done at the logged-in user level and not for the datasource user.
     
      Review the following links:
     
      "A trusted context is a database object that defines a trust relationship for a connection between the database and an external entity such as an application server."
        
     
      Trusted contexts and trusted connections
      www-01.ibm.com/support/knowledgecenter/S...
     
      Restricting database connections using trusted contexts in DB2 for Linux, UNIX, and Windows
      www.ibm.com/developerworks/data/library/...
     
      Restricting database connections using the CONNECT_PROC database configuration parameter in DB2 for Linux, Unix, and Windows
      www.ibm.com/developerworks/data/library/...
     
      Because this is a DB2 question, maybe you can get more information in the DB2 forum
     
      www.ibm.com/developerworks/community/for...
     
     
      Hope this helps. Tell us if you need more support
     
    Regards
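
The trusted-context approach referenced in the last reply, shown as an added example that is not part of the original thread or of IBM's documentation: the right to connect is moved into a role that the datasource ID only receives when the connection comes from the application server's address over SSL. The role name, context name, authorization ID `WASDBUSR` and address `192.0.2.10` are constructed placeholders, and the statements assume DB2 for Linux, UNIX, and Windows run by a user with SECADM authority.

```sql
-- Added example. WAS_CONNECT_ROLE, WAS_APPSERVER_CTX, WASDBUSR and 192.0.2.10
-- are placeholders; substitute the datasource ID and app-server address in use.

-- 1. Put the CONNECT authority into a role instead of granting it to the ID.
CREATE ROLE WAS_CONNECT_ROLE;
GRANT CONNECT ON DATABASE TO ROLE WAS_CONNECT_ROLE;

-- 2. Remove the default CONNECT that PUBLIC holds in a non-restrictive database.
--    This affects every user: anyone else who must connect needs CONNECT
--    re-granted explicitly. WASDBUSR must not hold CONNECT directly or
--    through a group, otherwise the restriction below is bypassed.
REVOKE CONNECT ON DATABASE FROM PUBLIC;

-- 3. Define the trust relationship. The role (and with it CONNECT) is only
--    inherited when all attributes match:
--      SYSTEM AUTHID  - the datasource ID configured in WAS
--      ADDRESS        - the application server's IP address or host name
--      ENCRYPTION     - 'HIGH' means the connection must use SSL
CREATE TRUSTED CONTEXT WAS_APPSERVER_CTX
  BASED UPON CONNECTION USING SYSTEM AUTHID WASDBUSR
  ATTRIBUTES (ADDRESS '192.0.2.10',
              ENCRYPTION 'HIGH')
  DEFAULT ROLE WAS_CONNECT_ROLE
  ENABLE;

-- 4. Check what was created.
SELECT CONTEXTNAME, SYSTEMAUTHID, DEFAULTCONTEXTROLE, ENABLED
  FROM SYSCAT.CONTEXTS
 WHERE CONTEXTNAME = 'WAS_APPSERVER_CTX';

SELECT CONTEXTNAME, ATTR_NAME, ATTR_VALUE
  FROM SYSCAT.CONTEXTATTRIBUTES
 WHERE CONTEXTNAME = 'WAS_APPSERVER_CTX';
```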