WebSphere Application Server & Liberty

  • 1.  Liberty TLS mutual authentication

    Posted Fri May 04, 2018 08:59 AM

    Does anyone know where and how to do the configuration on Liberty profile to access a data source, in order to use a DB2 resource connection exposed using TLS mutual authentication? We changed the URL and port and kept the same credentials, but we need to configure the certificate information on Liberty. Any help?



  • 2.  RE: Liberty TLS mutual authentication

    Posted Mon May 07, 2018 12:10 AM

    Did you configure the SSL configuration properly? See https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/rwlp_ssl.html, which is required to configure the certificates and key stores.



  • 3.  RE: Liberty TLS mutual authentication

    Posted Mon May 07, 2018 08:56 AM

    This is our main issue: we are trying to create the right server.xml configuration. Do you have a sample of that? We didn't do TLS earlier because our application was on the same IaaS platform. We are following the documentation that you shared, but we get some errors, because we don't know how to ensure that the JDBC connection requests will use the TLS and certificate configuration. For example, we have "PEM" files rather than JKS and could not find a sample with type "PEM". When we call the exposed DB2 resource we receive a connection refused error.

    Thanks for help



  • 4.  RE: Liberty TLS mutual authentication

    Posted Mon May 07, 2018 10:25 PM

    Can you please share some error information you are getting? Which error do you get in Liberty? Which one on the DB2 site?



  • 5.  RE: Liberty TLS mutual authentication

    Posted Tue May 08, 2018 10:38 AM

    "mensaje": "Exception [EclipseLink-4002] (Eclipse Persistence Services - 2.6.5.WAS-v20180104-90e991c): org.eclipse.persistence.exceptions.DatabaseException Internal Exception: java.sql.SQLNonTransientException: [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection's underlying socket, socket input stream, or socket output stream. Error location: Reply.fill() - insufficient data (-1). Message: Insufficient data. ERRORCODE=-4499, SQLSTATE=08001 DSRA0010E: SQL State = 08001, Error Code = -4,499 Error Code: -4499"



  • 6.  RE: Liberty TLS mutual authentication

    Posted Fri May 11, 2018 12:19 AM

    Hello Carlos,

    is this the only error you get on the Liberty side? So you get a connection exception which looks like the following link. So this could be an SSL issue. Do the error messages you get on the DB2 side point to SSL issues as well? What errors do you get there?

    But going back to the Liberty configuration: you have the SSL feature enabled, at least one SSL configuration (which is compatible with the SSL configuration on the DB2 side), and a default SSL configuration?

    What does your data source definition look like? Did you configure the driver to use SSL and certificates? The following link gives a hint about the properties you have to set in the data source definition.



  • 7.  RE: Liberty TLS mutual authentication

    Posted Fri May 11, 2018 03:01 PM

    Hi Hermann

    The URL that you sent was about WAS ND, but we are doing this on WAS Liberty, and we are trying to find the configuration to access the DB2 resource using TLS mutual authentication. We found that the configuration can be done in three ways:

    1. Using JDBC properties, but this will make us manage the JDBC pooling ourselves and we will lose the application server's capabilities to manage the connection
    2. Using server.xml file properties, but it has a lot of security parameters and we don't know how to do the right configuration to access DB2 as a TLS/SSL mutual authentication resource
    3. Using the local key store, but again we don't know how it must be configured to be used, and how to ensure that, when our application creates the connection to access the DB2 resource, it will use that configuration.

    As you can see, we have a lot of options and possibilities, and we want to avoid the trial-and-error method and get directions on the right way to do the configuration ("our first question").
    For example, we have PEM files, but we now know that we need to use the keytool command to convert them to JKS. Additionally, after a lot of attempts, our last error was:
    com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection's underlying socket, socket input stream, or socket output stream.  Error location: Reply.fill() - socketInputStream.read (-1).  Message: Received fatal alert: handshake_failure. ERRORCODE=-4499, SQLSTATE=08001
    Thanks a lot for your help



  • 8.  RE: Liberty TLS mutual authentication

    Posted Mon May 14, 2018 10:13 AM

    Hello Carlos,

    well, sure, I'm aware that the link I sent was from WAS ND, but the idea was to give you a link to the required JDBC driver settings for TLS authentication. My understanding of ERRORCODE=-4499, SQLSTATE=08001 is namely that the client and the server can't establish an SSL connection at all, i.e. the client sends an unencrypted request to the server port which (as per your previous update) expects encrypted communication. Is your JDBC driver configured accordingly?



  • 9.  RE: Liberty TLS mutual authentication

    Posted Tue May 15, 2018 01:40 PM

    Hi Carlos and Hermann

    I was working on an SSL/TLS connection with one-way authentication or with a self-signed certificate, and I recommend you do the following three tasks.

    Task 1. Connection validation: check the certificate types. If you have certificates in .pem format, you probably used openssl to generate them. To check the connection with your files from a remote client, execute the following command in a terminal.

    # -cert/-key present the client certificate and key for mutual authentication;
    # -showcerts prints the certificate chain the DB2 server sends back
    $ openssl s_client -connect host.ibmcloud.com:port -key our_private_key.pem -showcerts -cert our_server-signed_cert.pem

    If the output shows a successful connection, you can now generate your keystore.


    Task 2. How to generate the keystore.jks?

    Create a keystore in PKCS12 format with key.pem and cert.pem:

    # bundle the client private key and its certificate into one PKCS12 file
    $ openssl pkcs12 -export -inkey key.pem -in cert.pem -out client.packet

    The command asks for a password: #PASSWORD#

    Create a keystore in JKS format based on the keystore in PKCS12 format:

    # copy the PKCS12 entry into a JKS keystore (alias "1" because openssl left the entry unnamed)
    $ keytool -importkeystore -deststorepass #PASSWORD# -destkeypass #PASSWORD# -destkeystore keystore.jks -srckeystore client.packet -srcstoretype PKCS12 -srcstorepass #PASSWORD# -alias 1

    Add ca2-cert.pem to keystore.jks:

    # import the CA certificate as a trusted entry so the DB2 server certificate can be verified
    $ keytool -importcert -alias ca -trustcacerts -file /root/ca2-cert.pem -keystore keystore.jks

    Now keystore.jks contains ca2-cert.pem and the client.packet entry (which contains key.pem and cert.pem).

    Task 3. The next task is the configuration of your server.xml on Liberty profile.

    Configure the keystore parameters in properties.db2.jcc; it is very important to set the parameter sslConnection="true".


    For example:

    <dataSource beginTranForResultSetScrollingAPIs="false"
       beginTranForVendorAPIs="false" connectionSharing="MatchCurrentState"
       isolationLevel="TRANSACTION_READ_COMMITTED"
       jndiName="jdbc/#######" queryTimeout="10"
       statementCacheSize="10" syncQueryTimeoutWithTransactionTimeout="false"
       transactional="false">
       <jdbcDriver
          javax.sql.ConnectionPoolDataSource="com.ibm.db2.jcc.DB2ConnectionPoolDataSource"
          libraryRef="DB2Lib" />
       <!-- sslConnection="true" makes the JCC driver open a TLS socket to the DB2 port -->
       <properties.db2.jcc currentLockTimeout="10"
          currentSchema="####" cursorSensitivity="0" databaseName="####"
          deferPrepares="true" driverType="4" loginTimeout="0"
          password="####" portNumber="###" resultSetHoldability="1"
          retrieveMessagesFromServerOnGetMessage="true"
          serverName="####.ibmcloud.com" traceLevel="-1"
          user="####" sslConnection="true" />
       <connectionManager agedTimeout="7200"
          connectionTimeout="180" maxIdleTime="1800" maxPoolSize="10"
          minPoolSize="1" purgePolicy="EntirePool" reapTime="180" />
    </dataSource>

    and configure the server.xml keystore parameters. For example:

    <sslDefault sslRef="defaultSSLSettings" />
    <!-- the same JKS file serves as key store (client cert + key) and trust store (CA cert) -->
    <ssl clientAuthenticationSupported="false" id="defaultSSLSettings"
       keyStoreRef="defaultKeyStore" pollingRate="5s" updateTrigger="polled"
       trustStoreRef="defaultKeyStore" />
    <keyStore id="defaultKeyStore" password="#####" fileBased="true"
       updateTrigger="mbean" readOnly="true" type="JKS" location="/location/keystore.jks" />

    After that, create in your server root folder a file named "jvm.options" with the following JDK parameters.

    # one JVM option per line, no spaces around '='
    -Djavax.net.ssl.keyStore=/location/keystore.jks
    -Djavax.net.ssl.keyStorePassword=#######
    -Djavax.net.ssl.trustStore=/location/keystore.jks
    -Djavax.net.ssl.trustStoreType=jks
    -Djavax.net.ssl.trustStorePassword=#######


    This worked for me and I hope it helps you.

    System Information

    OS: RHEL 7.4

    IDE: Eclipse Oxygen

    AS: Liberty Profile

    JDBC: IBM Data Server Driver for JDBC and SQLJ 4.24.92

    References

    http://fm4dd.com/database/howto-encrypt-IBMdb2-jdbc.htm

    https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/rwlp_ssl.html
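The thread converges on three things that must agree before the DB2 connection works over TLS: the ssl feature plus an <ssl>/<keyStore> pair in server.xml, sslConnection="true" on properties.db2.jcc, and a jvm.options file with one well-formed option per line. The following script is an added example, not code from the thread or from IBM: it lints a Liberty server.xml and jvm.options for exactly those points and classifies the two -4499 messages quoted in posts 5 and 7. The element and attribute names are the ones used in the posts; the sample configuration and the error-classification rules (handshake_failure versus "insufficient data") are my own constructions and reading of the thread, not documented IBM behaviour.

```python
"""Added example (not IBM code): lint the Liberty settings this thread converges on
and classify the two DB2 JCC -4499 messages quoted above."""
import re
import xml.etree.ElementTree as ET

# Constructed sample modelled on the server.xml fragments posted in this thread.
SAMPLE_SERVER_XML = """<server>
  <featureManager>
    <feature>ssl-1.0</feature>
    <feature>jdbc-4.1</feature>
  </featureManager>
  <sslDefault sslRef="defaultSSLSettings"/>
  <ssl id="defaultSSLSettings" keyStoreRef="defaultKeyStore" trustStoreRef="defaultKeyStore"/>
  <keyStore id="defaultKeyStore" password="secret" type="JKS" location="/location/keystore.jks"/>
  <dataSource jndiName="jdbc/sample">
    <jdbcDriver libraryRef="DB2Lib"/>
    <properties.db2.jcc serverName="db.example.com" portNumber="50001"
        databaseName="SAMPLE" user="app" password="secret" sslConnection="true"/>
  </dataSource>
</server>"""

# Constructed jvm.options; line 1 reproduces the "key = value" spacing seen in the thread.
SAMPLE_JVM_OPTIONS = """-Djavax.net.ssl.keyStore = /location/keystore.jks
-Djavax.net.ssl.trustStore=/location/keystore.jks
"""


def lint_server_xml(xml_text):
    """Return a list of findings (empty when the TLS plumbing is consistent)."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # e.g. 'dataSource>' / 'keyStore>' written instead of a real closing tag
        return ["server.xml is not well-formed XML: %s" % exc]

    features = {f.text.strip() for f in root.iter("feature") if f.text}
    if not any(f.startswith(("ssl-", "transportSecurity-")) for f in features):
        findings.append("no ssl-*/transportSecurity-* feature: <ssl>/<keyStore> are ignored")

    keystores = {k.get("id"): k for k in root.iter("keyStore")}
    ssl_cfgs = {s.get("id"): s for s in root.iter("ssl")}
    default = root.find("sslDefault")
    if default is not None and default.get("sslRef") not in ssl_cfgs:
        findings.append("sslDefault sslRef=%r matches no <ssl id>" % default.get("sslRef"))
    for sid, cfg in ssl_cfgs.items():
        for attr in ("keyStoreRef", "trustStoreRef"):
            ref = cfg.get(attr)
            if ref is not None and ref not in keystores:
                findings.append("ssl %s: %s=%r matches no <keyStore id>" % (sid, attr, ref))
    for kid, ks in keystores.items():
        loc = (ks.get("location") or "").lower()
        ktype = (ks.get("type") or "").upper()
        if not loc:
            findings.append("keyStore %s: no location" % kid)
        elif ktype == "JKS" and not loc.endswith(".jks"):
            findings.append("keyStore %s: type JKS but location %s (PEM files must be "
                            "converted with openssl pkcs12 + keytool first)" % (kid, loc))
        elif ktype == "PKCS12" and not loc.endswith((".p12", ".pfx")):
            findings.append("keyStore %s: type PKCS12 but location %s" % (kid, loc))

    for ds in root.iter("dataSource"):
        props = ds.find("properties.db2.jcc")
        if props is None:
            continue
        if (props.get("sslConnection") or "").lower() != "true":
            findings.append("dataSource %s: properties.db2.jcc lacks sslConnection=\"true\"; "
                            "the driver will send cleartext to a TLS port (ERRORCODE=-4499)"
                            % ds.get("jndiName"))
    return findings


def lint_jvm_options(text):
    """jvm.options is one JVM argument per line; whitespace becomes part of the argument."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if re.search(r"\s=|=\s", line):
            findings.append("line %d: whitespace around '=' breaks the -D option" % n)
        if "javax.net.ssl." in line and "Password" in line:
            findings.append("line %d: keystore password stored in cleartext in jvm.options" % n)
    return findings


def classify_jcc_4499(message):
    """Heuristic (my reading of the thread) for the two -4499 variants quoted above."""
    if "handshake_failure" in message:
        return "tls-negotiated-but-rejected"   # TLS started; peer refused client cert or cipher
    if "insufficient data" in message:
        return "no-tls-or-wrong-port"          # peer closed the socket before any TLS data
    return "unknown"
```

Run it against the real server.xml and jvm.options of the server in question: an empty list from lint_server_xml plus "no-tls-or-wrong-port" for the first error quoted in the thread points at the driver side (sslConnection), while "tls-negotiated-but-rejected" points at the certificate material in the keystore rather than at the port.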