SlideShare a Scribd company logo

2022-Db2-Securing_Your_data_in_motion.pdf

R
Roland Schock

Learn how to setup encrypted access to an IBM Db2 database running under Linux, Unix and Windows. Also details are given how to configure the client side.

Data & Analytics
1 of 32
Download to read offline
Boston, MA Securing your data in motion with TLS Roland Schock Session Code: G10
Agenda • Where to encrypt? What is SSL/TLS? • Learn about IBM GSKit, certificates and self-signed certificates and configure the server side of TLS encryption • Configure the client side of TLS encryption for CLI, ODBC and JDBC • Troubleshooting and verify your configuration, select the right ciphers for encryption • Current issues, open RFEs aka AHA ideas
Moments of Encryption • Encryption during Authentication • Transmission of encrypted login credentials • Encryption in use • Encryption of single columns (by application code) • Encryption in motion • Data transmission over the wire is encrypted • Encryption at rest • Encryption of database and transaction log files on disk, tapes, etc.
Default Configuration • Db2's default configuration is still based on assumptions of Db2 for OS/2. At that time simple configuration was preferred over security. • By default just simple authentication with plain text passwords over the wire • db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER • At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of encrypted passwords over the wire during Connect • Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were not prepared for modern encryption • Data is still transferred unencrypted • Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated) • ➔ Much better: Switch to SSL or TLS session encryption
AUTHENTICATION = SERVER_ENCRYPT • Db2 engine takes care of encryption • Beside db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT other params have to be set to close other issues: db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC, TRUSTEDCLIENT_SRVRENC • DISABLE_CHGPASS disables password change during connect • OSAUTHDB points to local OS for user and group enumeration • JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4) • If you still have (very) old clients, set this option temporarily and monitor db2diag.log • db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
Encryption with SSL • SSL is the synonym for encrypted communication via Secure Sockets Layer • SSL 1.0 was never published as standard • SSL 2.0 published February 1995; used until ~2011, deprecated due to security flaws • SSL v3, last version, deprecated, unsafe (e.g. POODLE attack). • TLS stands for Transport Layer Security and is successor of SSL • TLS 1.0 is successor of SSL v3 • TLS 1.1 published April 2006 and also has flaws • TLS 1.2 came in 2008 and was more widely used since the flaws of TLS 1.1 came up • TLS 1.3 is current since August 2018
IBM Global Security Kit (1|2) • Which SSL/TLS version is supported by Db2? • Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit aka GSKit for it • GSKit is the OS extension for encrypted socket communication https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit- installation-gskit • GSKit gets automatically installed with server install. It's a separate install for Db2 client code • GSKit has the Highlander principle: There can only be one! • It gets especially interesting, if multiple IBM server products ship GSKit and try to install/use their own: • E.g. IBM Db2, TSM and MQ on a single machine
IBM Global Security Kit (2|2) • GSKit V8 - Instructions to find current installed version details: https://www.ibm.com/support/pages/gskit-v8-instructions-find- current-installed-version-details • GSKit Versions Shipped with Db2: https://www.ibm.com/support/pages/gskit-versions-shipped-db2 • The current GSKit does not support TLS 1.3 yet and hence Db2 can only use up to TLS 1.2 for now • Breaking news: IBM is going to support TLS 1.3 for client/server, HADR, KMIP soon!
Configuration steps for TLS encryption • Create a keyring for the server • Create a certificate for the server (self-signed or CA-signed) • Import the certificate in the keyring of the server
Db2 server side: Create a keyring • User db2inst1: mkdir -p /home/db2inst1/SSL cd /home/db2inst1/SSL • echo "Create a keyring:" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash • Beware: There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it seems in some versions the 32-bit path is incorrect and returns "error while loading shared directories" • Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
Db2 server side: Create CA-signed certs • echo "Create certification request to send to Root CA" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm" • echo "Send MyCertRequest.arm to CA to get it signed" • echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt -db "Db2_keydb.kdb" -stashed -format ascii • echo "CA returns: MyServerCert.crt" • echo "Import of MyServerCert.crt in your keyring" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
Db2 server side: Create a self-signed certificate • echo "Not required by CA-signed certificate! This is an alternative!" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA • echo "Export of public signature for trust_db of clients" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" -format ascii -fips • Remark for self-signed certificates: • They are as secure as CA-signed certs, but require more work. More servers have to be trusted at clients and updated over time due to expiration. • Transfer of the public server signature to the client has to be secure to prevent man-in-the-middle attacks.
How to verify keyring and certificate? (1|2) • echo "Verify a certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed • Certificate found: * Standard, - personal, ! reliable, # secret key ! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" ! "CN=ARS Root CA 01,DC=ARS,DC=de" - myserver_db2_4096 • echo "Verify key database" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
How to verify keyring and certificate? (2|2) • echo "Verify a new certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed • Label : myserver_db2_4096 Key length : 4096 Version : X509 V3 Serial : 740000007415c7837855d62d17000000000074 Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE Not valid before : 17. April 2020 11:50:22 MESZ Not valid after : 20. July 2022 11:50:22 MESZ
Configuration Server • echo "Instance configuration" db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096 db2 update dbm cfg using SSL_VERSIONS TLSV12 • echo "Insert SSL port in /etc/services file" vi /etc/services REM start notepad c:windowssystem32driversetcservices REM Append a line like: db2c_tlsinst1 50443 • echo "Set SSL_SVCENAME to port name and set DB2COMM" db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1 db2set DB2COMM=SSL,TCPIP • echo "Check if max_connections <= max_coordagents ➔ Connection Concentrator=OFF" • echo "Restart Instance to bring changes into effect" db2stop && sleep 5 && db2start
Expired Server certificate • Entry in db2diag.log when the CA signed server certificate expires 2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error PID : 6292094 TID : 292736 PROC : db2sysc 0 INSTANCE: db2inst1 NODE : 000 DB : HOSTNAME: myhost EDUID : 292736 EDUNAME: db2agent () 0 FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30 MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the return code "401" in "sqlccSSLSocketSetup". • On client side SQL30081N A communication error has been detected. Communication protocol being used: "SSL". Communication API being used: "SOCKETS". Location where the error was detected: "". Communication function detecting the error: "sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*". SQLSTATE=08001 • Create a new CertRequest, get it signed from your CA and import it with a different label into the server keyring db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE • DBM Config SSL_SVR_LABEL is online updateable since V11.5.2 Check with db2pd -dbmcfg for current value in memory
HADR and SSL • SSL for HADR has to be configured on the database side • Create keyrings and truststores on both sides, include Client side configuration on the other server and vice versa • In database configuration use label accordingly HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
Configuration of CLI Client (1|2) • echo "Install GSKit on client machine (Fix central: Tivoli Global Security)" Install the binaries according to Db2 Knowledge Center https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions • echo "Create a client keyring" mkdir -p ~/SSL && cd ~/SSL /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "client_trust.kdb" -pw "MyPass" -stash • echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips • echo "Not required for CA-signed certificates: Import your self-signed certificate" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kbd" -stashed -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm -format ascii -fips
Configuration of CLI Client (2|2) • Update client instance configuration : db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth For Windows Clients, if Root-CA signature is available in Windows Trust Store: db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE db2 update dbm cfg using SSL_CLNT_STASH NULL Set PATH and LIB to the according directories for 32-bit and 64-bit binaries: set PATH=C:PROGRA~1IBMGSKITBIN; C:PROGRA~2IBMGSKITBIN;%PATH% set LIB=C:PROGRA~1IBMGSKITLIB64;C:PROGRA~2IBMGSKITLIB;%LIB% • Catalog your node db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL db2 catalog db SAMPLE at node INST1SSL
JDBC connections • JDBC is simple to configure! Server side configured as above • Trust Store get's created with Java JDK keytool instead of GSKit : (In this example with a self-signed certificate) keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file myserver_db2_public_key.arm -noprompt keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file • JDBC connection string looks like: jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslT rustStorePassword=cacerts;sslTrustStoreType=JKS; • Remark: Some applications might use their own JDK and maybe they have a separate trust store then Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
IBM Data Server Driver for ODBC and CLI • Small footprint drivers for Db2; just unpack ZIP archive and set paths e.g. for Linux export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH • Database can get catalogued via db2cli.ini or db2dsdriver.cfg Either use sample templates or db2cli commands: • Examples: db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter "SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb" db2cli validate db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya' • Trust store must be in CMS format. • Root CAs can be included automatically to keyring, if sent as Trust store .arm file on first connect
Configuration for WAS Liberty profile •
Check usage of secure connections • Which application is now using a TLS connection? SELECT substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID, substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME, substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST, CLIENT_PROTOCOL AS PROTOCOL, CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME, SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID, SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID, COUNT(*) AS COUNT FROM TABLE ( mon_get_connection( NULL, -2 )) GROUP BY CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME, CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID, SESSION_AUTH_ID ORDER BY 1,2,3,4,5,6
Ciphers and encryption methods • https://scotthelme.co.uk/https-cheat-sheet/
Ciphers and Db2 (1|2) • During SSL handshake client and server negotiate the most secure encryption method. If no compatible method was found, connection fails. The order of so called Cipher Suites cannot be changed. • If SSL_VERSIONS was set to TLSv12, following SSL_CIPHERSPECS are usable: ▪ TLS_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ▪ TLS_RSA_WITH_AES_256_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ▪ TLS_RSA_WITH_AES_128_CBC_SHA
Ciphers and Db2 (2|2) • Configure ciphers in Db2 (length max 255 chars): db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 • Whatever Cipher is finally used cannot be retrieved (GSKit doesn't feed this back to Db2)
Support us! (1|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984 • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
Support us! (2|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
Technotes • Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS: internal test failed, interface disabled" https://www.ibm.com/support/pages/node/6356455 Problem: The internal self-test in GSKit fails when it can't get sufficient entropy via hardware or software RNG (Random Number Generation). This can cause the Db2 instance to stop functioning correctly, and will require a restart of the instance.
Further links • Step-by-Step Instructions to Configure a Secure Database System, Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121 • Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3, https://www.ibm.com/support/pages/apar/IC85574 • SSL/TLS: How to choose your cipher suite https://technology.amis.nl/2017/07/04/ssltls-choose-cipher- suite/
SSL and Db2 on (IBM) Cloud • Supporting links to use Db2 on Cloud with SSL/TLS Short compact configuration guide for Db2 on Cloud: https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support How to connect to Db2 on Cloud, connect options https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options SSL as requirement for IAM-based authentication https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly suggested to protect the token with TLS https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.s ec.doc/doc/c_token_auth.html
Thank You Speaker: Roland Schock Email Address: roland.schock@arcor.de Session Code: G10 Please fill out your session evaluation before leaving!

Recommended

Presentation capacity management for oracle exadata database machine v2
Presentation capacity management for oracle exadata database machine v2Presentation capacity management for oracle exadata database machine v2
Presentation capacity management for oracle exadata database machine v2
xKinAnx
 
Tanel Poder - Performance stories from Exadata Migrations
Tanel Poder - Performance stories from Exadata MigrationsTanel Poder - Performance stories from Exadata Migrations
Tanel Poder - Performance stories from Exadata Migrations
Tanel Poder
 
Transaction Management on Cassandra
Transaction Management on CassandraTransaction Management on Cassandra
Transaction Management on Cassandra
Scalar, Inc.
 
IBM Storwize V7000 — unikátní virtualizační diskové pole
IBM Storwize V7000 — unikátní virtualizační diskové poleIBM Storwize V7000 — unikátní virtualizační diskové pole
IBM Storwize V7000 — unikátní virtualizační diskové pole
Jaroslav Prodelal
 
A Deep Dive into ASM Redundancy in Exadata
A Deep Dive into ASM Redundancy in ExadataA Deep Dive into ASM Redundancy in Exadata
A Deep Dive into ASM Redundancy in Exadata
Emre Baransel
 
Elasticsearch Monitoring in Openshift
Elasticsearch Monitoring in OpenshiftElasticsearch Monitoring in Openshift
Elasticsearch Monitoring in Openshift
Lukas Vlcek
 
[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법
[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법
[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법
Ji-Woong Choi
 
Maximum Availability Architecture - Best Practices for Oracle Database 19c
Maximum Availability Architecture - Best Practices for Oracle Database 19cMaximum Availability Architecture - Best Practices for Oracle Database 19c
Maximum Availability Architecture - Best Practices for Oracle Database 19c
Glen Hawkins
 

Recommended

Presentation capacity management for oracle exadata database machine v2
Presentation capacity management for oracle exadata database machine v2Presentation capacity management for oracle exadata database machine v2
Presentation capacity management for oracle exadata database machine v2
xKinAnx
 
Tanel Poder - Performance stories from Exadata Migrations
Tanel Poder - Performance stories from Exadata MigrationsTanel Poder - Performance stories from Exadata Migrations
Tanel Poder - Performance stories from Exadata Migrations
Tanel Poder
 
Transaction Management on Cassandra
Transaction Management on CassandraTransaction Management on Cassandra
Transaction Management on Cassandra
Scalar, Inc.
 
IBM Storwize V7000 — unikátní virtualizační diskové pole
IBM Storwize V7000 — unikátní virtualizační diskové poleIBM Storwize V7000 — unikátní virtualizační diskové pole
IBM Storwize V7000 — unikátní virtualizační diskové pole
Jaroslav Prodelal
 
A Deep Dive into ASM Redundancy in Exadata
A Deep Dive into ASM Redundancy in ExadataA Deep Dive into ASM Redundancy in Exadata
A Deep Dive into ASM Redundancy in Exadata
Emre Baransel
 
Elasticsearch Monitoring in Openshift
Elasticsearch Monitoring in OpenshiftElasticsearch Monitoring in Openshift
Elasticsearch Monitoring in Openshift
Lukas Vlcek
 
[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법
[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법
[오픈소스컨설팅]Day #1 MySQL 엔진소개, 튜닝, 백업 및 복구, 업그레이드방법
Ji-Woong Choi
 
Maximum Availability Architecture - Best Practices for Oracle Database 19c
Maximum Availability Architecture - Best Practices for Oracle Database 19cMaximum Availability Architecture - Best Practices for Oracle Database 19c
Maximum Availability Architecture - Best Practices for Oracle Database 19c
Glen Hawkins
 
Scalar DL Technical Overview
Scalar DL Technical OverviewScalar DL Technical Overview
Scalar DL Technical Overview
Scalar, Inc.
 
DataStax: Extreme Cassandra Optimization: The Sequel
DataStax: Extreme Cassandra Optimization: The SequelDataStax: Extreme Cassandra Optimization: The Sequel
DataStax: Extreme Cassandra Optimization: The Sequel
DataStax Academy
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instance
Amit Bhalla
 
UKOUG, Oracle Transaction Locks
UKOUG, Oracle Transaction LocksUKOUG, Oracle Transaction Locks
UKOUG, Oracle Transaction Locks
Kyle Hailey
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
Jugal Shah
 
Deep Dive on Amazon Aurora
Deep Dive on Amazon AuroraDeep Dive on Amazon Aurora
Deep Dive on Amazon Aurora
Amazon Web Services
 
Deploying PostgreSQL on Kubernetes
Deploying PostgreSQL on KubernetesDeploying PostgreSQL on Kubernetes
Deploying PostgreSQL on Kubernetes
Jimmy Angelakos
 
pstack, truss etc to understand deeper issues in Oracle database
pstack, truss etc to understand deeper issues in Oracle databasepstack, truss etc to understand deeper issues in Oracle database
pstack, truss etc to understand deeper issues in Oracle database
Riyaj Shamsudeen
 
Getting Started with MicroPython and LoPy
Getting Started with MicroPython and LoPyGetting Started with MicroPython and LoPy
Getting Started with MicroPython and LoPy
Christian Fässler
 
Why oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cWhy oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19c
Satishbabu Gunukula
 
PostgreSQL replication
PostgreSQL replicationPostgreSQL replication
PostgreSQL replication
NTT DATA OSS Professional Services
 
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Markus Michalewicz
 
Postgresql database administration volume 1
Postgresql database administration volume 1Postgresql database administration volume 1
Postgresql database administration volume 1
Federico Campoli
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security Presentation
Francisco Alvarez
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on Exadata
Anil Nair
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
Nabeel Yoosuf
 
Mastering PostgreSQL Administration
Mastering PostgreSQL AdministrationMastering PostgreSQL Administration
Mastering PostgreSQL Administration
EDB
 
Presentation database security audit vault & database firewall
Presentation database security audit vault & database firewallPresentation database security audit vault & database firewall
Presentation database security audit vault & database firewall
xKinAnx
 
Oracle Data Guard
Oracle Data GuardOracle Data Guard
Oracle Data Guard
Martin Meyer
 
Exadata Performance Optimization
Exadata Performance OptimizationExadata Performance Optimization
Exadata Performance Optimization
Enkitec
 
IBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptxIBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptx
RaulRamirez547593
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 

More Related Content

What's hot

UKOUG, Oracle Transaction Locks
UKOUG, Oracle Transaction LocksUKOUG, Oracle Transaction Locks
UKOUG, Oracle Transaction Locks
Kyle Hailey
 
Exadata Performance Optimization
Exadata Performance OptimizationExadata Performance Optimization
Exadata Performance Optimization
Enkitec
 

What's hot (20)

Scalar DL Technical Overview
Scalar DL Technical OverviewScalar DL Technical Overview
Scalar DL Technical Overview
 
DataStax: Extreme Cassandra Optimization: The Sequel
DataStax: Extreme Cassandra Optimization: The SequelDataStax: Extreme Cassandra Optimization: The Sequel
DataStax: Extreme Cassandra Optimization: The Sequel
 
Less05 asm instance
Less05 asm instanceLess05 asm instance
Less05 asm instance
 
UKOUG, Oracle Transaction Locks
UKOUG, Oracle Transaction LocksUKOUG, Oracle Transaction Locks
UKOUG, Oracle Transaction Locks
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
 
Deep Dive on Amazon Aurora
Deep Dive on Amazon AuroraDeep Dive on Amazon Aurora
Deep Dive on Amazon Aurora
 
Deploying PostgreSQL on Kubernetes
Deploying PostgreSQL on KubernetesDeploying PostgreSQL on Kubernetes
Deploying PostgreSQL on Kubernetes
 
pstack, truss etc to understand deeper issues in Oracle database
pstack, truss etc to understand deeper issues in Oracle databasepstack, truss etc to understand deeper issues in Oracle database
pstack, truss etc to understand deeper issues in Oracle database
 
Getting Started with MicroPython and LoPy
Getting Started with MicroPython and LoPyGetting Started with MicroPython and LoPy
Getting Started with MicroPython and LoPy
 
Why oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19cWhy oracle data guard new features in oracle 18c, 19c
Why oracle data guard new features in oracle 18c, 19c
 
PostgreSQL replication
PostgreSQL replicationPostgreSQL replication
PostgreSQL replication
 
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
Oracle RAC 12c Practical Performance Management and Tuning OOW13 [CON8825]
 
Postgresql database administration volume 1
Postgresql database administration volume 1Postgresql database administration volume 1
Postgresql database administration volume 1
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security Presentation
 
Oracle RAC features on Exadata
Oracle RAC features on ExadataOracle RAC features on Exadata
Oracle RAC features on Exadata
 
Oracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12cOracle Transparent Data Encryption (TDE) 12c
Oracle Transparent Data Encryption (TDE) 12c
 
Mastering PostgreSQL Administration
Mastering PostgreSQL AdministrationMastering PostgreSQL Administration
Mastering PostgreSQL Administration
 
Presentation database security audit vault & database firewall
Presentation database security audit vault & database firewallPresentation database security audit vault & database firewall
Presentation database security audit vault & database firewall
 
Oracle Data Guard
Oracle Data GuardOracle Data Guard
Oracle Data Guard
 
Exadata Performance Optimization
Exadata Performance OptimizationExadata Performance Optimization
Exadata Performance Optimization
 

Similar to 2022-Db2-Securing_Your_data_in_motion.pdf

Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
Chris Geier
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
J.D. Wade
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
Faisal Akber
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
J.D. Wade
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE
 

Similar to 2022-Db2-Securing_Your_data_in_motion.pdf (20)

IBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptxIBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptx
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
 
Plam16 jan
Plam16 janPlam16 jan
Plam16 jan
 
From Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security EnhancementsFrom Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security Enhancements
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 

Recently uploaded

Exploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptxExploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptx
DilipVasan
 
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Valters Lauzums
 
一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理
cyebo
 
一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理
一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理
一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理
pyhepag
 
一比一原版西悉尼大学毕业证成绩单如何办理
一比一原版西悉尼大学毕业证成绩单如何办理一比一原版西悉尼大学毕业证成绩单如何办理
一比一原版西悉尼大学毕业证成绩单如何办理
pyhepag
 
一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理
cyebo
 

Recently uploaded (20)

Easy and simple project file on mp online
Easy and simple project file on mp onlineEasy and simple project file on mp online
Easy and simple project file on mp online
 
Generative AI for Trailblazers_ Unlock the Future of AI.pdf
Generative AI for Trailblazers_ Unlock the Future of AI.pdfGenerative AI for Trailblazers_ Unlock the Future of AI.pdf
Generative AI for Trailblazers_ Unlock the Future of AI.pdf
 
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
Data Visualization Exploring and Explaining with Data 1st Edition by Camm sol...
 
Webinar One View, Multiple Systems No-Code Integration of Salesforce and ERPs
Webinar One View, Multiple Systems No-Code Integration of Salesforce and ERPsWebinar One View, Multiple Systems No-Code Integration of Salesforce and ERPs
Webinar One View, Multiple Systems No-Code Integration of Salesforce and ERPs
 
2024 Q1 Tableau User Group Leader Quarterly Call
2024 Q1 Tableau User Group Leader Quarterly Call2024 Q1 Tableau User Group Leader Quarterly Call
2024 Q1 Tableau User Group Leader Quarterly Call
 
社内勉強会資料  Mamba - A new era or ephemeral
社内勉強会資料  Mamba - A new era or ephemeral社内勉強会資料  Mamba - A new era or ephemeral
社内勉強会資料  Mamba - A new era or ephemeral
 
Exploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptxExploratory Data Analysis - Dilip S.pptx
Exploratory Data Analysis - Dilip S.pptx
 
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
Data Analytics for Digital Marketing Lecture for Advanced Digital & Social Me...
 
一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理一比一原版麦考瑞大学毕业证成绩单如何办理
一比一原版麦考瑞大学毕业证成绩单如何办理
 
一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理
一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理
一比一原版加利福尼亚大学尔湾分校毕业证成绩单如何办理
 
AI Imagen for data-storytelling Infographics.pdf
AI Imagen for data-storytelling Infographics.pdfAI Imagen for data-storytelling Infographics.pdf
AI Imagen for data-storytelling Infographics.pdf
 
Machine Learning for Accident Severity Prediction
Machine Learning for Accident Severity PredictionMachine Learning for Accident Severity Prediction
Machine Learning for Accident Severity Prediction
 
Artificial_General_Intelligence__storm_gen_article.pdf
Artificial_General_Intelligence__storm_gen_article.pdfArtificial_General_Intelligence__storm_gen_article.pdf
Artificial_General_Intelligence__storm_gen_article.pdf
 
How I opened a fake bank account and didn't go to prison
How I opened a fake bank account and didn't go to prisonHow I opened a fake bank account and didn't go to prison
How I opened a fake bank account and didn't go to prison
 
2024 Q2 Orange County (CA) Tableau User Group Meeting
2024 Q2 Orange County (CA) Tableau User Group Meeting2024 Q2 Orange County (CA) Tableau User Group Meeting
2024 Q2 Orange County (CA) Tableau User Group Meeting
 
一比一原版西悉尼大学毕业证成绩单如何办理
一比一原版西悉尼大学毕业证成绩单如何办理一比一原版西悉尼大学毕业证成绩单如何办理
一比一原版西悉尼大学毕业证成绩单如何办理
 
Supply chain analytics to combat the effects of Ukraine-Russia-conflict
Supply chain analytics to combat the effects of Ukraine-Russia-conflictSupply chain analytics to combat the effects of Ukraine-Russia-conflict
Supply chain analytics to combat the effects of Ukraine-Russia-conflict
 
Atlantic Grupa Case Study (Mintec Data AI)
Atlantic Grupa Case Study (Mintec Data AI)Atlantic Grupa Case Study (Mintec Data AI)
Atlantic Grupa Case Study (Mintec Data AI)
 
Pre-ProductionImproveddsfjgndflghtgg.pptx
Pre-ProductionImproveddsfjgndflghtgg.pptxPre-ProductionImproveddsfjgndflghtgg.pptx
Pre-ProductionImproveddsfjgndflghtgg.pptx
 
一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理一比一原版纽卡斯尔大学毕业证成绩单如何办理
一比一原版纽卡斯尔大学毕业证成绩单如何办理
 

2022-Db2-Securing_Your_data_in_motion.pdf

  • 1. Boston, MA Securing your data in motion with TLS Roland Schock Session Code: G10
  • 2. Agenda • Where to encrypt? What is SSL/TLS? • Learn about IBM GSKit, certificates and self-signed certificates and configure the server side of TLS encryption • Configure the client side of TLS encryption for CLI, ODBC and JDBC • Troubleshooting and verify your configuration, select the right ciphers for encryption • Current issues, open RFEs aka AHA ideas
  • 3. Moments of Encryption • Encryption during Authentication • Transmission of encrypted login credentials • Encryption in use • Encryption of single columns (by application code) • Encryption in motion • Data transmission over the wire is encrypted • Encryption at rest • Encryption of database and transaction log files on disk, tapes, etc.
  • 4. Default Configuration • Db2's default configuration is still based on assumptions of Db2 for OS/2. At that time simple configuration was preferred over security. • By default just simple authentication with plain text passwords over the wire • db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER • At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of encrypted passwords over the wire during Connect • Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were not prepared for modern encryption • Data is still transferred unencrypted • Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated) • ➔ Much better: Switch to SSL or TLS session encryption
  • 5. AUTHENTICATION = SERVER_ENCRYPT • Db2 engine takes care of encryption • Beside db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT other params have to be set to close other issues: db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC, TRUSTEDCLIENT_SRVRENC • DISABLE_CHGPASS disables password change during connect • OSAUTHDB points to local OS for user and group enumeration • JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4) • If you still have (very) old clients, set this option temporarily and monitor db2diag.log • db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
  • 6. Encryption with SSL • SSL is the synonym for encrypted communication via Secure Sockets Layer • SSL 1.0 was never published as standard • SSL 2.0 published February 1995; used until ~2011, deprecated due to security flaws • SSL v3, last version, deprecated, unsafe (e.g. POODLE attack). • TLS stands for Transport Layer Security and is successor of SSL • TLS 1.0 is successor of SSL v3 • TLS 1.1 published April 2006 and also has flaws • TLS 1.2 came in 2008 and was more widely used since the flaws of TLS 1.1 came up • TLS 1.3 is current since August 2018
  • 7. IBM Global Security Kit (1|2) • Which SSL/TLS version is supported by Db2? • Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit aka GSKit for it • GSKit is the OS extension for encrypted socket communication https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit- installation-gskit • GSKit gets automatically installed with server install. It's a separate install for Db2 client code • GSKit has the Highlander principle: There can only be one! • It gets especially interesting, if multiple IBM server products ship GSKit and try to install/use their own: • E.g. IBM Db2, TSM and MQ on a single machine
  • 8. IBM Global Security Kit (2|2) • GSKit V8 - Instructions to find current installed version details: https://www.ibm.com/support/pages/gskit-v8-instructions-find- current-installed-version-details • GSKit Versions Shipped with Db2: https://www.ibm.com/support/pages/gskit-versions-shipped-db2 • The current GSKit does not support TLS 1.3 yet and hence Db2 can only use up to TLS 1.2 for now • Breaking news: IBM is going to support TLS 1.3 for client/server, HADR, KMIP soon!
  • 9. Configuration steps for TLS encryption • Create a keyring for the server • Create a certificate for the server (self-signed or CA-signed) • Import the certificate in the keyring of the server
  • 10. Db2 server side: Create a keyring • User db2inst1: mkdir -p /home/db2inst1/SSL cd /home/db2inst1/SSL • echo "Create a keyring:" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash • Beware: There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it seems in some versions the 32-bit path is incorrect and returns "error while loading shared directories" • Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
  • 11. Db2 server side: Create CA-signed certs • echo "Create certification request to send to Root CA" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm" • echo "Send MyCertRequest.arm to CA to get it signed" • echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt -db "Db2_keydb.kdb" -stashed -format ascii • echo "CA returns: MyServerCert.crt" • echo "Import of MyServerCert.crt in your keyring" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
  • 12. Db2 server side: Create a self-signed certificate • echo "Not required by CA-signed certificate! This is an alternative!" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA • echo "Export of public signature for trust_db of clients" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" -format ascii -fips • Remark for self-signed certificates: • They are as secure as CA-signed certs, but require more work. More servers have to be trusted at clients and updated over time due to expiration. • Transfer of the public server signature to the client has to be secure to prevent man-in-the-middle attacks.
  • 13. How to verify keyring and certificate? (1|2) • echo "Verify a certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed • Certificate found: * Standard, - personal, ! reliable, # secret key ! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" ! "CN=ARS Root CA 01,DC=ARS,DC=de" - myserver_db2_4096 • echo "Verify key database" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
  • 14. How to verify keyring and certificate? (2|2) • echo "Verify a new certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed • Label : myserver_db2_4096 Key length : 4096 Version : X509 V3 Serial : 740000007415c7837855d62d17000000000074 Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE Not valid before : 17. April 2020 11:50:22 MESZ Not valid after : 20. July 2022 11:50:22 MESZ
  • 15. Configuration Server • echo "Instance configuration" db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096 db2 update dbm cfg using SSL_VERSIONS TLSV12 • echo "Insert SSL port in /etc/services file" vi /etc/services REM start notepad c:windowssystem32driversetcservices REM Append a line like: db2c_tlsinst1 50443 • echo "Set SSL_SVCENAME to port name and set DB2COMM" db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1 db2set DB2COMM=SSL,TCPIP • echo "Check if max_connections <= max_coordagents ➔ Connection Concentrator=OFF" • echo "Restart Instance to bring changes into effect" db2stop && sleep 5 && db2start
  • 16. Expired Server certificate • Entry in db2diag.log when the CA signed server certificate expires 2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error PID : 6292094 TID : 292736 PROC : db2sysc 0 INSTANCE: db2inst1 NODE : 000 DB : HOSTNAME: myhost EDUID : 292736 EDUNAME: db2agent () 0 FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30 MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the return code "401" in "sqlccSSLSocketSetup". • On client side SQL30081N A communication error has been detected. Communication protocol being used: "SSL". Communication API being used: "SOCKETS". Location where the error was detected: "". Communication function detecting the error: "sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*". SQLSTATE=08001 • Create a new CertRequest, get it signed from your CA and import it with a different label into the server keyring db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE • DBM Config SSL_SVR_LABEL is online updateable since V11.5.2 Check with db2pd -dbmcfg for current value in memory
  • 17. HADR and SSL • SSL for HADR has to be configured on the database side • Create keyrings and truststores on both sides, include Client side configuration on the other server and vice versa • In database configuration use label accordingly HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
  • 18. Configuration of CLI Client (1|2) • echo "Install GSKit on client machine (Fix central: Tivoli Global Security)" Install the binaries according to Db2 Knowledge Center https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions • echo "Create a client keyring" mkdir -p ~/SSL && cd ~/SSL /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "client_trust.kdb" -pw "MyPass" -stash • echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips • echo "Not required for CA-signed certificates: Import your self-signed certificate" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kbd" -stashed -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm -format ascii -fips
  • 19. Configuration of CLI Client (2|2) • Update client instance configuration : db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth For Windows Clients, if Root-CA signature is available in Windows Trust Store: db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE db2 update dbm cfg using SSL_CLNT_STASH NULL Set PATH and LIB to the according directories for 32-bit and 64-bit binaries: set PATH=C:PROGRA~1IBMGSKITBIN; C:PROGRA~2IBMGSKITBIN;%PATH% set LIB=C:PROGRA~1IBMGSKITLIB64;C:PROGRA~2IBMGSKITLIB;%LIB% • Catalog your node db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL db2 catalog db SAMPLE at node INST1SSL
  • 20. JDBC connections • JDBC is simple to configure! Server side configured as above • Trust Store get's created with Java JDK keytool instead of GSKit : (In this example with a self-signed certificate) keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file myserver_db2_public_key.arm -noprompt keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file • JDBC connection string looks like: jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslT rustStorePassword=cacerts;sslTrustStoreType=JKS; • Remark: Some applications might use their own JDK and maybe they have a separate trust store then Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
  • 21. IBM Data Server Driver for ODBC and CLI • Small footprint drivers for Db2; just unpack ZIP archive and set paths e.g. for Linux export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH • Database can get catalogued via db2cli.ini or db2dsdriver.cfg Either use sample templates or db2cli commands: • Examples: db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter "SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb" db2cli validate db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya' • Trust store must be in CMS format. • Root CAs can be included automatically to keyring, if sent as Trust store .arm file on first connect
  • 22. Configuration for WAS Liberty profile •
  • 23. Check usage of secure connections • Which application is now using a TLS connection? SELECT substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID, substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME, substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST, CLIENT_PROTOCOL AS PROTOCOL, CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME, SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID, SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID, COUNT(*) AS COUNT FROM TABLE ( mon_get_connection( NULL, -2 )) GROUP BY CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME, CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID, SESSION_AUTH_ID ORDER BY 1,2,3,4,5,6
  • 24. Ciphers and encryption methods • https://scotthelme.co.uk/https-cheat-sheet/
  • 25. Ciphers and Db2 (1|2) • During SSL handshake client and server negotiate the most secure encryption method. If no compatible method was found, connection fails. The order of so called Cipher Suites cannot be changed. • If SSL_VERSIONS was set to TLSv12, following SSL_CIPHERSPECS are usable: ▪ TLS_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ▪ TLS_RSA_WITH_AES_256_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ▪ TLS_RSA_WITH_AES_128_CBC_SHA
  • 26. Ciphers and Db2 (2|2) • Configure ciphers in Db2 (length max 255 chars): db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 • Whatever Cipher is finally used cannot be retrieved (GSKit doesn't feed this back to Db2)
  • 27. Support us! (1|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984 • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
  • 28. Support us! (2|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
  • 29. Technotes • Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS: internal test failed, interface disabled" https://www.ibm.com/support/pages/node/6356455 Problem: The internal self-test in GSKit fails when it can't get sufficient entropy via hardware or software RNG (Random Number Generation). This can cause the Db2 instance to stop functioning correctly, and will require a restart of the instance.
  • 30. Further links • Step-by-Step Instructions to Configure a Secure Database System, Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121 • Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3, https://www.ibm.com/support/pages/apar/IC85574 • SSL/TLS: How to choose your cipher suite https://technology.amis.nl/2017/07/04/ssltls-choose-cipher- suite/
  • 31. SSL and Db2 on (IBM) Cloud • Supporting links to use Db2 on Cloud with SSL/TLS Short compact configuration guide for Db2 on Cloud: https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support How to connect to Db2 on Cloud, connect options https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options SSL as requirement for IAM-based authentication https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly suggested to protect the token with TLS https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.s ec.doc/doc/c_token_auth.html
  • 32. Thank You Speaker: Roland Schock Email Address: roland.schock@arcor.de Session Code: G10 Please fill out your session evaluation before leaving!