DB2 SSL setup
This page explains how to set up SSL/TLS connections between database clients, database servers, and Gallium Data.
Because Gallium Data sits between the database client(s) and the DB2 database, it acts as a gateway to your DB2 database, and SSL/TLS can be turned on or off independently on either side of it: between the clients and Gallium Data, and between Gallium Data and DB2.
In the following, we'll assume that you will store your keys and certificates in Gallium Data. If you prefer not to do that, see the key loaders documentation on how to retrieve keys from outside of Gallium Data at runtime.
Server side
Setting up SSL on DB2 is explained in the IBM documentation.
Once your DB2 server is using SSL, you can configure your Gallium Data connection to use SSL with the following options:
Use SSL to server
If this option is selected, then Gallium Data will use SSL when connecting to DB2. If DB2 does not support SSL, the connection will typically hang or fail.
Trust server certificate
When Gallium Data opens a new SSL connection to DB2, it receives an SSL certificate from DB2.
If this option is selected, Gallium Data will accept this certificate at face value. This is useful when DB2 is using a self-signed certificate, for instance.
If this option is not selected, then Gallium Data will verify that DB2's certificate is valid. In that case:
- If DB2's certificate is signed by a major CA (certificate authority), the verification should succeed.
- If DB2's certificate is self-signed (or issued by a private CA), you will need to add DB2's certificate, or a certificate above it in its chain, to the project's Crypto section, under Trust.
SSL authentication with server
DB2 can be configured to require SSL authentication from clients. If that option is in place in DB2, then when Gallium Data opens a connection to DB2, DB2 will request a valid certificate from Gallium Data.
In that case, you will need to add a private key and its corresponding certificate to the project's Crypto section, under Keys. This certificate will have to be issued by a CA that is trusted by DB2.
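The three options above map directly onto standard TLS client settings. The following is an added example, not code from the Gallium Data product or documentation, written with only Python's standard-library ssl module; the function and parameter names are this example's own and are not Gallium Data settings or APIs. The same settings apply in mirror image when a database client connects to Gallium Data with SSL (the client-side section below).

```python
"""
Added example (not part of the Gallium Data documentation or product code).

Shows what "Use SSL to server", "Trust server certificate" and "SSL
authentication with server" mean in TLS terms, using only Python's ssl module.
Function and parameter names are this example's own assumptions.
"""
import ssl
from typing import Optional


def build_db2_client_context(
    use_ssl_to_server: bool,
    trust_server_certificate: bool,
    extra_trust_pem: Optional[str] = None,
    client_cert_pem: Optional[str] = None,
    client_key_pem: Optional[str] = None,
) -> Optional[ssl.SSLContext]:
    """Return the SSLContext a TLS client would use toward DB2, or None for plaintext.

    use_ssl_to_server        -> "Use SSL to server"
    trust_server_certificate -> "Trust server certificate"
    extra_trust_pem          -> a certificate added under Crypto > Trust
                                (DB2's self-signed cert or its issuing CA)
    client_cert_pem/key_pem  -> key and certificate under Crypto > Keys, for
                                "SSL authentication with server" (mutual TLS)
    """
    if not use_ssl_to_server:
        return None  # plain TCP: nothing on the wire is protected

    # PROTOCOL_TLS_CLIENT verifies the server certificate and host name by
    # default; verification is relaxed only when explicitly asked for.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2

    if trust_server_certificate:
        # Accept whatever certificate DB2 presents: the link is encrypted,
        # but nothing proves the peer is the real DB2 host, so an on-path
        # attacker could present a certificate of their own.
        ctx.check_hostname = False  # must be cleared before CERT_NONE
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.check_hostname = True
        ctx.verify_mode = ssl.CERT_REQUIRED
        # The OS trust store covers "signed by a major CA".
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
        if extra_trust_pem:
            # Covers the self-signed / private-CA case (Crypto > Trust).
            ctx.load_verify_locations(cafile=extra_trust_pem)

    if client_cert_pem:
        # DB2 configured to require client certificates: present ours.
        ctx.load_cert_chain(certfile=client_cert_pem, keyfile=client_key_pem)

    return ctx


def describe(ctx: Optional[ssl.SSLContext]) -> str:
    """Human-readable summary of what a context actually guarantees."""
    if ctx is None:
        return "plaintext"
    if ctx.verify_mode == ssl.CERT_NONE:
        return "encrypted, server identity NOT verified"
    return "encrypted, server identity verified"


if __name__ == "__main__":
    for flags in [(False, False), (True, True), (True, False)]:
        print(flags, "->", describe(build_db2_client_context(*flags)))
```

Note the ordering inside the "trust" branch: Python refuses to set `CERT_NONE` while `check_hostname` is still on, which is a useful reminder that skipping certificate verification also discards host-name checking.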
Client side
If your database clients need to connect to Gallium Data with SSL (regardless of what happens on the server side), you will need an SSL certificate in Gallium Data. You have the following options:
use the self-signed certificate that comes pre-installed in Gallium Data
create a new self-signed certificate and install it in Gallium Data
create a new CA-signed certificate and install it in Gallium Data
extract the certificate from your DB2 database and install it in Gallium Data
- Using the self-signed certificate that comes with Gallium Data
This option requires the least amount of work, since Gallium Data comes pre-configured with a self-signed certificate.
However, this option is also the least secure, because everyone who uses Gallium Data has access to the same certificate and its private key, so any copy of Gallium Data could impersonate your instance. This is usually fine for experimentation, but definitely not for real-world applications.
Database clients that connect to Gallium Data using SSL will have to accept that self-signed certificate. This can be done either by instructing the clients to not verify the server's certificate, or (more commonly) by providing Gallium Data's certificate to the clients as a trusted certificate.
Advantages: easiest solution (nothing to do in Gallium Data)
Disadvantages: insecure, clients must trust certificate
- Creating a self-signed certificate for Gallium Data
If you're OK with a self-signed certificate, but you want your own certificate so that your private key is not shared with every other Gallium Data installation, you can create a new self-signed certificate and install it in Gallium Data.
Database clients connecting to Gallium Data will have to accept this new certificate, which can be done either by telling the clients to not verify the server certificate, or by providing the new certificate to the clients as one they should trust.
Advantages: fairly easy, less insecure than previous option
Disadvantages: clients must trust new certificate
- Create a new CA-signed certificate for Gallium Data
For a more secure solution, you may consider creating a new CA-signed certificate and installing it in Gallium Data. Because it's signed by a trusted CA, the database clients should accept that certificate automatically. This is often the preferred solution for production.
Advantages: secure, clients will trust this new certificate
Disadvantages: requires work to create the certificate
- Use DB2's certificate in Gallium Data
If you're comfortable using the same certificate in Gallium Data and in DB2, you can get the private key and certificate from your DB2 instance and install it in Gallium Data.
Advantages: secure, clients will trust this certificate
Disadvantages: using the same certificate on two different servers may be frowned upon, since a compromise of either server's private key exposes both; the certificate's host names must also match the name clients use to reach Gallium Data, or clients that verify host names will reject it
Setting up the database client(s) to use SSL is explained in the various DB2 drivers' documentation (e.g. Java, Python, Node.js).
Once the key and certificate are installed, you can turn on the "Use SSL to clients" option in your Gallium Data connection(s).