DB2 SSL setup

This page explains how to set up SSL/TLS connections between database clients, database servers, and Gallium Data.

Because Gallium Data stands between the database client(s) and the DB2 database, it can act as a gateway to your DB2 database. You can communicate with or without SSL/TLS on either side:

In the following, we'll assume that you will store your keys and certificates in Gallium Data. If you prefer not to do that, see the key loaders documentation on how to retrieve keys from outside of Gallium Data at runtime.

Server side

Setting up SSL on DB2 is explained in the IBM documentation.

Once your DB2 server is using SSL, you can configure your Gallium Data connection to use SSL with the following options:

Use SSL to server

If this option is selected, then Gallium Data will use SSL when connecting to DB2. If DB2 does not support SSL, the connection will typically hang or fail.

Trust server certificate

When Gallium Data opens a new SSL connection to DB2, it receives an SSL certificate from DB2. 

If this option is selected, Gallium Data will accept this certificate at face value. This is useful when DB2 is using a self-signed certificate, for instance.

If this option is not selected, then Gallium Data will verify that DB2's certificate is valid. In that case:

SSL authentication with server

DB2 can be configured to require SSL authentication from clients. If that option is in place in DB2, then when Gallium Data opens a connection to DB2, DB2 will request a valid certificate from Gallium Data.

In that case, you will need to add a secret key and corresponding certificate to the project's Crypto section, under Keys. This certificate will have to be issued by a CA that is trusted by DB2.

Client side

If your database clients need to connect to Gallium Data with SSL (regardless of what happens on the server side), you will need an SSL certificate in Gallium Data. You have the following options:


This option requires the least amount of work, since Gallium Data comes pre-configured with a self-signed certificate.

However, this option is also the least secure, because everyone who uses Gallium Data has access to the same certificate. This is usually fine for experimentation, but definitely not for real-world applications.

Database clients that connect to Gallium Data using SSL will have to accept that self-signed certificate. This can be done either by instructing the clients to not verify the server's certificate, or (more commonly) by providing Gallium Data's certificate to the clients as a trusted certificate.

More details here.


If you're OK with a self-signed certificate, but you want your own certificate to avoid any potential security issues, you can create a new self-signed certificate and install it in Gallium Data. 

Database clients connecting to Gallium Data will have to accept this new certificate, which can be done either by telling the clients to not verify the server certificate, or by providing the new certificate to the clients as one they should trust.
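The two steps above (creating your own self-signed certificate, and making database clients trust it rather than skipping verification) can be checked from the command line with the openssl tool. The script below is an added example, not Gallium Data's own tooling: it generates a self-signed key and certificate for a constructed hostname, then emulates the trust decision a client makes when it has been given that certificate as trusted, accepting the Gallium Data certificate and rejecting an unrelated one. The hostname, directory and file names are placeholders; replace them with the name clients actually use to reach Gallium Data. It requires openssl 1.1.1 or later (for the -addext flag).

```shell
#!/bin/sh
# Added example, not Gallium Data's own tooling. Requires the openssl CLI
# (1.1.1 or later for -addext). Hostnames, directories and file names below
# are constructed placeholders.

# Generate a private key and a self-signed certificate for the hostname that
# database clients will use to reach Gallium Data. The SAN matters: modern
# clients match the hostname against subjectAltName, not the CN.
make_self_signed() {
  host="$1"; keyfile="$2"; certfile="$3"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" \
    -keyout "$keyfile" -out "$certfile" >/dev/null 2>&1
}

# Emulate a client that has been given one certificate to trust: the
# certificate presented by the server must chain to (here: be) that trusted
# certificate. Returns 0 when the client would accept the connection.
client_trusts() {
  trusted="$1"; presented="$2"
  openssl verify -CAfile "$trusted" "$presented" >/dev/null 2>&1
}

# SHA-256 fingerprint of a certificate: the value to compare when checking
# that the certificate installed in Gallium Data is the one clients trust.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Stand-alone demo: one certificate for Gallium Data, plus an unrelated
# self-signed certificate standing in for anything the client was never
# told to trust.
WORK="${TMPDIR:-/tmp}/gallium-ssl-demo"
mkdir -p "$WORK"
make_self_signed gallium.example.test "$WORK/gallium.key" "$WORK/gallium.crt"
make_self_signed other.example.test   "$WORK/other.key"   "$WORK/other.crt"

echo "Gallium Data certificate fingerprint: $(fingerprint "$WORK/gallium.crt")"
if client_trusts "$WORK/gallium.crt" "$WORK/gallium.crt"; then
  echo "client trusting gallium.crt: accepts the Gallium Data certificate"
fi
if ! client_trusts "$WORK/gallium.crt" "$WORK/other.crt"; then
  echo "client trusting gallium.crt: rejects other.crt"
fi
```

The gallium.key and gallium.crt files are what you install in Gallium Data's Crypto section; only gallium.crt is distributed to clients. The rejection of other.crt is the reason to distribute the certificate rather than disable verification on the client: a client told not to verify the server certificate would accept both.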

More details here.


For a more secure solution, you may consider creating a new CA-signed certificate and installing it in Gallium Data. Because it's signed by a trusted CA, the database clients should accept that certificate automatically. This is often the preferred solution for production.

More details here.


If you're comfortable using the same certificate in Gallium Data and in DB2, you can get the private key and certificate from your DB2 instance and install it in Gallium Data.

More details here.


Setting up the database client(s) to use SSL is explained in the various DB2 drivers' documentation (e.g. Java, Python, Node.js).

Once the key and certificate are installed, you can turn on the "Use SSL to clients" option in your Gallium Data connection(s).