DB2: creating a self-signed certificate

To create a new self-signed certificate for Gallium Data, you can use OpenSSL. Other tools, such as IBM's own gsk8capicmd, work equally well, but we'll use OpenSSL in this article.

Create the private key and certificate

Create a private key (we'll call it "SelfSigned1", feel free to use a different name):

ssh-keygen -m pkcs8 -f /certs/SelfSigned1.key -q -N ""


This creates two files: SelfSigned1.key, the private key in PKCS#8 PEM format (this is the one we need), and SelfSigned1.key.pub, the matching public key in OpenSSH format, which is not used in the rest of this procedure.
Create a CSR (certificate signing request):

openssl req -new -key /certs/SelfSigned1.key -out /certs/SelfSigned1.csr -outform pem -batch

This creates a file called SelfSigned1.csr, which will be used in the next step.


Create a certificate:

openssl x509 -req -days 365 -in /certs/SelfSigned1.csr -signkey /certs/SelfSigned1.key -out /certs/cert.pem


This creates a file called cert.pem, which contains the certificate.


Install the key and the certificate in Gallium Data

Copy the contents of the file SelfSigned1.key into the Keys section of the Crypto area. You need to copy the entire contents of the file, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines.

Now add the contents of the certificate file cert.pem after that, again including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

The Keys section should now contain both the private key and the certificate. The order does not matter.
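The whole procedure above, from private key to the combined contents of the Keys section, as an added example that is not part of the Gallium Data documentation. It uses openssl genpkey in place of ssh-keygen for the private key (both write a PKCS#8 "BEGIN PRIVATE KEY" PEM block), and it finishes with the checks worth running before pasting anything into the Crypto area; the output directory and the CN gallium.example.test are constructed values.

```shell
#!/bin/sh
# Added example, not from the Gallium Data docs: create the key, CSR and
# self-signed certificate with OpenSSL only, then run the checks worth doing
# before pasting the PEM blocks into the Keys section.
# Assumptions: openssl on PATH; CERTDIR and the CN are constructed values.
set -eu

CERTDIR="${CERTDIR:-$(mktemp -d)}"   # the article uses /certs
NAME="SelfSigned1"
DAYS=365

# 1. Private key. genpkey writes PKCS#8 PEM ("BEGIN PRIVATE KEY"), the same
#    container that ssh-keygen -m pkcs8 produces in the article.
gen_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$CERTDIR/$NAME.key" 2>/dev/null
    chmod 600 "$CERTDIR/$NAME.key"   # only the proxy operator should read it
}

# 2. CSR, non-interactive; -subj sets the CN instead of the -batch defaults.
gen_csr() {
    openssl req -new -key "$CERTDIR/$NAME.key" -out "$CERTDIR/$NAME.csr" \
        -outform pem -batch -subj "/CN=gallium.example.test" 2>/dev/null
}

# 3. Self-signed certificate, valid for DAYS days.
gen_cert() {
    openssl x509 -req -days "$DAYS" -in "$CERTDIR/$NAME.csr" \
        -signkey "$CERTDIR/$NAME.key" -out "$CERTDIR/cert.pem" 2>/dev/null
}

# Sanity checks before installing; returns 0 only if every check passes.
check_cert() {
    # the public key inside the certificate must match the private key
    k=$(openssl pkey -in "$CERTDIR/$NAME.key" -pubout 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$CERTDIR/cert.pem" -pubkey -noout | openssl sha256)
    [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
    # a self-signed certificate must verify against itself as its own CA
    openssl verify -CAfile "$CERTDIR/cert.pem" "$CERTDIR/cert.pem" >/dev/null 2>&1 \
        || { echo "certificate does not verify" >&2; return 1; }
    # still valid 24h from now (catches a wrong clock or an expired cert)
    openssl x509 -in "$CERTDIR/cert.pem" -noout -checkend 86400 >/dev/null \
        || { echo "certificate expires within 24h" >&2; return 1; }
    # both PEM blocks present, in the form the Keys section expects
    cat "$CERTDIR/$NAME.key" "$CERTDIR/cert.pem" > "$CERTDIR/keys_section.pem"
    grep -q -- '-----BEGIN PRIVATE KEY-----' "$CERTDIR/keys_section.pem" \
        && grep -q -- '-----BEGIN CERTIFICATE-----' "$CERTDIR/keys_section.pem"
}

gen_key && gen_csr && gen_cert && check_cert && echo "OK: $CERTDIR/keys_section.pem"
```

The file keys_section.pem holds exactly what goes into the Keys section; cert.pem alone is what the DB2 clients need.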

At this point, Gallium Data is ready to use SSL to connect with DB2 clients, but we need to make sure these clients are ready as well.

Make the certificate available to the DB2 clients

The file cert.pem will be used by the DB2 clients to validate the server.

From a Java client, you can use a JDBC URL in the form:

import java.sql.Connection;
import java.sql.DriverManager;

// sslCertLocation points at the server certificate created above (cert.pem)
Connection con = DriverManager.getConnection("jdbc:db2://192.168.1.69:50012/testdb:" +
    "sslConnection=true;sslCertLocation=/certs/cert.pem;", "DB2INST1", "Password1");

The final semicolon is required after the name of the certificate file.

If you try to connect a Java client using SSL without providing the server certificate file, or with the wrong certificate file, you will get an exception:

com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.32.28] A communication error occurred during operations on the connection's underlying socket, socket input stream, or socket output stream.  Error location: Reply.fill() - socketInputStream.read (-1).  Message: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ERRORCODE=-4499, SQLSTATE=08001

This indicates that the DB2 client connected to Gallium Data and performed a TLS handshake, but the certificate it received from Gallium Data could not be verified against the certificate file it was given.


Other DB2 drivers (Python, Node.js, ODBC, etc.) use a very similar approach: the client is pointed at cert.pem so that it can validate the server certificate.