DB2: using the server certificate

If your database clients already connect to DB2 using SSL, you may be able to reuse the same certificate that is in use in DB2.

This may not be possible if your clients validate the server hostname: the certificate would then have to be changed to include the address of the Gallium Data server(s), or the DNS entries your clients use would have to be repointed to Gallium Data.

If hostname validation is not an issue, then you can figure out where DB2's certificate and key are with the command:

db2 get dbm cfg

The response will include a fair amount of detail, including something like:

 ...
 SSL server keydb file                   (SSL_SVR_KEYDB) = /certs/server.p12
 SSL server stash file                   (SSL_SVR_STASH) = /certs/server.sth
 SSL server certificate label            (SSL_SVR_LABEL) = PROD_CERT_43
 SSL service name                         (SSL_SVCENAME) = 50011
 ...

The file of interest here is /certs/server.p12 (the path will of course be different for you): it is a PKCS#12 keystore containing the private key and the certificate. You will need to extract both as PEM files and install them in Gallium Data in the Crypto section, under Keys.

Extract the key and certificate

You can extract the private key with:

openssl pkcs12 -in /certs/server.p12 -nocerts -nodes -out private.key

You will of course need to enter the password for the keystore. Note that -nodes writes the private key unencrypted, so keep private.key readable only by you and delete it once it has been imported into Gallium Data.

This will create a file with a section bracketed between:

-----BEGIN PRIVATE KEY-----

and:

-----END PRIVATE KEY-----

Copy this section (including the BEGIN and END lines) into the Gallium Data Crypto section, under Keys.

You can then extract the certificate using:

openssl pkcs12 -in /certs/server.p12 -out cert.crt -nokeys

The resulting file will have a section bracketed between (if the keystore also holds CA certificates there may be several such sections; the one you want is the server's own certificate, which you can identify from the subject= line openssl prints above each section):

-----BEGIN CERTIFICATE-----

and:

-----END CERTIFICATE-----

You will need to copy this section (including the BEGIN and END lines, but not the Bag Attributes and subject/issuer lines openssl prints before it) into the Gallium Data Crypto section, under Keys.

Once this is done, you can turn on the "Use SSL to clients" option in your Gallium Data connection.
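An added example, not part of the Gallium Data documentation: a POSIX shell script that performs the extraction described above and then runs two checks a practitioner would want before pasting anything into Gallium Data, namely that the extracted key and certificate really belong together, and that the certificate covers the hostname clients will use to reach Gallium Data (the hostname-validation point raised at the top of this page). The keystore path, password, output directory and hostname are placeholders passed as arguments.

```shell
# Added example (not from the Gallium Data docs or DB2). Extract the key and
# certificate from a DB2 PKCS#12 keystore and sanity-check them.
# Assumed inputs: keystore path, its password, an output directory, and the
# hostname clients will use for Gallium Data.

# Write private.key and cert.crt (PEM) into $3. -clcerts is added to the
# page's command so that only the server's own certificate is written when
# the keystore also holds a CA chain.
extract_pem() {
  p12="$1"; pw="$2"; outdir="$3"
  # pass: on the command line is visible to other users of the host; prefer
  # -passin file:... or the interactive prompt on a shared machine.
  openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pw" \
    -out "$outdir/private.key" 2>/dev/null || return 1
  openssl pkcs12 -in "$p12" -nokeys -clcerts -passin "pass:$pw" \
    -out "$outdir/cert.crt" 2>/dev/null || return 1
  chmod 600 "$outdir/private.key"   # -nodes left the key unencrypted
}

# Succeed only if the key and certificate carry the same public key, i.e.
# the key was not paired with a CA or stale certificate from the store.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ "$k" = "$c" ]
}

# Succeed only if the certificate is valid for the given name (SAN or CN),
# which is what clients doing hostname validation compare against the
# Gallium Data address they connect to.
cert_covers_host() {
  openssl x509 -in "$1" -checkhost "$2" 2>/dev/null | grep -q ' does match '
}

# Usage: extract_pem /certs/server.p12 "$KEYSTORE_PW" ./out \
#   && key_matches_cert ./out/private.key ./out/cert.crt \
#   && cert_covers_host ./out/cert.crt gallium.example.test
```

If cert_covers_host fails for the Gallium Data hostname, clients that validate hostnames will reject the reused certificate, which is exactly the situation described at the top of this page.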