DB2 with default certificate

If you're OK using the default self-signed certificate that comes with Gallium Data, all you need to do is configure your DB2 clients to accept this certificate. 

To get the default Gallium Data certificate, go to Crypto -> Keys and copy everything from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----, inclusive, into a text file (let's call it /certs/cert.pem).

From a Java client, you can then use a JDBC URL in the form:

// sslCertLocation tells the driver which PEM certificate file to trust
Connection con = DriverManager.getConnection("jdbc:db2://192.168.1.69:50012/testdb:" +
    "sslConnection=true;sslCertLocation=/certs/cert.pem;", "DB2INST1", "Password1");

The final semicolon is required after the name of the certificate file.

If you try to connect a Java client using SSL without providing the server certificate file, or while providing the wrong certificate file, you will get an exception:

com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.32.28] A communication error occurred during operations on the connection's underlying socket, socket input stream, or socket output stream.  Error location: Reply.fill() - socketInputStream.read (-1).  Message: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ERRORCODE=-4499, SQLSTATE=08001

This indicates that the DB2 client connected to Gallium Data and started a TLS handshake, but could not verify the certificate that it received from Gallium Data.
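
When that exception appears, a quick check is whether the file you copied is really the certificate the proxy serves. The following is an added example, not part of Gallium Data or the DB2 driver: it validates the copied PEM file and compares its SHA-256 fingerprint with the certificate presented on the port. The function names and the sample data are constructed for illustration, and it assumes the port speaks TLS from the first byte.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+(.*?)\s+-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the single certificate in pem_text."""
    if "PRIVATE KEY-----" in pem_text:
        raise ValueError("file contains a private key; keep only the certificate")
    blocks = PEM_BLOCK.findall(pem_text)
    if len(blocks) != 1:  # markers missing or truncated, or several certs pasted
        raise ValueError(f"expected 1 certificate block, found {len(blocks)}")
    try:
        return base64.b64decode("".join(blocks[0].split()), validate=True)
    except ValueError as exc:  # binascii.Error subclasses ValueError
        raise ValueError("certificate body is not valid base64") from exc


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def matches_server(pem_path, host, port):
    """True if the certificate in pem_path is the one served at host:port."""
    with open(pem_path, encoding="ascii") as fh:
        local = pem_to_der(fh.read())
    # The fetch itself is unverified; trust comes from comparing it with the
    # copy exported from the admin UI.
    served = ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))
    return fingerprint(local) == fingerprint(served)


# Constructed sample: placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate" * 3
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print(fingerprint(pem_to_der(SAMPLE_PEM)))
    # Live check, using the address from the JDBC URL on this page:
    # print(matches_server("/certs/cert.pem", "192.168.1.69", 50012))
```

If matches_server returns False, the client is pointed at a stale or different certificate and should be given a fresh copy from Crypto -> Keys.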


Other DB2 drivers (Python, Node.js, ODBC, etc.) use a very similar approach.