Additional information: For default samples for coding an AT-TLS policy for DB2 10, see DB2 10 for z/OS Administration Guide, SC19-2968.
Customizing DB2 10 to use a DRDA secure port for SSL
To implement SSL support for a DB2 server, the TCP/IP SQL Listener service task of the DDF must be able to listen on a secondary, secure port for inbound SSL connections. The TCP/IP Listener accepts regular (non-SSL) connections on the DRDA port. The secure port accepts only SSL connections, which provides secure communications with a partner. Client connections are therefore assured of getting the SSL protocol connection that they require. As the system administrator, you specify the secure port number by using one of the following methods:
► Define the secure port by using the communications records of the DB2 bootstrap data set (BSDS). This is normally done with the supplied DSNJU003 utility, which is stored in the SDSNSAMP partitioned data set. For example, to configure the secure port with a value of 38402, you enter the following statement:
DDF LOCATION=DB0T,SECPORT=38402
► Specify the secure port during DB2 installation by entering the TCP/IP port number in the DRDA SECURE PORT field of the Distributed Data Facility Panel 2 (DSNTIP5).
Important: If the value of SECPORT (secure port) is the same as the value of PORT or RESPORT, DB2 issues an error. If you specify a value of 0 for the SECPORT parameter, SSL verification support is disabled, and the DDF TCP/IP SQL Listener does not accept any inbound SSL connections on the secure port.
8.4.3 IBM Data Server Driver for JDBC and SQLJ for UNIX environment configuration to use SSL
When the configuration of the DB2 10 server to use SSL is complete, customize your client environment to also use SSL. We considered the customization of two types of DB2 clients: Java and non-Java client applications.
To configure connections under the IBM Data Server Driver for Java Database Connectivity (JDBC) and SQL for Java (SQLJ) to use SSL, set the DB2BaseDataSource.sslConnection property to true. On the SAP J2EE Engine, you define this setting by appending sslConnection=true to the connection URL, as shown in Example 8-23. This example shows how to change the key of the secure store (jdbc/pool/T73/URL) by using the SAP GUI configuration tool.
Example 8-23 SSL activation by using the SAP GUI configuration tool
jdbc:db2://p5503p2:59770/T73:deferPrepares=0;sslConnection=true;
Important: On SAP systems (the application servers), you can perform all configuration steps of SSL by using the SAP J2EE Engine GUI configuration tool.
Also, set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties to specify the location and the password of the client truststore. By using the GUI configuration tool, you can add the lines shown in Example 8-24 to the Java parameters section of every cluster element (instance, dispatcher, and server) of the application server.
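As an added example (not from the Redbook or from IBM), the following Python checks a DSNJU003 DDF statement against the SECPORT rules above (SECPORT=0 disables SSL; SECPORT equal to PORT or RESPORT is an error) and checks a JCC JDBC URL for sslConnection=true and for use of the secure port. The DDF statement, port numbers and URLs are constructed sample values, not taken from the book.

```python
import re

# Constructed sample DDF statement (DSNJU003 syntax) and client URLs; not from the book.
DDF_STMT = "DDF LOCATION=DB0T,PORT=38400,RESPORT=38401,SECPORT=38402"
URL_SSL = "jdbc:db2://p5503p2:38402/T73:deferPrepares=0;sslConnection=true;"
URL_PLAIN = "jdbc:db2://p5503p2:38400/T73:deferPrepares=0;"


def parse_ddf(stmt):
    """Parse 'DDF KEY=VALUE,...' into a dict keyed by upper-cased keyword."""
    body = stmt.strip()
    if not body.upper().startswith("DDF "):
        raise ValueError("not a DDF statement")
    fields = {}
    for item in body[4:].split(","):
        key, _, value = item.partition("=")
        fields[key.strip().upper()] = value.strip()
    return fields


def check_secport(ddf):
    """Apply the SECPORT rules: 0 disables SSL; a clash with PORT/RESPORT is an error."""
    findings = []
    secport = int(ddf.get("SECPORT", "0"))
    if secport == 0:
        return ["SECPORT=0: SSL support disabled, listener accepts no inbound SSL"]
    for other in ("PORT", "RESPORT"):
        if other in ddf and int(ddf[other]) == secport:
            findings.append(f"SECPORT equals {other}: DB2 rejects this definition")
    return findings


_JDBC = re.compile(r"^jdbc:db2://([^:/]+):(\d+)/([^:]+)(?::(.*))?$")


def parse_jdbc_url(url):
    """Split a Type 4 JCC URL into host, port, database and its ';'-separated properties."""
    m = _JDBC.match(url)
    if not m:
        raise ValueError("unrecognised DB2 JDBC URL")
    host, port, db, props = m.groups()
    pairs = dict(p.split("=", 1) for p in (props or "").split(";") if "=" in p)
    return {"host": host, "port": int(port), "database": db, "properties": pairs}


def check_client_url(url, ddf):
    """Flag cleartext URLs and SSL URLs that do not target the DRDA secure port."""
    u = parse_jdbc_url(url)
    secport = int(ddf.get("SECPORT", "0"))
    if u["properties"].get("sslConnection", "false").lower() != "true":
        return ["sslConnection is not true: connection negotiated in cleartext"]
    if u["port"] != secport:
        return [f"sslConnection=true but port {u['port']} is not SECPORT {secport}"]
    return []
```

Running check_secport on DDF_STMT and check_client_url on URL_SSL returns no findings, while URL_PLAIN is reported as a cleartext connection.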
Chapter 8. Security enhancements of DB2 10 for SAP solutions 131