Thursday, 14 May 2015

Continuing to learn - IBM BPM and IBM Business Monitor to DB2 via SSL/TLS

I've written a couple of posts on the WebSphere User Group blog here: -



My next trick will be to force WebSphere Application Server (WAS) to use a specific encryption standard, namely TLS version 1.2.

In DB2, this can be enforced as follows: -

db2 update dbm config using SSL_VERSIONS TLSV12

for version 1.2 or: -

db2 update dbm config using SSL_VERSIONS TLSV1

for version 1.0, or: -

db2 update dbm config using SSL_VERSIONS NULL

to revert back to SSL.

...
If you set the parameter to null or TLSv1, the parameter enables support for TLS version 1.0 (RFC2246) and TLS version 1.1 (RFC4346).

Note: During SSL handshake, the client and the server negotiate and find the most secure version to use either TLS version 1.0 or TLS version 1.1. If there is no compatible version between the client and the server, the connection fails. If the client supports TLS version 1.0 and TLS version 1.1, but the server support TLS version 1.0 only, then TLS version 1.0 is used.
If you set the parameter to TLSv12 (RFC5246), the parameter enables support for TLS version 1.2. This setting is required to comply with NIST SP 800-131A.

If you set the parameter to TLSv12 and TLSv1, the parameter enables support for TLS version 1.2 with the option to fall back on TLS version 1.0 and 1.1.
...

All of the SSL-related settings can be queried thusly: -

db2 get dbm config | grep SSL

 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keystore.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keystore.sth
 SSL server certificate label            (SSL_SVR_LABEL) = bpm856.uk.ibm.com
 SSL service name                         (SSL_SVCENAME) = db2c_ssl
 SSL cipher specs                      (SSL_CIPHERSPECS) = 
 SSL versions                             (SSL_VERSIONS) = 
 SSL client keydb file                  (SSL_CLNT_KEYDB) = 
 SSL client stash file                  (SSL_CLNT_STASH) = 

Note that we also have SSL_CIPHERSPECS to specify the cipher specifications that one wishes to use, as per this: -


and: -

No comments: