SlideShare a Scribd company logo

2022-Db2-Securing_Your_data_in_motion.pdf

R
Roland Schock

Learn how to setup encrypted access to an IBM Db2 database running under Linux, Unix and Windows. Also details are given how to configure the client side.

Data & Analytics
1 of 32
Download to read offline
Boston, MA Securing your data in motion with TLS Roland Schock Session Code: G10
Agenda • Where to encrypt? What is SSL/TLS? • Learn about IBM GSKit, certificates and self-signed certificates and configure the server side of TLS encryption • Configure the client side of TLS encryption for CLI, ODBC and JDBC • Troubleshooting and verify your configuration, select the right ciphers for encryption • Current issues, open RFEs aka AHA ideas
Moments of Encryption • Encryption during Authentication • Transmission of encrypted login credentials • Encryption in use • Encryption of single columns (by application code) • Encryption in motion • Data transmission over the wire is encrypted • Encryption at rest • Encryption of database and transaction log files on disk, tapes, etc.
Default Configuration • Db2's default configuration is still based on assumptions of Db2 for OS/2. At that time simple configuration was preferred over security. • By default just simple authentication with plain text passwords over the wire • db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER • At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of encrypted passwords over the wire during Connect • Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were not prepared for modern encryption • Data is still transferred unencrypted • Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated) • ➔ Much better: Switch to SSL or TLS session encryption
AUTHENTICATION = SERVER_ENCRYPT • Db2 engine takes care of encryption • Beside db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT other params have to be set to close other issues: db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC, TRUSTEDCLIENT_SRVRENC • DISABLE_CHGPASS disables password change during connect • OSAUTHDB points to local OS for user and group enumeration • JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4) • If you still have (very) old clients, set this option temporarily and monitor db2diag.log • db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
Encryption with SSL • SSL is the synonym for encrypted communication via Secure Sockets Layer • SSL 1.0 was never published as standard • SSL 2.0 published February 1995; used until ~2011, deprecated due to security flaws • SSL v3, last version, deprecated, unsafe (e.g. POODLE attack). • TLS stands for Transport Layer Security and is successor of SSL • TLS 1.0 is successor of SSL v3 • TLS 1.1 published April 2006 and also has flaws • TLS 1.2 came in 2008 and was more widely used since the flaws of TLS 1.1 came up • TLS 1.3 is current since August 2018
IBM Global Security Kit (1|2) • Which SSL/TLS version is supported by Db2? • Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit aka GSKit for it • GSKit is the OS extension for encrypted socket communication https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit- installation-gskit • GSKit gets automatically installed with server install. It's a separate install for Db2 client code • GSKit has the Highlander principle: There can only be one! • It gets especially interesting, if multiple IBM server products ship GSKit and try to install/use their own: • E.g. IBM Db2, TSM and MQ on a single machine
IBM Global Security Kit (2|2) • GSKit V8 - Instructions to find current installed version details: https://www.ibm.com/support/pages/gskit-v8-instructions-find- current-installed-version-details • GSKit Versions Shipped with Db2: https://www.ibm.com/support/pages/gskit-versions-shipped-db2 • The current GSKit does not support TLS 1.3 yet and hence Db2 can only use up to TLS 1.2 for now • Breaking news: IBM is going to support TLS 1.3 for client/server, HADR, KMIP soon!
Configuration steps for TLS encryption • Create a keyring for the server • Create a certificate for the server (self-signed or CA-signed) • Import the certificate in the keyring of the server
Db2 server side: Create a keyring • User db2inst1: mkdir -p /home/db2inst1/SSL cd /home/db2inst1/SSL • echo "Create a keyring:" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash • Beware: There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it seems in some versions the 32-bit path is incorrect and returns "error while loading shared directories" • Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
Db2 server side: Create CA-signed certs • echo "Create certification request to send to Root CA" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm" • echo "Send MyCertRequest.arm to CA to get it signed" • echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt -db "Db2_keydb.kdb" -stashed -format ascii • echo "CA returns: MyServerCert.crt" • echo "Import of MyServerCert.crt in your keyring" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
Db2 server side: Create a self-signed certificate • echo "Not required by CA-signed certificate! This is an alternative!" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA • echo "Export of public signature for trust_db of clients" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" -format ascii -fips • Remark for self-signed certificates: • They are as secure as CA-signed certs, but require more work. More servers have to be trusted at clients and updated over time due to expiration. • Transfer of the public server signature to the client has to be secure to prevent man-in-the-middle attacks.
How to verify keyring and certificate? (1|2) • echo "Verify a certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed • Certificate found: * Standard, - personal, ! reliable, # secret key ! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" ! "CN=ARS Root CA 01,DC=ARS,DC=de" - myserver_db2_4096 • echo "Verify key database" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
How to verify keyring and certificate? (2|2) • echo "Verify a new certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed • Label : myserver_db2_4096 Key length : 4096 Version : X509 V3 Serial : 740000007415c7837855d62d17000000000074 Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE Not valid before : 17. April 2020 11:50:22 MESZ Not valid after : 20. July 2022 11:50:22 MESZ
Configuration Server • echo "Instance configuration" db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096 db2 update dbm cfg using SSL_VERSIONS TLSV12 • echo "Insert SSL port in /etc/services file" vi /etc/services REM start notepad c:windowssystem32driversetcservices REM Append a line like: db2c_tlsinst1 50443 • echo "Set SSL_SVCENAME to port name and set DB2COMM" db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1 db2set DB2COMM=SSL,TCPIP • echo "Check if max_connections <= max_coordagents ➔ Connection Concentrator=OFF" • echo "Restart Instance to bring changes into effect" db2stop && sleep 5 && db2start
Expired Server certificate • Entry in db2diag.log when the CA signed server certificate expires 2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error PID : 6292094 TID : 292736 PROC : db2sysc 0 INSTANCE: db2inst1 NODE : 000 DB : HOSTNAME: myhost EDUID : 292736 EDUNAME: db2agent () 0 FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30 MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the return code "401" in "sqlccSSLSocketSetup". • On client side SQL30081N A communication error has been detected. Communication protocol being used: "SSL". Communication API being used: "SOCKETS". Location where the error was detected: "". Communication function detecting the error: "sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*". SQLSTATE=08001 • Create a new CertRequest, get it signed from your CA and import it with a different label into the server keyring db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE • DBM Config SSL_SVR_LABEL is online updateable since V11.5.2 Check with db2pd -dbmcfg for current value in memory
HADR and SSL • SSL for HADR has to be configured on the database side • Create keyrings and truststores on both sides, include Client side configuration on the other server and vice versa • In database configuration use label accordingly HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
Configuration of CLI Client (1|2) • echo "Install GSKit on client machine (Fix central: Tivoli Global Security)" Install the binaries according to Db2 Knowledge Center https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions • echo "Create a client keyring" mkdir -p ~/SSL && cd ~/SSL /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "client_trust.kdb" -pw "MyPass" -stash • echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips • echo "Not required for CA-signed certificates: Import your self-signed certificate" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kbd" -stashed -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm -format ascii -fips
Configuration of CLI Client (2|2) • Update client instance configuration : db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth For Windows Clients, if Root-CA signature is available in Windows Trust Store: db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE db2 update dbm cfg using SSL_CLNT_STASH NULL Set PATH and LIB to the according directories for 32-bit and 64-bit binaries: set PATH=C:PROGRA~1IBMGSKITBIN; C:PROGRA~2IBMGSKITBIN;%PATH% set LIB=C:PROGRA~1IBMGSKITLIB64;C:PROGRA~2IBMGSKITLIB;%LIB% • Catalog your node db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL db2 catalog db SAMPLE at node INST1SSL
JDBC connections • JDBC is simple to configure! Server side configured as above • Trust Store get's created with Java JDK keytool instead of GSKit : (In this example with a self-signed certificate) keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file myserver_db2_public_key.arm -noprompt keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file • JDBC connection string looks like: jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslT rustStorePassword=cacerts;sslTrustStoreType=JKS; • Remark: Some applications might use their own JDK and maybe they have a separate trust store then Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
IBM Data Server Driver for ODBC and CLI • Small footprint drivers for Db2; just unpack ZIP archive and set paths e.g. for Linux export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH • Database can get catalogued via db2cli.ini or db2dsdriver.cfg Either use sample templates or db2cli commands: • Examples: db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter "SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb" db2cli validate db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya' • Trust store must be in CMS format. • Root CAs can be included automatically to keyring, if sent as Trust store .arm file on first connect
Configuration for WAS Liberty profile •
Check usage of secure connections • Which application is now using a TLS connection? SELECT substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID, substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME, substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST, CLIENT_PROTOCOL AS PROTOCOL, CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME, SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID, SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID, COUNT(*) AS COUNT FROM TABLE ( mon_get_connection( NULL, -2 )) GROUP BY CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME, CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID, SESSION_AUTH_ID ORDER BY 1,2,3,4,5,6
Ciphers and encryption methods • https://scotthelme.co.uk/https-cheat-sheet/
Ciphers and Db2 (1|2) • During SSL handshake client and server negotiate the most secure encryption method. If no compatible method was found, connection fails. The order of so called Cipher Suites cannot be changed. • If SSL_VERSIONS was set to TLSv12, following SSL_CIPHERSPECS are usable: ▪ TLS_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ▪ TLS_RSA_WITH_AES_256_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ▪ TLS_RSA_WITH_AES_128_CBC_SHA
Ciphers and Db2 (2|2) • Configure ciphers in Db2 (length max 255 chars): db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 • Whatever Cipher is finally used cannot be retrieved (GSKit doesn't feed this back to Db2)
Support us! (1|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984 • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
Support us! (2|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
Technotes • Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS: internal test failed, interface disabled" https://www.ibm.com/support/pages/node/6356455 Problem: The internal self-test in GSKit fails when it can't get sufficient entropy via hardware or software RNG (Random Number Generation). This can cause the Db2 instance to stop functioning correctly, and will require a restart of the instance.
Further links • Step-by-Step Instructions to Configure a Secure Database System, Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121 • Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3, https://www.ibm.com/support/pages/apar/IC85574 • SSL/TLS: How to choose your cipher suite https://technology.amis.nl/2017/07/04/ssltls-choose-cipher- suite/
SSL and Db2 on (IBM) Cloud • Supporting links to use Db2 on Cloud with SSL/TLS Short compact configuration guide for Db2 on Cloud: https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support How to connect to Db2 on Cloud, connect options https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options SSL as requirement for IAM-based authentication https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly suggested to protect the token with TLS https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.s ec.doc/doc/c_token_auth.html
Thank You Speaker: Roland Schock Email Address: roland.schock@arcor.de Session Code: G10 Please fill out your session evaluation before leaving!

Recommended

Solving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration DilemmaSolving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration Dilemma
Randy Goering
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
Jugal Shah
 
Presentation db2 best practices for optimal performance
Presentation db2 best practices for optimal performancePresentation db2 best practices for optimal performance
Presentation db2 best practices for optimal performance
solarisyougood
 
DB2 Security Model
DB2 Security ModelDB2 Security Model
DB2 Security Model
uniqueYGB
 
Oracle 10g Performance: chapter 02 aas
Oracle 10g Performance: chapter 02 aasOracle 10g Performance: chapter 02 aas
Oracle 10g Performance: chapter 02 aasKyle Hailey
 
Db2 family and v11.1.4.4
Db2 family and v11.1.4.4Db2 family and v11.1.4.4
Db2 family and v11.1.4.4
ModusOptimum
 
Oracle 12c Multitenant architecture
Oracle 12c Multitenant architectureOracle 12c Multitenant architecture
Oracle 12c Multitenant architecture
naderattia
 
Ceph bluestore-tiering-2018-11-15
Ceph bluestore-tiering-2018-11-15Ceph bluestore-tiering-2018-11-15
Ceph bluestore-tiering-2018-11-15
Jiaying Ren
 

Recommended

Solving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration DilemmaSolving the DB2 LUW Administration Dilemma
Solving the DB2 LUW Administration Dilemma
Randy Goering
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
Jugal Shah
 
Presentation db2 best practices for optimal performance
Presentation db2 best practices for optimal performancePresentation db2 best practices for optimal performance
Presentation db2 best practices for optimal performance
solarisyougood
 
DB2 Security Model
DB2 Security ModelDB2 Security Model
DB2 Security Model
uniqueYGB
 
Oracle 10g Performance: chapter 02 aas
Oracle 10g Performance: chapter 02 aasOracle 10g Performance: chapter 02 aas
Oracle 10g Performance: chapter 02 aasKyle Hailey
 
Db2 family and v11.1.4.4
Db2 family and v11.1.4.4Db2 family and v11.1.4.4
Db2 family and v11.1.4.4
ModusOptimum
 
Oracle 12c Multitenant architecture
Oracle 12c Multitenant architectureOracle 12c Multitenant architecture
Oracle 12c Multitenant architecture
naderattia
 
Ceph bluestore-tiering-2018-11-15
Ceph bluestore-tiering-2018-11-15Ceph bluestore-tiering-2018-11-15
Ceph bluestore-tiering-2018-11-15
Jiaying Ren
 
Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONOracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Markus Michalewicz
 
DB2 TABLESPACES
DB2 TABLESPACESDB2 TABLESPACES
DB2 TABLESPACES
Rahul Anand
 
Database Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitectureDatabase Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitecturePini Dibask
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
ngupt28
 
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruIBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
Ravikumar Nandigam
 
What’s New in Oracle Database 19c - Part 1
What’s New in Oracle Database 19c - Part 1What’s New in Oracle Database 19c - Part 1
What’s New in Oracle Database 19c - Part 1
Satishbabu Gunukula
 
Oracle statistics by example
Oracle statistics by exampleOracle statistics by example
Oracle statistics by example
Mauro Pagano
 
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACThe Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
Markus Michalewicz
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage management
Craig Mullins
 
RocksDB Performance and Reliability Practices
RocksDB Performance and Reliability PracticesRocksDB Performance and Reliability Practices
RocksDB Performance and Reliability Practices
Yoshinori Matsunobu
 
Cross Data Center Replication with Redis using Redis Enterprise
Cross Data Center Replication with Redis using Redis EnterpriseCross Data Center Replication with Redis using Redis Enterprise
Cross Data Center Replication with Redis using Redis Enterprise
Cihan Biyikoglu
 
RocksDB detail
RocksDB detailRocksDB detail
RocksDB detail
MIJIN AN
 
Oracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAsOracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAs
Gokhan Atil
 
Webinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDBWebinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDB
Amazon Web Services
 
Ibm db2
Ibm db2Ibm db2
Ibm db2
aditi212
 
Adapting and adopting spm v04
Adapting and adopting spm v04Adapting and adopting spm v04
Adapting and adopting spm v04
Carlos Sierra
 
Automated master failover
Automated master failoverAutomated master failover
Automated master failover
Yoshinori Matsunobu
 
MySQL Database Architectures - High Availability and Disaster Recovery Solution
MySQL Database Architectures - High Availability and Disaster Recovery SolutionMySQL Database Architectures - High Availability and Disaster Recovery Solution
MySQL Database Architectures - High Availability and Disaster Recovery Solution
Miguel Araújo
 
Sql Server Performance Tuning
Sql Server Performance TuningSql Server Performance Tuning
Sql Server Performance Tuning
Bala Subra
 
IBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptxIBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptx
RaulRamirez547593
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 

More Related Content

What's hot

Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONOracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
Markus Michalewicz
 
DB2 TABLESPACES
DB2 TABLESPACESDB2 TABLESPACES
DB2 TABLESPACES
Rahul Anand
 
Database Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitectureDatabase Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitecturePini Dibask
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
ngupt28
 
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruIBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
Ravikumar Nandigam
 
What’s New in Oracle Database 19c - Part 1
What’s New in Oracle Database 19c - Part 1What’s New in Oracle Database 19c - Part 1
What’s New in Oracle Database 19c - Part 1
Satishbabu Gunukula
 
Oracle statistics by example
Oracle statistics by exampleOracle statistics by example
Oracle statistics by example
Mauro Pagano
 
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACThe Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
Markus Michalewicz
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
Markus Michalewicz
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage management
Craig Mullins
 
RocksDB Performance and Reliability Practices
RocksDB Performance and Reliability PracticesRocksDB Performance and Reliability Practices
RocksDB Performance and Reliability Practices
Yoshinori Matsunobu
 
Cross Data Center Replication with Redis using Redis Enterprise
Cross Data Center Replication with Redis using Redis EnterpriseCross Data Center Replication with Redis using Redis Enterprise
Cross Data Center Replication with Redis using Redis Enterprise
Cihan Biyikoglu
 
RocksDB detail
RocksDB detailRocksDB detail
RocksDB detail
MIJIN AN
 
Oracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAsOracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAs
Gokhan Atil
 
Webinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDBWebinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDB
Amazon Web Services
 
Ibm db2
Ibm db2Ibm db2
Ibm db2
aditi212
 
Adapting and adopting spm v04
Adapting and adopting spm v04Adapting and adopting spm v04
Adapting and adopting spm v04
Carlos Sierra
 
Automated master failover
Automated master failoverAutomated master failover
Automated master failover
Yoshinori Matsunobu
 
MySQL Database Architectures - High Availability and Disaster Recovery Solution
MySQL Database Architectures - High Availability and Disaster Recovery SolutionMySQL Database Architectures - High Availability and Disaster Recovery Solution
MySQL Database Architectures - High Availability and Disaster Recovery Solution
Miguel Araújo
 
Sql Server Performance Tuning
Sql Server Performance TuningSql Server Performance Tuning
Sql Server Performance Tuning
Bala Subra
 

What's hot (20)

Oracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLONOracle RAC 19c and Later - Best Practices #OOWLON
Oracle RAC 19c and Later - Best Practices #OOWLON
 
DB2 TABLESPACES
DB2 TABLESPACESDB2 TABLESPACES
DB2 TABLESPACES
 
Database Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant ArchitectureDatabase Consolidation using the Oracle Multitenant Architecture
Database Consolidation using the Oracle Multitenant Architecture
 
Sql server performance tuning
Sql server performance tuningSql server performance tuning
Sql server performance tuning
 
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guruIBM DB2 LUW UDB DBA Online Training by Etraining.guru
IBM DB2 LUW UDB DBA Online Training by Etraining.guru
 
What’s New in Oracle Database 19c - Part 1
What’s New in Oracle Database 19c - Part 1What’s New in Oracle Database 19c - Part 1
What’s New in Oracle Database 19c - Part 1
 
Oracle statistics by example
Oracle statistics by exampleOracle statistics by example
Oracle statistics by example
 
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RACThe Top 5 Reasons to Deploy Your Applications on Oracle RAC
The Top 5 Reasons to Deploy Your Applications on Oracle RAC
 
The Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - PresentationThe Oracle RAC Family of Solutions - Presentation
The Oracle RAC Family of Solutions - Presentation
 
DB2 and storage management
DB2 and storage managementDB2 and storage management
DB2 and storage management
 
RocksDB Performance and Reliability Practices
RocksDB Performance and Reliability PracticesRocksDB Performance and Reliability Practices
RocksDB Performance and Reliability Practices
 
Cross Data Center Replication with Redis using Redis Enterprise
Cross Data Center Replication with Redis using Redis EnterpriseCross Data Center Replication with Redis using Redis Enterprise
Cross Data Center Replication with Redis using Redis Enterprise
 
RocksDB detail
RocksDB detailRocksDB detail
RocksDB detail
 
Oracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAsOracle Enterprise Manager Cloud Control 13c for DBAs
Oracle Enterprise Manager Cloud Control 13c for DBAs
 
Webinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDBWebinar | Introduction to Amazon DynamoDB
Webinar | Introduction to Amazon DynamoDB
 
Ibm db2
Ibm db2Ibm db2
Ibm db2
 
Adapting and adopting spm v04
Adapting and adopting spm v04Adapting and adopting spm v04
Adapting and adopting spm v04
 
Automated master failover
Automated master failoverAutomated master failover
Automated master failover
 
MySQL Database Architectures - High Availability and Disaster Recovery Solution
MySQL Database Architectures - High Availability and Disaster Recovery SolutionMySQL Database Architectures - High Availability and Disaster Recovery Solution
MySQL Database Architectures - High Availability and Disaster Recovery Solution
 
Sql Server Performance Tuning
Sql Server Performance TuningSql Server Performance Tuning
Sql Server Performance Tuning
 

Similar to 2022-Db2-Securing_Your_data_in_motion.pdf

IBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptxIBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptx
RaulRamirez547593
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
Continuent
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentationChris Geier
 
Plam16 jan
Plam16 janPlam16 jan
Plam16 jan
Jan Lindström
 
From Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security EnhancementsFrom Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security Enhancements
Ana-Maria Mihalceanu
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
n|u - The Open Security Community
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
Felipe Prado
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideJ.D. Wade
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
MongoDB
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
Faisal Akber
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Cody Thomas
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Amazon Web Services
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guideJ.D. Wade
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
Slawomir Jasek
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Dhruv Sharma
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
CODE BLUE
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
ssuserec53e73
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
Asad Ali
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
OlinData
 

Similar to 2022-Db2-Securing_Your_data_in_motion.pdf (20)

IBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptxIBM Spectrum Protect Secure Communication overview.pptx
IBM Spectrum Protect Secure Communication overview.pptx
 
Training Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSLTraining Slides: 302 - Securing Your Cluster With SSL
Training Slides: 302 - Securing Your Cluster With SSL
 
Kerberos presentation
Kerberos presentationKerberos presentation
Kerberos presentation
 
Plam16 jan
Plam16 janPlam16 jan
Plam16 jan
 
From Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security EnhancementsFrom Java 17 to 21- A Showcase of JDK Security Enhancements
From Java 17 to 21- A Showcase of JDK Security Enhancements
 
Basics of ssl
Basics of sslBasics of ssl
Basics of ssl
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
SPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival GuideSPS Ozarks 2012: Kerberos Survival Guide
SPS Ozarks 2012: Kerberos Survival Guide
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption OptionsPostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
PostgresOpen 2013 A Comparison of PostgreSQL Encryption Options
 
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOSWalking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
Walking the Bifrost: An Operator's Guide to Heimdal & Kerberos on macOS
 
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
Accelerating and Securing your Applications in AWS. In-depth look at Solving ...
 
Kerberos survival guide
Kerberos survival guideKerberos survival guide
Kerberos survival guide
 
Shameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocolsShameful secrets of proprietary network protocols
Shameful secrets of proprietary network protocols
 
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
Setting up CDP (Cisco Discovery Protocol) between Cisco IOS and VMware Virtua...
 
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
[cb22] Tracking the Entire Iceberg - Long-term APT Malware C2 Protocol Emulat...
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
fengmei.ppt
fengmei.pptfengmei.ppt
fengmei.ppt
 
Issuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vaultIssuing temporary credentials for my sql using hashicorp vault
Issuing temporary credentials for my sql using hashicorp vault
 

Recently uploaded

Learn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queriesLearn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queries
manishkhaire30
 
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
oz8q3jxlp
 
Machine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptxMachine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptx
balafet
 
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
axoqas
 
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
slg6lamcq
 
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
mzpolocfi
 
Nanandann Nilekani's ppt On India's .pdf
Nanandann Nilekani's ppt On India's .pdfNanandann Nilekani's ppt On India's .pdf
Nanandann Nilekani's ppt On India's .pdf
eddie19851
 
原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样
原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样
原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样
u86oixdj
 
Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...
Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...
Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...
Subhajit Sahu
 
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
NABLAS株式会社
 
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
u86oixdj
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
g4dpvqap0
 
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
AbhimanyuSinha9
 
Analysis insight about a Flyball dog competition team's performance
Analysis insight about a Flyball dog competition team's performanceAnalysis insight about a Flyball dog competition team's performance
Analysis insight about a Flyball dog competition team's performance
roli9797
 
My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.
rwarrenll
 
The Building Blocks of QuestDB, a Time Series Database
The Building Blocks of QuestDB, a Time Series DatabaseThe Building Blocks of QuestDB, a Time Series Database
The Building Blocks of QuestDB, a Time Series Database
javier ramirez
 
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
slg6lamcq
 
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTESAdjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
Subhajit Sahu
 
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
axoqas
 
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
ahzuo
 

Recently uploaded (20)

Learn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queriesLearn SQL from basic queries to Advance queries
Learn SQL from basic queries to Advance queries
 
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
一比一原版(Deakin毕业证书)迪肯大学毕业证如何办理
 
Machine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptxMachine learning and optimization techniques for electrical drives.pptx
Machine learning and optimization techniques for electrical drives.pptx
 
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
哪里卖(usq毕业证书)南昆士兰大学毕业证研究生文凭证书托福证书原版一模一样
 
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
一比一原版(Adelaide毕业证书)阿德莱德大学毕业证如何办理
 
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
一比一原版(Dalhousie毕业证书)达尔豪斯大学毕业证如何办理
 
Nanandann Nilekani's ppt On India's .pdf
Nanandann Nilekani's ppt On India's .pdfNanandann Nilekani's ppt On India's .pdf
Nanandann Nilekani's ppt On India's .pdf
 
原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样
原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样
原版制作(Deakin毕业证书)迪肯大学毕业证学位证一模一样
 
Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...
Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...
Algorithmic optimizations for Dynamic Levelwise PageRank (from STICD) : SHORT...
 
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
【社内勉強会資料_Octo: An Open-Source Generalist Robot Policy】
 
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
原版制作(swinburne毕业证书)斯威本科技大学毕业证毕业完成信一模一样
 
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
一比一原版(爱大毕业证书)爱丁堡大学毕业证如何办理
 
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...Best best suvichar in gujarati english meaning of this sentence as Silk road ...
Best best suvichar in gujarati english meaning of this sentence as Silk road ...
 
Analysis insight about a Flyball dog competition team's performance
Analysis insight about a Flyball dog competition team's performanceAnalysis insight about a Flyball dog competition team's performance
Analysis insight about a Flyball dog competition team's performance
 
My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.My burning issue is homelessness K.C.M.O.
My burning issue is homelessness K.C.M.O.
 
The Building Blocks of QuestDB, a Time Series Database
The Building Blocks of QuestDB, a Time Series DatabaseThe Building Blocks of QuestDB, a Time Series Database
The Building Blocks of QuestDB, a Time Series Database
 
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
一比一原版(UniSA毕业证书)南澳大学毕业证如何办理
 
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTESAdjusting OpenMP PageRank : SHORT REPORT / NOTES
Adjusting OpenMP PageRank : SHORT REPORT / NOTES
 
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
做(mqu毕业证书)麦考瑞大学毕业证硕士文凭证书学费发票原版一模一样
 
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
一比一原版(UIUC毕业证)伊利诺伊大学|厄巴纳-香槟分校毕业证如何办理
 

2022-Db2-Securing_Your_data_in_motion.pdf

  • 1. Boston, MA Securing your data in motion with TLS Roland Schock Session Code: G10
  • 2. Agenda • Where to encrypt? What is SSL/TLS? • Learn about IBM GSKit, certificates and self-signed certificates and configure the server side of TLS encryption • Configure the client side of TLS encryption for CLI, ODBC and JDBC • Troubleshooting and verify your configuration, select the right ciphers for encryption • Current issues, open RFEs aka AHA ideas
  • 3. Moments of Encryption • Encryption during Authentication • Transmission of encrypted login credentials • Encryption in use • Encryption of single columns (by application code) • Encryption in motion • Data transmission over the wire is encrypted • Encryption at rest • Encryption of database and transaction log files on disk, tapes, etc.
  • 4. Default Configuration • Db2's default configuration is still based on assumptions of Db2 for OS/2. At that time simple configuration was preferred over security. • By default just simple authentication with plain text passwords over the wire • db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER • At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of encrypted passwords over the wire during Connect • Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were not prepared for modern encryption • Data is still transferred unencrypted • Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated) • ➔ Much better: Switch to SSL or TLS session encryption
  • 5. AUTHENTICATION = SERVER_ENCRYPT • Db2 engine takes care of encryption • Beside db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT other params have to be set to close other issues: db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC, TRUSTEDCLIENT_SRVRENC • DISABLE_CHGPASS disables password change during connect • OSAUTHDB points to local OS for user and group enumeration • JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4) • If you still have (very) old clients, set this option temporarily and monitor db2diag.log • db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
  • 6. Encryption with SSL • SSL is the synonym for encrypted communication via Secure Sockets Layer • SSL 1.0 was never published as standard • SSL 2.0 published February 1995; used until ~2011, deprecated due to security flaws • SSL v3, last version, deprecated, unsafe (e.g. POODLE attack). • TLS stands for Transport Layer Security and is successor of SSL • TLS 1.0 is successor of SSL v3 • TLS 1.1 published April 2006 and also has flaws • TLS 1.2 came in 2008 and was more widely used since the flaws of TLS 1.1 came up • TLS 1.3 is current since August 2018
  • 7. IBM Global Security Kit (1|2) • Which SSL/TLS version is supported by Db2? • Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit aka GSKit for it • GSKit is the OS extension for encrypted socket communication https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit- installation-gskit • GSKit gets automatically installed with server install. It's a separate install for Db2 client code • GSKit has the Highlander principle: There can only be one! • It gets especially interesting, if multiple IBM server products ship GSKit and try to install/use their own: • E.g. IBM Db2, TSM and MQ on a single machine
  • 8. IBM Global Security Kit (2|2) • GSKit V8 - Instructions to find current installed version details: https://www.ibm.com/support/pages/gskit-v8-instructions-find- current-installed-version-details • GSKit Versions Shipped with Db2: https://www.ibm.com/support/pages/gskit-versions-shipped-db2 • The current GSKit does not support TLS 1.3 yet and hence Db2 can only use up to TLS 1.2 for now • Breaking news: IBM is going to support TLS 1.3 for client/server, HADR, KMIP soon!
  • 9. Configuration steps for TLS encryption • Create a keyring for the server • Create a certificate for the server (self-signed or CA-signed) • Import the certificate in the keyring of the server
  • 10. Db2 server side: Create a keyring • User db2inst1: mkdir -p /home/db2inst1/SSL cd /home/db2inst1/SSL • echo "Create a keyring:" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash • Beware: There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it seems in some versions the 32-bit path is incorrect and returns "error while loading shared directories" • Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
  • 11. Db2 server side: Create CA-signed certs • echo "Create certification request to send to Root CA" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm" • echo "Send MyCertRequest.arm to CA to get it signed" • echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt -db "Db2_keydb.kdb" -stashed -format ascii • echo "CA returns: MyServerCert.crt" • echo "Import of MyServerCert.crt in your keyring" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
  • 12. Db2 server side: Create a self-signed certificate • echo "Not required by CA-signed certificate! This is an alternative!" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA • echo "Export of public signature for trust_db of clients" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" -format ascii -fips • Remark for self-signed certificates: • They are as secure as CA-signed certs, but require more work. More servers have to be trusted at clients and updated over time due to expiration. • Transfer of the public server signature to the client has to be secure to prevent man-in-the-middle attacks.
  • 13. How to verify keyring and certificate? (1|2) • echo "Verify a certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed • Certificate found: * Standard, - personal, ! reliable, # secret key ! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" ! "CN=ARS Root CA 01,DC=ARS,DC=de" - myserver_db2_4096 • echo "Verify key database" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
  • 14. How to verify keyring and certificate? (2|2) • echo "Verify a new certificate" /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed • Label : myserver_db2_4096 Key length : 4096 Version : X509 V3 Serial : 740000007415c7837855d62d17000000000074 Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de" Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE Not valid before : 17. April 2020 11:50:22 MESZ Not valid after : 20. July 2022 11:50:22 MESZ
  • 15. Configuration Server • echo "Instance configuration" db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096 db2 update dbm cfg using SSL_VERSIONS TLSV12 • echo "Insert SSL port in /etc/services file" vi /etc/services REM start notepad c:windowssystem32driversetcservices REM Append a line like: db2c_tlsinst1 50443 • echo "Set SSL_SVCENAME to port name and set DB2COMM" db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1 db2set DB2COMM=SSL,TCPIP • echo "Check if max_connections <= max_coordagents ➔ Connection Concentrator=OFF" • echo "Restart Instance to bring changes into effect" db2stop && sleep 5 && db2start
  • 16. Expired Server certificate • Entry in db2diag.log when the CA signed server certificate expires 2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error PID : 6292094 TID : 292736 PROC : db2sysc 0 INSTANCE: db2inst1 NODE : 000 DB : HOSTNAME: myhost EDUID : 292736 EDUNAME: db2agent () 0 FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30 MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the return code "401" in "sqlccSSLSocketSetup". • On client side SQL30081N A communication error has been detected. Communication protocol being used: "SSL". Communication API being used: "SOCKETS". Location where the error was detected: "". Communication function detecting the error: "sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*". SQLSTATE=08001 • Create a new CertRequest, get it signed from your CA and import it with a different label into the server keyring db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE • DBM Config SSL_SVR_LABEL is online updateable since V11.5.2 Check with db2pd -dbmcfg for current value in memory
  • 17. HADR and SSL • SSL for HADR has to be configured on the database side • Create keyrings and truststores on both sides, include Client side configuration on the other server and vice versa • In database configuration use label accordingly HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
  • 18. Configuration of CLI Client (1|2) • echo "Install GSKit on client machine (Fix central: Tivoli Global Security)" Install the binaries according to Db2 Knowledge Center https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions • echo "Create a client keyring" mkdir -p ~/SSL && cd ~/SSL /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "client_trust.kdb" -pw "MyPass" -stash • echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips • echo "Not required for CA-signed certificates: Import your self-signed certificate" /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kbd" -stashed -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm -format ascii -fips
  • 19. Configuration of CLI Client (2|2) • Update client instance configuration : db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth For Windows Clients, if Root-CA signature is available in Windows Trust Store: db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE db2 update dbm cfg using SSL_CLNT_STASH NULL Set PATH and LIB to the according directories for 32-bit and 64-bit binaries: set PATH=C:PROGRA~1IBMGSKITBIN; C:PROGRA~2IBMGSKITBIN;%PATH% set LIB=C:PROGRA~1IBMGSKITLIB64;C:PROGRA~2IBMGSKITLIB;%LIB% • Catalog your node db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL db2 catalog db SAMPLE at node INST1SSL
  • 20. JDBC connections • JDBC is simple to configure! Server side configured as above • Trust Store get's created with Java JDK keytool instead of GSKit : (In this example with a self-signed certificate) keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file myserver_db2_public_key.arm -noprompt keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file • JDBC connection string looks like: jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslT rustStorePassword=cacerts;sslTrustStoreType=JKS; • Remark: Some applications might use their own JDK and maybe they have a separate trust store then Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
  • 21. IBM Data Server Driver for ODBC and CLI • Small footprint drivers for Db2; just unpack ZIP archive and set paths e.g. for Linux export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH • Database can get catalogued via db2cli.ini or db2dsdriver.cfg Either use sample templates or db2cli commands: • Examples: db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter "SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb" db2cli validate db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya' • Trust store must be in CMS format. • Root CAs can be included automatically to keyring, if sent as Trust store .arm file on first connect
  • 22. Configuration for WAS Liberty profile •
  • 23. Check usage of secure connections • Which application is now using a TLS connection? SELECT substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID, substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME, substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST, CLIENT_PROTOCOL AS PROTOCOL, CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME, SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID, SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID, COUNT(*) AS COUNT FROM TABLE ( mon_get_connection( NULL, -2 )) GROUP BY CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME, CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID, SESSION_AUTH_ID ORDER BY 1,2,3,4,5,6
  • 24. Ciphers and encryption methods • https://scotthelme.co.uk/https-cheat-sheet/
  • 25. Ciphers and Db2 (1|2) • During SSL handshake client and server negotiate the most secure encryption method. If no compatible method was found, connection fails. The order of so called Cipher Suites cannot be changed. • If SSL_VERSIONS was set to TLSv12, following SSL_CIPHERSPECS are usable: ▪ TLS_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 ▪ TLS_RSA_WITH_AES_256_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_256_CBC_SHA ▪ TLS_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ▪ TLS_RSA_WITH_AES_128_CBC_SHA
  • 26. Ciphers and Db2 (2|2) • Configure ciphers in Db2 (length max 255 chars): db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 • Whatever Cipher is finally used cannot be retrieved (GSKit doesn't feed this back to Db2)
  • 27. Support us! (1|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984 • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
  • 28. Support us! (2|2) • https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
  • 29. Technotes • Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS: internal test failed, interface disabled" https://www.ibm.com/support/pages/node/6356455 Problem: The internal self-test in GSKit fails when it can't get sufficient entropy via hardware or software RNG (Random Number Generation). This can cause the Db2 instance to stop functioning correctly, and will require a restart of the instance.
  • 30. Further links • Step-by-Step Instructions to Configure a Secure Database System, Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121 • Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3, https://www.ibm.com/support/pages/apar/IC85574 • SSL/TLS: How to choose your cipher suite https://technology.amis.nl/2017/07/04/ssltls-choose-cipher- suite/
  • 31. SSL and Db2 on (IBM) Cloud • Supporting links to use Db2 on Cloud with SSL/TLS Short compact configuration guide for Db2 on Cloud: https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support How to connect to Db2 on Cloud, connect options https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options SSL as requirement for IAM-based authentication https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly suggested to protect the token with TLS https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.s ec.doc/doc/c_token_auth.html
  • 32. Thank You Speaker: Roland Schock Email Address: roland.schock@arcor.de Session Code: G10 Please fill out your session evaluation before leaving!