Learn how to set up encrypted access to an IBM Db2 database running under Linux, Unix and Windows. Details on how to configure the client side are also given.
2. Agenda
• Where to encrypt? What is SSL/TLS?
• Learn about IBM GSKit, certificates and self-signed certificates, and configure the server side of TLS encryption
• Configure the client side of TLS encryption for CLI, ODBC and JDBC
• Troubleshooting, verifying your configuration and selecting the right ciphers for encryption
• Current issues, open RFEs aka AHA ideas
3. Moments of Encryption
• Encryption during Authentication
  • Transmission of encrypted login credentials
• Encryption in use
  • Encryption of single columns (by application code)
• Encryption in motion
  • Data transmission over the wire is encrypted
• Encryption at rest
  • Encryption of database and transaction log files on disk, tapes, etc.
4. Default Configuration
• Db2's default configuration is still based on assumptions from Db2 for OS/2. At that time simple configuration was preferred over security.
• By default there is just simple authentication with plain-text passwords over the wire
  • db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER
• At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of encrypted passwords over the wire during Connect
  • Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were not prepared for modern encryption
• Data is still transferred unencrypted
  • Solution: db2 update dbm cfg using AUTHENTICATION DATA_ENCRYPT (deprecated)
  • ➔ Much better: switch to SSL or TLS session encryption
5. AUTHENTICATION = SERVER_ENCRYPT
• The Db2 engine takes care of encryption
• Besides db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT, other parameters have to be set to close other issues:
  db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP
  db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC,TRUSTEDCLIENT_SRVRENC
  • DISABLE_CHGPASS disables password change during connect
  • OSAUTHDB points to the local OS for user and group enumeration
  • JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4)
  • If you still have (very) old clients, set the following option temporarily and monitor db2diag.log:
    db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
6. Encryption with SSL
• SSL is the synonym for encrypted communication via Secure Sockets Layer
  • SSL 1.0 was never published as a standard
  • SSL 2.0 was published in February 1995; used until ~2011, deprecated due to security flaws
  • SSL v3, the last version, is deprecated and unsafe (e.g. POODLE attack)
• TLS stands for Transport Layer Security and is the successor of SSL
  • TLS 1.0 is the successor of SSL v3
  • TLS 1.1 was published in April 2006 and also has flaws
  • TLS 1.2 came in 2008 and became more widely used as the flaws of TLS 1.1 came up
  • TLS 1.3 is current since August 2018
7. IBM Global Security Kit (1|2)
• Which SSL/TLS version is supported by Db2?
• Db2 itself does not provide SSL/TLS encryption but uses the IBM Global Security Kit aka GSKit for it
• GSKit is the OS extension for encrypted socket communication
  https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit-installation-gskit
• GSKit gets installed automatically with the server install. It is a separate install for Db2 client code
• GSKit has the Highlander principle: There can be only one!
  • It gets especially interesting if multiple IBM server products ship GSKit and try to install/use their own:
  • E.g. IBM Db2, TSM and MQ on a single machine
8. IBM Global Security Kit (2|2)
• GSKit V8 - Instructions to find current installed version details:
  https://www.ibm.com/support/pages/gskit-v8-instructions-find-current-installed-version-details
• GSKit Versions Shipped with Db2:
  https://www.ibm.com/support/pages/gskit-versions-shipped-db2
• The current GSKit does not support TLS 1.3 yet and hence Db2 can only use up to TLS 1.2 for now
• Breaking news: IBM is going to support TLS 1.3 for client/server, HADR and KMIP soon!
9. Configuration steps for TLS encryption
• Create a keyring for the server
• Create a certificate for the server (self-signed or CA-signed)
• Import the certificate in the keyring of the server
10. Db2 server side: Create a keyring
• As user db2inst1:
  mkdir -p /home/db2inst1/SSL
  cd /home/db2inst1/SSL
• echo "Create a keyring:"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash
• The -stash option writes the keyring password to Db2_keydb.sth so the instance can open the keyring without a prompt; keep the SSL directory readable by the instance owner only.
• Beware: There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it seems in some versions the 32-bit path is incorrect and returns "error while loading shared libraries"
  • Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
11. Db2 server side: Create CA-signed certs
• echo "Create a certificate request to send to the Root CA"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" \
    -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" \
    -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 \
    -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm"
• echo "Send MyCertRequest.arm to the CA to get it signed"
• echo "Add the certificates of the Root CA and any intermediates (otherwise SQL30081N with -414)"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt \
    -db "Db2_keydb.kdb" -stashed -format ascii
• echo "CA returns: MyServerCert.crt"
• echo "Import MyServerCert.crt into your keyring"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive \
    -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
12. Db2 server side: Create a self-signed certificate
• echo "Not required with a CA-signed certificate! This is an alternative!"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create \
    -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 \
    -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 \
    -sig_alg SHA256_WITH_RSA
• echo "Export the public signature for the trust_db of the clients"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" \
    -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" \
    -format ascii -fips
• Remarks on self-signed certificates:
  • They are as secure as CA-signed certs, but require more work: more server certificates have to be trusted at the clients and updated over time due to expiration.
  • The transfer of the public server signature to the client has to be secure to prevent man-in-the-middle attacks.
13. How to verify keyring and certificate? (1|2)
• echo "Verify a certificate"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed
• Certificates found:
  * Standard, - personal, ! reliable, # secret key
  ! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
  ! "CN=ARS Root CA 01,DC=ARS,DC=de"
  - myserver_db2_4096
• echo "Verify key database"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
14. How to verify keyring and certificate? (2|2)
• echo "Verify a new certificate"
  /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed
• Output:
  Label : myserver_db2_4096
  Key length : 4096
  Version : X509 V3
  Serial : 740000007415c7837855d62d17000000000074
  Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
  Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
  Not valid before : 17. April 2020 11:50:22 MESZ
  Not valid after : 20. July 2022 11:50:22 MESZ
15. Configuration Server
• echo "Instance configuration"
  db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb
  db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth
  db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096
  db2 update dbm cfg using SSL_VERSIONS TLSV12
• echo "Insert the SSL port in the /etc/services file"
  vi /etc/services
  REM On Windows: start notepad c:\windows\system32\drivers\etc\services
  REM Append a line like: db2c_tlsinst1 50443/tcp
• echo "Set SSL_SVCENAME to the port name and set DB2COMM"
  db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1
  db2set DB2COMM=SSL,TCPIP
• echo "Check that max_connections <= max_coordagents ➔ Connection Concentrator=OFF"
• echo "Restart the instance to bring the changes into effect"
  db2stop && sleep 5 && db2start
16. Expired Server certificate
• Entry in db2diag.log when the CA-signed server certificate expires:
  2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
  PID : 6292094 TID : 292736 PROC : db2sysc 0
  INSTANCE: db2inst1 NODE : 000 DB :
  HOSTNAME: myhost
  EDUID : 292736 EDUNAME: db2agent () 0
  FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
  MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
  return code "401" in "sqlccSSLSocketSetup".
• On the client side:
  SQL30081N A communication error has been detected. Communication protocol
  being used: "SSL". Communication API being used: "SOCKETS". Location where
  the error was detected: "". Communication function detecting the error:
  "sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*".
  SQLSTATE=08001
• Create a new CertRequest, get it signed by your CA and import it with a different label into the server keyring:
  db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE
• The DBM config parameter SSL_SVR_LABEL is online updateable since V11.5.2. Check with db2pd -dbmcfg for the current value in memory.
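The following script checks the server-side configuration from slides 15 and 16 after the fact: it verifies the five SSL parameters of the DBM configuration, DB2COMM, the services entry, and explains the GSKit return codes the deck names (401 expired certificate, 414 missing CA chain) when they show up in db2diag.log. It is an added example, not code from the deck; the sample configuration, services and diag texts inside it are constructed, and the db2diag.log path in run_live assumes the default DIAGPATH.

```shell
#!/bin/sh
# Post-configuration check for the Db2 TLS setup from slides 15 and 16.
# Assumed helper script, not part of the deck. The sample texts below are
# CONSTRUCTED to resemble "db2 get dbm cfg", "db2set DB2COMM", /etc/services
# and the db2diag.log entry of slide 16; on a real instance use run_live instead.

# GSKit return codes named in the deck: 401 = server certificate expired,
# 414 = root/intermediate CA missing from the keyring (SQL30081N with -414).
gsk_rc_meaning() {
    case "$1" in
        401) echo "server certificate expired: request a new cert, import it under a new label, update SSL_SVR_LABEL" ;;
        414) echo "certificate chain not trusted: add the root CA and intermediates to the keyring" ;;
        *)   echo "unmapped GSKit return code $1" ;;
    esac
}

# Print the value of one parameter from "db2 get dbm cfg" text on stdin.
# Lines look like: "SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/SSL/Db2_keydb.kdb"
dbm_cfg_value() {
    awk -v key="($1)" 'index($0, key) { sub(/.*= */, ""); print; exit }'
}

# The parameters set on slide 15 must be present and SSL_VERSIONS must be TLSV12.
# $1 = dbm cfg text. Returns 0 when complete, 1 otherwise (problems on stdout).
check_dbm_cfg() {
    cfg="$1"; bad=0
    for p in SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVR_LABEL SSL_SVCENAME; do
        v=$(printf '%s\n' "$cfg" | dbm_cfg_value "$p")
        [ -n "$v" ] || { echo "MISSING: $p is not set"; bad=1; }
    done
    v=$(printf '%s\n' "$cfg" | dbm_cfg_value SSL_VERSIONS)
    [ "$v" = "TLSV12" ] || { echo "WEAK: SSL_VERSIONS='$v', expected TLSV12"; bad=1; }
    return $bad
}

# DB2COMM (output of "db2set DB2COMM") must list SSL, otherwise no TLS listener starts.
check_db2comm() {
    case ",$1," in
        *,SSL,*) return 0 ;;
        *) echo "MISSING: DB2COMM='$1' does not include SSL"; return 1 ;;
    esac
}

# Resolve a service name to its port from a services file ($1 file, $2 name).
# Accepts both "db2c_tlsinst1 50443/tcp" and the deck's "db2c_tlsinst1 50443".
services_port() {
    awk -v name="$2" '$1 == name { sub(/\/.*/, "", $2); print $2; exit }' "$1"
}

# Scan db2diag.log text on stdin for DIA3604E SSL failures and explain each return code.
diag_ssl_errors() {
    grep -o 'return code "[0-9]*"' | sed 's/.*"\([0-9]*\)"/\1/' | sort -u |
    while read -r rc; do
        echo "db2diag: GSKit rc $rc: $(gsk_rc_meaning "$rc")"
    done
}

# ---- constructed samples ----
GOOD_DBM_CFG='SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/SSL/Db2_keydb.kdb
SSL server stash file (SSL_SVR_STASH) = /home/db2inst1/SSL/Db2_keydb.sth
SSL server certificate label (SSL_SVR_LABEL) = myserver_db2_4096
SSL versions (SSL_VERSIONS) = TLSV12
SSL service name (SSL_SVCENAME) = db2c_tlsinst1'
# Same instance before slide 15 was applied: no label, no version pinned.
BAD_DBM_CFG='SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/SSL/Db2_keydb.kdb
SSL server stash file (SSL_SVR_STASH) = /home/db2inst1/SSL/Db2_keydb.sth
SSL server certificate label (SSL_SVR_LABEL) =
SSL versions (SSL_VERSIONS) =
SSL service name (SSL_SVCENAME) = db2c_tlsinst1'
# Excerpt modelled on the slide 16 db2diag.log entry for an expired certificate.
SAMPLE_DIAG='FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
return code "401" in "sqlccSSLSocketSetup".'

# Run the same checks against live output on a server (as the instance owner).
run_live() {
    cfg=$(db2 get dbm cfg)
    check_dbm_cfg "$cfg" && check_db2comm "$(db2set DB2COMM)" &&
    [ -n "$(services_port /etc/services "$(printf '%s\n' "$cfg" | dbm_cfg_value SSL_SVCENAME)")" ] &&
    diag_ssl_errors < ~/sqllib/db2dump/db2diag.log   # adjust to your DIAGPATH
}

# Demonstration on the constructed samples.
check_dbm_cfg "$GOOD_DBM_CFG" && echo "sample 1: dbm cfg complete"
check_dbm_cfg "$BAD_DBM_CFG" || echo "sample 2: dbm cfg incomplete"
printf '%s\n' "$SAMPLE_DIAG" | diag_ssl_errors
```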
17. HADR and SSL
• SSL for HADR has to be configured on the database side
• Create keyrings and truststores on both sides; apply the client-side configuration on the respective other server and vice versa
• In the database configuration use the label accordingly:
  HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel
  HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
18. Configuration of CLI Client (1|2)
• echo "Install GSKit on the client machine (Fix Central: Tivoli Global Security)"
  Install the binaries according to the Db2 Knowledge Center:
  https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions
• echo "Create a client keyring"
  mkdir -p ~/SSL && cd ~/SSL
  /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create \
    -db "client_trust.kdb" -pw "MyPass" -stash
• echo "Add the root certificate and any intermediates (otherwise SQL30081N with -414)"
  /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add \
    -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips
• echo "Not required for CA-signed certificates: Import your self-signed certificate"
  /home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed \
    -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm \
    -format ascii -fips
19. Configuration of CLI Client (2|2)
• Update client instance configuration :
db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb
db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth
For Windows clients, if the root CA certificate is available in the Windows trust store:
db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
db2 update dbm cfg using SSL_CLNT_STASH NULL
Set PATH and LIB to the according directories for 32-bit and 64-bit binaries:
set PATH=C:\PROGRA~1\IBM\GSKIT\BIN;C:\PROGRA~2\IBM\GSKIT\BIN;%PATH%
set LIB=C:\PROGRA~1\IBM\GSKIT\LIB64;C:\PROGRA~2\IBM\GSKIT\LIB;%LIB%
• Catalog your node
db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL
db2 catalog db SAMPLE at node INST1SSL
20. JDBC connections
• JDBC is simple to configure! Server side is configured as above
• The trust store gets created with the Java JDK keytool instead of GSKit:
(In this example with a self-signed certificate)
keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks
-file myserver_db2_public_key.arm -noprompt
keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks
• JDBC connection string looks like:
jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslTrustStorePassword=cacerts;sslTrustStoreType=JKS;
• Remark:
Some applications ship their own JDK and may then use a separate trust store
Check with "dir /s /b cacerts" (Windows) or "find . -name cacerts -type f" (Linux/Unix) in the application directory
21. IBM Data Server Driver for ODBC and CLI
• Small-footprint drivers for Db2; just unpack the ZIP archive and set the paths, e.g. for Linux:
export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver
export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH
• Databases can be catalogued via db2cli.ini or db2dsdriver.cfg
Either use the sample templates or db2cli commands:
• Examples:
db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter
"SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb"
db2cli validate
db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya'
• Trust store must be in CMS format.
• Root CAs can be added to the keyring automatically if they are supplied as a trust store .arm file on first connect
23. Check usage of secure connections
• Which application is now using a TLS connection?
SELECT
substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID,
substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME,
substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST,
CLIENT_PROTOCOL AS PROTOCOL,
CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME,
SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID,
SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID,
COUNT(*) AS COUNT
FROM
TABLE ( mon_get_connection( NULL, -2 ))
GROUP BY
CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME,
CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID,
SESSION_AUTH_ID
ORDER BY
1,2,3,4,5,6
25. Ciphers and Db2 (1|2)
• During the SSL handshake client and server negotiate the most secure encryption
method both support. If no compatible method is found, the connection fails. The order
of the so-called cipher suites cannot be changed.
• If SSL_VERSIONS is set to TLSv12, the following SSL_CIPHERSPECS are usable:
▪ TLS_RSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
▪ TLS_RSA_WITH_AES_256_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
▪ TLS_RSA_WITH_AES_256_CBC_SHA
▪ TLS_RSA_WITH_AES_128_GCM_SHA256
▪ TLS_RSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
▪ TLS_RSA_WITH_AES_128_CBC_SHA
26. Ciphers and Db2 (2|2)
• Configure ciphers in Db2 (one comma-separated value, length max 255 chars):
db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• Which cipher is finally used cannot be retrieved from Db2 (GSKit doesn't
feed this back to Db2)
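Because the negotiated suite is neither orderable nor reported back, the only lever on the Db2 side is which suites go into SSL_CIPHERSPECS. The following POSIX shell helper is an added example, not part of the deck: it assembles that value from the TLSv12 suite names listed above, keeps only ECDHE suites (forward secrecy), drops CBC suites in "strict" mode, refuses names outside the list, and enforces the 255-character limit. The function names and the strict/lenient switch are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the deck: build and sanity-check a value for the Db2
# SSL_CIPHERSPECS parameter before handing it to "db2 update dbm cfg".
# Assumption: DB2_TLS12_SUITES is the list the deck gives for SSL_VERSIONS=TLSv12;
# build_cipherspecs / cipherspecs_update_cmd and the strict/lenient mode are ours.

DB2_TLS12_SUITES="TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA"

# build_cipherspecs MODE SUITE...  MODE is "strict" (drop CBC suites) or "lenient".
# Prints the comma-separated value on stdout; returns 1 on a hard error.
build_cipherspecs() {
    mode=$1; shift
    known=" $(printf '%s' "$DB2_TLS12_SUITES" | tr '\n' ' ') "
    value=""
    for suite in "$@"; do
        suite=$(printf '%s' "$suite" | tr -d '[:space:],')   # copy/paste residue
        case "$known" in
            *" $suite "*) ;;
            *) echo "not a TLSv12 suite Db2 accepts: $suite" >&2; return 1 ;;
        esac
        case "$suite" in
            TLS_ECDHE_*) ;;
            *) echo "skipped, no forward secrecy: $suite" >&2; continue ;;
        esac
        if [ "$mode" = strict ]; then
            case "$suite" in
                *_CBC_*) echo "skipped in strict mode (CBC): $suite" >&2; continue ;;
            esac
        fi
        case ",$value," in *",$suite,"*) continue ;; esac    # drop duplicates
        value="${value:+$value,}$suite"
    done
    [ -n "$value" ] || { echo "no usable suite left" >&2; return 1; }
    if [ "${#value}" -gt 255 ]; then
        echo "value is ${#value} chars, Db2 limit is 255" >&2; return 1
    fi
    printf '%s\n' "$value"
}

# Print the CLP command for review instead of running it; execute it yourself
# (db2 attach first) once the printed value is what you want.
cipherspecs_update_cmd() {
    v=$(build_cipherspecs "$@") || return 1
    printf 'db2 update dbm cfg using SSL_CIPHERSPECS %s\n' "$v"
}
```

Run with the four suites from the deck's own update example in strict mode and only the two ECDHE GCM suites survive; passing all 18 listed suites in lenient mode is rejected because the ECDHE subset alone exceeds 255 characters.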
27. Support us! (1|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
28. Support us! (2|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
29. Technotes
• Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS:
internal test failed, interface disabled"
https://www.ibm.com/support/pages/node/6356455
Problem:
The internal self-test in GSKit fails when it can't get sufficient
entropy via hardware or software RNG (Random Number
Generation). This can cause the Db2 instance to stop functioning
correctly, and will require a restart of the instance.
30. Further links
• Step-by-Step Instructions to Configure a Secure Database System,
Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121
• Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I
LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3,
https://www.ibm.com/support/pages/apar/IC85574
• SSL/TLS: How to choose your cipher suite
https://technology.amis.nl/2017/07/04/ssltls-choose-cipher-suite/
31. SSL and Db2 on (IBM) Cloud
• Supporting links to use Db2 on Cloud with SSL/TLS
Short compact configuration guide for Db2 on Cloud:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support
How to connect to Db2 on Cloud, connect options
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options
SSL as requirement for IAM-based authentication
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs
If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly
suggested to protect the token with TLS
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c_token_auth.html
32. Thank You
Speaker: Roland Schock
Email Address: roland.schock@arcor.de
Session Code: G10
Please fill out your session evaluation before leaving!