Boston, MA
Securing your data
in motion with TLS
Roland Schock
Session Code: G10
Agenda
• Where to encrypt? What is SSL/TLS?
• Learn about IBM GSKit, certificates and self-signed certificates and
configure the server side of TLS encryption
• Configure the client side of TLS encryption for CLI, ODBC and JDBC
• Troubleshoot and verify your configuration, select the right
ciphers for encryption
• Current issues, open RFEs aka AHA ideas
Moments of Encryption
• Encryption during Authentication
• Transmission of encrypted login credentials
• Encryption in use
• Encryption of single columns (by application code)
• Encryption in motion
• Data transmission over the wire is encrypted
• Encryption at rest
• Encryption of database and transaction log files on disk, tapes, etc.
Default Configuration
• Db2's default configuration is still based on assumptions of Db2 for OS/2.
At that time simple configuration was preferred over security.
• By default just simple authentication with plain text passwords over the wire
• db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER
• At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of
encrypted passwords over the wire during Connect
• Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were
not prepared for modern encryption
• Data is still transferred unencrypted
• Solution: db2 update dbm cfg using AUTHENTICATION=DATA_ENCRYPT (=deprecated)
• ➔ Much better: Switch to SSL or TLS session encryption
AUTHENTICATION = SERVER_ENCRYPT
• Db2 engine takes care of encryption
• Besides db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT, other parameters
have to be set to close the remaining gaps:
db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP
db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC,TRUSTEDCLIENT_SRVRENC
• DISABLE_CHGPASS disables password change during connect
• OSAUTHDB points to local OS for user and group enumeration
• JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4)
• If you still have (very) old clients, set this option temporarily and monitor
db2diag.log
• db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
Encryption with SSL
• SSL is the synonym for encrypted communication via Secure Sockets Layer
• SSL 1.0 was never published as a standard
• SSL 2.0 published February 1995; used until ~2011, deprecated due to security flaws
• SSL v3, last version, deprecated, unsafe (e.g. POODLE attack)
• TLS stands for Transport Layer Security and is the successor of SSL
• TLS 1.0 is the successor of SSL v3
• TLS 1.1 published April 2006 and also has flaws
• TLS 1.2 came in 2008 and became more widely used once the flaws of TLS 1.1 came up
• TLS 1.3 is current since August 2018
IBM Global Security Kit (1|2)
• Which SSL/TLS version is supported by Db2?
• Db2 itself does not provide SSL/TLS encryption but uses the IBM Global Security Kit,
aka GSKit, for it
• GSKit is the OS extension for encrypted socket communication
https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit-installation-gskit
• GSKit gets installed automatically with the server install. It's a separate install for
the Db2 client code
• GSKit follows the Highlander principle: There can only be one!
• It gets especially interesting if multiple IBM server products ship GSKit
and try to install/use their own:
• E.g. IBM Db2, TSM and MQ on a single machine
IBM Global Security Kit (2|2)
• GSKit V8 - Instructions to find current installed version details:
https://www.ibm.com/support/pages/gskit-v8-instructions-find-current-installed-version-details
• GSKit Versions Shipped with Db2:
https://www.ibm.com/support/pages/gskit-versions-shipped-db2
• The current GSKit does not support TLS 1.3 yet and hence Db2 can
only use up to TLS 1.2 for now
• Breaking news: IBM is going to support TLS 1.3 for client/server,
HADR, KMIP soon!
Configuration steps for TLS encryption
• Create a keyring for the server
• Create a certificate for the server (self-signed or CA-signed)
• Import the certificate in the keyring of the server
Db2 server side: Create a keyring
• User db2inst1:
mkdir -p /home/db2inst1/SSL
cd /home/db2inst1/SSL
• echo "Create a keyring:"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash
• Beware:
There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it
seems in some versions the 32-bit path is incorrect and returns "error while
loading shared directories"
• Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
Db2 server side: Create CA-signed certs
• echo "Create certification request to send to Root CA"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm"
• echo "Send MyCertRequest.arm to CA to get it signed"
• echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt -db "Db2_keydb.kdb" -stashed -format ascii
• echo "CA returns: MyServerCert.crt"
• echo "Import of MyServerCert.crt in your keyring"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
Db2 server side: Create a self-signed
certificate
• echo "Not required with a CA-signed certificate! This is the alternative!"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA
• echo "Export of the public certificate for the trust_db of clients"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" -format ascii -fips
• Remark for self-signed certificates:
• They are as secure as CA-signed certs, but require more work: every server certificate has to be trusted
at the clients and updated over time when it expires.
• Transfer of the public server certificate to the client has to be secure to prevent man-in-the-middle
attacks.
How to verify keyring and certificate? (1|2)
• echo "Verify a certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed
• Certificate found:
* Standard, - personal, ! reliable, # secret key
! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
! "CN=ARS Root CA 01,DC=ARS,DC=de"
- myserver_db2_4096
• echo "Verify key database"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
How to verify keyring and certificate? (2|2)
• echo "Verify a new certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed
• Label : myserver_db2_4096
Key length : 4096
Version : X509 V3
Serial : 740000007415c7837855d62d17000000000074
Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
Not valid before : 17. April 2020 11:50:22 MESZ
Not valid after : 20. July 2022 11:50:22 MESZ
Configuration Server
• echo "Instance configuration"
db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth
db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096
db2 update dbm cfg using SSL_VERSIONS TLSV12
• echo "Insert SSL port in /etc/services file"
vi /etc/services
REM start notepad c:\windows\system32\drivers\etc\services
REM Append a line like: db2c_tlsinst1 50443
• echo "Set SSL_SVCENAME to port name and set DB2COMM"
db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1
db2set DB2COMM=SSL,TCPIP
• echo "Check if max_connections <= max_coordagents ➔ Connection Concentrator=OFF"
• echo "Restart Instance to bring changes into effect"
db2stop && sleep 5 && db2start
Expired Server certificate
• Entry in db2diag.log when the CA-signed server certificate expires
2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
PID : 6292094 TID : 292736 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB :
HOSTNAME: myhost
EDUID : 292736 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
return code "401" in "sqlccSSLSocketSetup".
• On client side
SQL30081N A communication error has been detected. Communication protocol
being used: "SSL". Communication API being used: "SOCKETS". Location where
the error was detected: "". Communication function detecting the error:
"sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*".
SQLSTATE=08001
• Create a new CertRequest, get it signed by your CA and import it
with a different label into the server keyring
db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE
• DBM config parameter SSL_SVR_LABEL is online updatable since V11.5.2
Check with db2pd -dbmcfg for the current value in memory
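As an added example (not from the deck), a small Python check that turns the two diagnostics above into something monitorable: it parses the `-cert -details` output from the verification slide for the "Not valid after" date and scans db2diag.log records for the DIA3604E message shown here. The sample output and log records are constructed to match the formats on these slides; the return-code hints are limited to what the deck itself states about 401, 414 and 420.

```python
"""Added example, not from the deck: check the server certificate lifetime from
`gsk8capicmd_64 -cert -details` output and pull DIA3604E SSL failures out of
db2diag.log. Both inputs below are constructed samples in the slides' formats."""
import re
from datetime import datetime

# Constructed sample in the shape of `gsk8capicmd_64 -cert -details -label ...`
CERT_DETAILS = """\
Label : myserver_db2_4096
Key length : 4096
Version : X509 V3
Serial : 740000007415c7837855d62d17000000000074
Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
Not valid before : 17. April 2020 11:50:22 MESZ
Not valid after : 20. July 2022 11:50:22 MESZ
"""

# Constructed sample db2diag.log: the deck's DIA3604E record plus one unrelated record
DB2DIAG = """\
2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
PID : 6292094 TID : 292736 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB :
HOSTNAME: myhost
EDUID : 292736 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
return code "401" in "sqlccSSLSocketSetup".
2022-07-26-11.20.00.000000+120 I6820900A200 LEVEL: Info
PID : 6292094 TID : 1 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB :
HOSTNAME: myhost
MESSAGE : Constructed non-SSL record, must be ignored by the parser.
"""

# Hints restricted to what the deck shows for these return codes
RC_HINTS = {
    "401": "server side when the CA-signed server certificate has expired",
    "414": "CA root or intermediate certificate missing from the keyring",
    "420": "client side (SQL30081N) while the server certificate is expired",
}

# A db2diag.log record starts with a timestamp like 2022-07-26-11.16.21.218655+120
RECORD_START = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2}-\d{2}\.\d{2}\.\d{2}\.\d+[+-]\d+ )")
# The DIA3604E message wraps onto two lines, hence \s+ between the parts
DIA3604E = re.compile(
    r'DIA3604E The SSL function "(?P<func>\w+)" failed with the\s+'
    r'return code "(?P<rc>\d+)" in "(?P<where>\w+)"')


def parse_not_valid_after(details: str) -> datetime:
    """Read the 'Not valid after' line. GSKit prints it in the server's locale
    (here with the German zone name MESZ); the zone token is dropped and the
    value treated as local time, which is enough for an expiry countdown."""
    m = re.search(r"^Not valid after\s*:\s*(.+)$", details, re.MULTILINE)
    if not m:
        raise ValueError("no 'Not valid after' line in gsk8capicmd output")
    text = re.sub(r"\s+[A-Z]{3,5}$", "", m.group(1).strip())
    return datetime.strptime(text, "%d. %B %Y %H:%M:%S")


def days_until_expiry(details: str, now_iso: str) -> int:
    """Whole days left (negative once expired); now_iso is an ISO 8601 local time."""
    return (parse_not_valid_after(details) - datetime.fromisoformat(now_iso)).days


def expiry_status(details: str, now_iso: str, warn_days: int = 30) -> str:
    """OK / RENEW_SOON / EXPIRED, so a scheduled job can renew before DIA3604E appears."""
    days = days_until_expiry(details, now_iso)
    if days < 0:
        return "EXPIRED"
    return "RENEW_SOON" if days <= warn_days else "OK"


def ssl_failures(diag: str) -> list:
    """One dict per db2diag.log record that carries a DIA3604E SSL error."""
    found = []
    for rec in RECORD_START.split(diag):
        m = DIA3604E.search(rec)
        if not m:
            continue
        found.append({
            "time": rec.split(" ", 1)[0],
            "function": m.group("func"),
            "rc": m.group("rc"),
            "where": m.group("where"),
            "hint": RC_HINTS.get(m.group("rc"), "look up the GSKit return code"),
        })
    return found


if __name__ == "__main__":
    today = datetime.now().replace(microsecond=0).isoformat()
    print("certificate:", expiry_status(CERT_DETAILS, today),
          days_until_expiry(CERT_DETAILS, today), "days left")
    for f in ssl_failures(DB2DIAG):
        print(f"{f['time']} {f['function']} rc={f['rc']} in {f['where']}: {f['hint']}")
```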
HADR and SSL
• SSL for HADR has to be configured on the database side
• Create keyrings and truststores on both sides; add the client-side
configuration for the other server and vice versa
• In the database configuration use the label accordingly:
HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel
HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
Configuration of CLI Client (1|2)
• echo "Install GSKit on client machine (Fix central: Tivoli Global Security)"
Install the binaries according to Db2 Knowledge Center
https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions
• echo "Create a client keyring"
mkdir -p ~/SSL && cd ~/SSL
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "client_trust.kdb" -pw "MyPass" -stash
• echo "Add the root certificate and any intermediates (otherwise SQL30081N with -414)"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips
• echo "Not required for CA-signed certificates: Import your self-signed certificate"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm -format ascii -fips
Configuration of CLI Client (2|2)
• Update the client instance configuration:
db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb
db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth
For Windows clients, if the Root-CA certificate is available in the Windows trust store:
db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
db2 update dbm cfg using SSL_CLNT_STASH NULL
Set PATH and LIB to the respective directories for the 32-bit and 64-bit binaries:
set PATH=C:\PROGRA~1\IBM\GSKIT\BIN;C:\PROGRA~2\IBM\GSKIT\BIN;%PATH%
set LIB=C:\PROGRA~1\IBM\GSKIT\LIB64;C:\PROGRA~2\IBM\GSKIT\LIB;%LIB%
• Catalog your node
db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL
db2 catalog db SAMPLE at node INST1SSL
JDBC connections
• JDBC is simple to configure! Server side configured as above
• The trust store gets created with the Java JDK keytool instead of GSKit
(in this example with a self-signed certificate):
keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file myserver_db2_public_key.arm -noprompt
keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks
• The JDBC connection string looks like:
jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslTrustStorePassword=cacerts;sslTrustStoreType=JKS;
• Remark:
Some applications ship their own JDK and then may have a separate trust store.
Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
IBM Data Server Driver for ODBC and CLI
• Small footprint drivers for Db2; just unpack the ZIP archive and set the paths, e.g. for Linux:
export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver
export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH
• The database can be catalogued via db2cli.ini or db2dsdriver.cfg.
Either use the sample templates or db2cli commands:
• Examples:
db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter "SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb"
db2cli validate
db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya'
• The trust store must be in CMS format.
• Root CAs can be added to the keyring automatically if the trust store is supplied as an .arm file on the first connect
Configuration for WAS Liberty profile
Check usage of secure connections
• Which application is now using a TLS connection?
SELECT
substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID,
substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME,
substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST,
CLIENT_PROTOCOL AS PROTOCOL,
CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME,
SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID,
SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID,
COUNT(*) AS COUNT
FROM
TABLE ( mon_get_connection( NULL, -2 ))
GROUP BY
CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME,
CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID,
SESSION_AUTH_ID
ORDER BY
1,2,3,4,5,6
Ciphers and encryption methods
• https://scotthelme.co.uk/https-cheat-sheet/
Ciphers and Db2 (1|2)
• During the SSL handshake client and server negotiate the most secure encryption
method. If no compatible method is found, the connection fails. The order of the
so-called cipher suites cannot be changed.
• If SSL_VERSIONS is set to TLSV12, the following SSL_CIPHERSPECS are usable:
▪ TLS_RSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
▪ TLS_RSA_WITH_AES_256_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
▪ TLS_RSA_WITH_AES_256_CBC_SHA
▪ TLS_RSA_WITH_AES_128_GCM_SHA256
▪ TLS_RSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
▪ TLS_RSA_WITH_AES_128_CBC_SHA
Ciphers and Db2 (2|2)
• Configure ciphers in Db2 (value length max 255 chars):
db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• Whichever cipher is finally used cannot be retrieved (GSKit doesn't
feed this back to Db2)
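An added example, not from the deck: a Python linter for the SSL_CIPHERSPECS value. It checks a proposed list against the TLS 1.2 suites listed above and the 255-character limit, and also flags what the slide's own example does not: suites without forward secrecy, CBC suites, and TLS_ECDHE_ECDSA suites, which are never negotiated when the server certificate is RSA as in this deck. The recommendation function and its preference order are this example's own assumptions.

```python
"""Added example, not from the deck: lint a proposed SSL_CIPHERSPECS value for
Db2 against the TLS 1.2 suite list the deck gives, the 255-character limit,
and a few properties the deck's own example does not check."""

# TLS 1.2 cipher suites the deck lists as usable with SSL_VERSIONS=TLSV12
SUPPORTED_TLS12 = {
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}
MAX_LEN = 255  # length limit of the SSL_CIPHERSPECS value named in the deck

# The deck's own example value, with the spaces after the commas as on the slide
DECK_EXAMPLE = ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, "
                "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, "
                "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, "
                "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")


def parse_cipherspecs(value: str) -> list:
    """Split the comma-separated value, tolerating whitespace around the names."""
    return [s.strip() for s in value.split(",") if s.strip()]


def normalize_cipherspecs(suites: list) -> str:
    """Join suites back into the compact form to paste into `db2 update dbm cfg`."""
    return ",".join(suites)


def lint_cipherspecs(value: str, server_cert_is_rsa: bool = True) -> dict:
    """Return the parsed suites, the compact value and a list of findings."""
    suites = parse_cipherspecs(value)
    compact = normalize_cipherspecs(suites)
    findings = []
    if len(compact) > MAX_LEN:
        findings.append(f"value is {len(compact)} chars, limit is {MAX_LEN}")
    seen = set()
    for s in suites:
        if s in seen:
            findings.append(f"{s}: listed twice")
        seen.add(s)
        if s not in SUPPORTED_TLS12:
            findings.append(f"{s}: not in the TLS 1.2 list, Db2/GSKit will not use it")
            continue
        if s.startswith("TLS_RSA_WITH_"):
            findings.append(f"{s}: static RSA key exchange, no forward secrecy")
        if "_CBC_" in s:
            findings.append(f"{s}: CBC mode, prefer the GCM (AEAD) variant")
        if "_ECDSA_" in s and server_cert_is_rsa:
            findings.append(f"{s}: requires an ECDSA server certificate, "
                            "never negotiated with an RSA certificate")
    return {"suites": suites, "compact": compact, "findings": findings,
            "ok": not findings}


def recommended_cipherspecs(server_cert_is_rsa: bool = True) -> str:
    """ECDHE + GCM suites only, matching the certificate type, AES-256 first.
    This preference order is the example's assumption, not a Db2 default."""
    wanted = [s for s in sorted(SUPPORTED_TLS12, reverse=True)  # "256" sorts before "128"
              if s.startswith("TLS_ECDHE_") and "_GCM_" in s
              and ("_ECDSA_" in s) != server_cert_is_rsa]
    return normalize_cipherspecs(wanted)


if __name__ == "__main__":
    report = lint_cipherspecs(DECK_EXAMPLE)
    print("db2 update dbm cfg using SSL_CIPHERSPECS", report["compact"])
    for f in report["findings"]:
        print(" -", f)
    print("suggested:", recommended_cipherspecs())
```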
Support us! (1|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
Support us! (2|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
Technotes
• Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS:
internal test failed, interface disabled"
https://www.ibm.com/support/pages/node/6356455
Problem:
The internal self-test in GSKit fails when it can't get sufficient
entropy via hardware or software RNG (Random Number
Generation). This can cause the Db2 instance to stop functioning
correctly, and will require a restart of the instance.
Further links
• Step-by-Step Instructions to Configure a Secure Database System,
Greg Stager: https://www.idug.org/p/bl/ar/blogaid=1121
• Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I
LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3,
https://www.ibm.com/support/pages/apar/IC85574
• SSL/TLS: How to choose your cipher suite
https://technology.amis.nl/2017/07/04/ssltls-choose-cipher-suite/
SSL and Db2 on (IBM) Cloud
• Supporting links to use Db2 on Cloud with SSL/TLS
Short compact configuration guide for Db2 on Cloud:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support
How to connect to Db2 on Cloud, connect options
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options
SSL as requirement for IAM-based authentication
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs
If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly
suggested to protect the token with TLS:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c_token_auth.html
Thank You
Speaker: Roland Schock
Email Address: roland.schock@arcor.de
Session Code: G10
Please fill out your session evaluation before leaving!

Generative AI on Enterprise Cloud with NiFi and MilvusTimothy Spann
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAroojKhan71
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxolyaivanovalion
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxolyaivanovalion
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxolyaivanovalion
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionfulawalesam
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998YohFuh
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfLars Albertsson
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiSuhani Kapoor
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysismanisha194592
 
B2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxB2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxStephen266013
 

Recently uploaded (20)

VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
VIP High Class Call Girls Jamshedpur Anushka 8250192130 Independent Escort Se...
 
100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx100-Concepts-of-AI by Anupama Kate .pptx
100-Concepts-of-AI by Anupama Kate .pptx
 
FESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdfFESE Capital Markets Fact Sheet 2024 Q1.pdf
FESE Capital Markets Fact Sheet 2024 Q1.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdfMarket Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
Market Analysis in the 5 Largest Economic Countries in Southeast Asia.pdf
 
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptxBPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
BPAC WITH UFSBI GENERAL PRESENTATION 18_05_2017-1.pptx
 
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% SecureCall me @ 9892124323  Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
Call me @ 9892124323 Cheap Rate Call Girls in Vashi with Real Photo 100% Secure
 
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
꧁❤ Aerocity Call Girls Service Aerocity Delhi ❤꧂ 9999965857 ☎️ Hard And Sexy ...
 
Generative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and MilvusGenerative AI on Enterprise Cloud with NiFi and Milvus
Generative AI on Enterprise Cloud with NiFi and Milvus
 
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al BarshaAl Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
Al Barsha Escorts $#$ O565212860 $#$ Escort Service In Al Barsha
 
BigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptxBigBuy dropshipping via API with DroFx.pptx
BigBuy dropshipping via API with DroFx.pptx
 
Mature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptxMature dropshipping via API with DroFx.pptx
Mature dropshipping via API with DroFx.pptx
 
CebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptxCebaBaby dropshipping via API with DroFX.pptx
CebaBaby dropshipping via API with DroFX.pptx
 
Week-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interactionWeek-01-2.ppt BBB human Computer interaction
Week-01-2.ppt BBB human Computer interaction
 
Sampling (random) method and Non random.ppt
Sampling (random) method and Non random.pptSampling (random) method and Non random.ppt
Sampling (random) method and Non random.ppt
 
RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998RA-11058_IRR-COMPRESS Do 198 series of 1998
RA-11058_IRR-COMPRESS Do 198 series of 1998
 
Schema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdfSchema on read is obsolete. Welcome metaprogramming..pdf
Schema on read is obsolete. Welcome metaprogramming..pdf
 
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service BhilaiLow Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
Low Rate Call Girls Bhilai Anika 8250192130 Independent Escort Service Bhilai
 
April 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's AnalysisApril 2024 - Crypto Market Report's Analysis
April 2024 - Crypto Market Report's Analysis
 
B2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docxB2 Creative Industry Response Evaluation.docx
B2 Creative Industry Response Evaluation.docx
 

2022-Db2-Securing_Your_data_in_motion.pdf

1. Boston, MA
Securing your data in motion with TLS
Roland Schock
Session Code: G10
2. Agenda
• Where to encrypt? What is SSL/TLS?
• Learn about IBM GSKit, certificates and self-signed certificates and configure the server side of TLS encryption
• Configure the client side of TLS encryption for CLI, ODBC and JDBC
• Troubleshoot and verify your configuration, select the right ciphers for encryption
• Current issues, open RFEs aka AHA ideas
3. Moments of Encryption
• Encryption during Authentication
  • Transmission of encrypted login credentials
• Encryption in use
  • Encryption of single columns (by application code)
• Encryption in motion
  • Data transmission over the wire is encrypted
• Encryption at rest
  • Encryption of database and transaction log files on disk, tapes, etc.
4. Default Configuration
• Db2's default configuration is still based on assumptions of Db2 for OS/2. At that time simple configuration was preferred over security.
• By default just simple authentication with plain text passwords over the wire
• db2 get dbm cfg | fgrep AUTHENTICATION ➔ Default is SERVER
• At least switch to AUTHENTICATION=SERVER_ENCRYPT to enforce transmission of encrypted passwords over the wire during Connect
  • Very old clients (before V9.7) could have issues with SERVER_ENCRYPT as they were not prepared for modern encryption
  • Data is still transferred unencrypted
• Solution: db2 update dbm cfg using AUTHENTICATION DATA_ENCRYPT (=deprecated)
• ➔ Much better: Switch to SSL or TLS session encryption
5. AUTHENTICATION = SERVER_ENCRYPT
• Db2 engine takes care of encryption
• Besides db2 update dbm cfg using AUTHENTICATION SERVER_ENCRYPT, other parameters have to be set to close further gaps:
db2 update dbm cfg using ALTERNATE_AUTH_ENC AES_CMP
db2set DB2AUTH=DISABLE_CHGPASS,OSAUTHDB,JCC_ENFORCE_SECMEC,TRUSTEDCLIENT_SRVRENC
• DISABLE_CHGPASS disables password change during connect
• OSAUTHDB points to local OS for user and group enumeration
• JCC_ENFORCE_SECMEC disables passwords in plain text (since Db2 10.5.0.4)
  • If you still have (very) old clients, set this option temporarily and monitor db2diag.log:
db2set DB2AUTH=JCC_NOENFORCE_SECMEC_MSG
6. Encryption with SSL
• SSL is the synonym for encrypted communication via Secure Sockets Layer
  • SSL 1.0 was never published as a standard
  • SSL 2.0 published February 1995; used until ~2011, deprecated due to security flaws
  • SSL v3, last version, deprecated, unsafe (e.g. POODLE attack)
• TLS stands for Transport Layer Security and is the successor of SSL
  • TLS 1.0 is the successor of SSL v3
  • TLS 1.1 published April 2006 and also has flaws
  • TLS 1.2 came in 2008 and became more widely used once the flaws of TLS 1.1 came up
  • TLS 1.3 is current since August 2018
7. IBM Global Security Kit (1|2)
• Which SSL/TLS version is supported by Db2?
• Db2 itself does not provide SSL/TLS encryption but uses IBM Global Security Kit aka GSKit for it
• GSKit is the OS extension for encrypted socket communication
https://www.ibm.com/docs/en/db2/11.5?topic=encryption-global-security-kit-installation-gskit
• GSKit gets automatically installed with the server install. It's a separate install for Db2 client code
• GSKit has the Highlander principle: There can only be one!
  • It gets especially interesting if multiple IBM server products ship GSKit and try to install/use their own:
  • E.g. IBM Db2, TSM and MQ on a single machine
8. IBM Global Security Kit (2|2)
• GSKit V8 - Instructions to find current installed version details:
https://www.ibm.com/support/pages/gskit-v8-instructions-find-current-installed-version-details
• GSKit Versions Shipped with Db2:
https://www.ibm.com/support/pages/gskit-versions-shipped-db2
• The current GSKit does not support TLS 1.3 yet and hence Db2 can only use up to TLS 1.2 for now
• Breaking news: IBM is going to support TLS 1.3 for client/server, HADR, KMIP soon!
9. Configuration steps for TLS encryption
• Create a keyring for the server
• Create a certificate for the server (self-signed or CA-signed)
• Import the certificate in the keyring of the server
10. Db2 server side: Create a keyring
• User db2inst1:
mkdir -p /home/db2inst1/SSL
cd /home/db2inst1/SSL
• echo "Create a keyring:"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "Db2_keydb.kdb" -pw "passw0rd" -stash
• Beware: There is a 32-bit and a 64-bit GSKit. The paths get set by db2profile, but it seems in some versions the 32-bit path is incorrect and returns "error while loading shared directories"
  • Quick fix: Append /gskit_db2 to the variable LD_LIBRARY_PATH
11. Db2 server side: Create CA-signed certs
• echo "Create certification request to send to Root CA"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -certreq -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -san_dnsname "myserver.de" -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA -file "MyCertRequest.arm"
• echo "Send MyCertRequest.arm to CA to get it signed"
• echo "Add certificates of Root CA and any intermediates (otherwise SQL30081N with -414)"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -file CAChain.crt -db "Db2_keydb.kdb" -stashed -format ascii
• echo "CA returns: MyServerCert.crt"
• echo "Import of MyServerCert.crt in your keyring"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -file MyServerCert.crt -db "Db2_keydb.kdb" -stashed -format ascii
12. Db2 server side: Create a self-signed certificate
• echo "Not required by CA-signed certificate! This is an alternative!"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -create -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -expire 1000 -dn "CN=myserver.de,O=IT,OU=ARS,L=Munich,ST=BY,C=DE" -size 4096 -sig_alg SHA256_WITH_RSA
• echo "Export of public signature for trust_db of clients"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "Db2_keydb.kdb" -stashed -label "myserver_db2_4096" -target "myserver_db2_public_key.arm" -format ascii -fips
• Remark for self-signed certificates:
  • They are as secure as CA-signed certs, but require more work. More servers have to be trusted at the clients and updated over time due to expiration.
  • Transfer of the public server signature to the client has to be secure to prevent man-in-the-middle attacks.
13. How to verify keyring and certificate? (1|2)
• echo "Verify a certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -list -db "Db2_keydb.kdb" -stashed
• Certificate found:
* Standard, - personal, ! reliable, # secret key
! "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
! "CN=ARS Root CA 01,DC=ARS,DC=de"
- myserver_db2_4096
• echo "Verify key database"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -list -db "Db2_keydb.kdb" -stashed
14. How to verify keyring and certificate? (2|2)
• echo "Verify a new certificate"
/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -details -label myserver_db2_4096 -db "Db2_keydb.kdb" -stashed
• Label : myserver_db2_4096
Key length : 4096
Version : X509 V3
Serial : 740000007415c7837855d62d17000000000074
Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
Not valid before : 17. April 2020 11:50:22 MESZ
Not valid after : 20. July 2022 11:50:22 MESZ
15. Configuration Server
• echo "Instance configuration"
db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/SSL/Db2_keydb.kdb
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/SSL/Db2_keydb.sth
db2 update dbm cfg using SSL_SVR_LABEL myserver_db2_4096
db2 update dbm cfg using SSL_VERSIONS TLSV12
• echo "Insert SSL port in /etc/services file"
vi /etc/services
REM start notepad c:\windows\system32\drivers\etc\services
REM Append a line like:
db2c_tlsinst1 50443/tcp
• echo "Set SSL_SVCENAME to port name and set DB2COMM"
db2 update dbm cfg using SSL_SVCENAME db2c_tlsinst1
db2set DB2COMM=SSL,TCPIP
• echo "Check if max_connections <= max_coordagents ➔ Connection Concentrator=OFF"
• echo "Restart Instance to bring changes into effect"
db2stop && sleep 5 && db2start
16. Expired Server certificate
• Entry in db2diag.log when the CA-signed server certificate expires:
2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
PID : 6292094 TID : 292736 PROC : db2sysc 0
INSTANCE: db2inst1 NODE : 000 DB :
HOSTNAME: myhost
EDUID : 292736 EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the return code "401" in "sqlccSSLSocketSetup".
• On client side:
SQL30081N A communication error has been detected. Communication protocol being used: "SSL". Communication API being used: "SOCKETS". Location where the error was detected: "". Communication function detecting the error: "sqlccSSLSocketSetup". Protocol specific error code(s): "420", "*", "*". SQLSTATE=08001
• Create a new CertRequest, get it signed by your CA and import it with a different label into the server keyring:
db2 attach to db2inst1 && db2 update dbm cfg using SSL_SVR_LABEL my_new_label IMMEDIATE
• DBM Config SSL_SVR_LABEL is online updateable since V11.5.2. Check with db2pd -dbmcfg for the current value in memory
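As an added example (not part of the deck), a small Python checker for the two artifacts shown on slides 14 and 16: it parses the "gsk8capicmd_64 -cert -details" output to compute the days left before "Not valid after", and scans a db2diag.log excerpt for the DIA3604E entry that appears once the handshake fails. It assumes the date format printed on slide 14 and ignores the time zone suffix (MESZ); the sample inputs are constructed from the deck's slides.

```python
"""Added example: flag a Db2 server certificate that is about to expire, and
detect the db2diag.log entry Db2 writes once the TLS handshake fails.

Assumes the 'Not valid after' format printed by gsk8capicmd_64 -cert -details
as shown in the deck (e.g. '20. July 2022 11:50:22 MESZ'); the time zone
suffix is ignored and dates are compared at day granularity."""
import re
from datetime import date, datetime

_MONTHS = {name: num for num, name in enumerate(
    ["January", "February", "March", "April", "May", "June", "July",
     "August", "September", "October", "November", "December"], start=1)}

# '20. July 2022 11:50:22 MESZ' -> groups: day, month name, year, hh, mm, ss
_GSK_DATE_RE = re.compile(
    r"(\d{1,2})\.\s+([A-Za-z]+)\s+(\d{4})\s+(\d{2}):(\d{2}):(\d{2})")

# DIA3604E line from db2diag.log: which GSKit call failed and its return code
_DIA3604E_RE = re.compile(
    r'DIA3604E The SSL function "(\w+)" failed with the return code "(\d+)"')


def parse_gsk_date(text):
    """Turn a GSKit validity date into a naive datetime (zone suffix dropped)."""
    m = _GSK_DATE_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised GSKit date: {text!r}")
    day, month, year, hh, mm, ss = m.groups()
    return datetime(int(year), _MONTHS[month], int(day), int(hh), int(mm), int(ss))


def parse_cert_details(output):
    """Split the 'Field : value' lines of -cert -details into a dict."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def days_until_expiry(details_output, today):
    """Days left on the certificate (negative once it has expired).
    'today' is a datetime.date or an ISO date string such as '2022-07-26'."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    not_after = parse_gsk_date(parse_cert_details(details_output)["Not valid after"])
    return (not_after.date() - today).days


def cert_status(details_output, today, warn_days=30):
    """'expired', 'renew' (inside the warning window) or 'ok'."""
    left = days_until_expiry(details_output, today)
    if left < 0:
        return "expired"
    return "renew" if left <= warn_days else "ok"


def find_ssl_failures(diag_text):
    """(GSKit function, return code) for each DIA3604E message in a db2diag.log excerpt."""
    return [(m.group(1), int(m.group(2))) for m in _DIA3604E_RE.finditer(diag_text)]


# Constructed sample input, modelled on the deck's slide 14 output
SAMPLE_DETAILS = """\
Label : myserver_db2_4096
Key length : 4096
Version : X509 V3
Issuer : "CN=ARS Manual Issuing CA 01,DC=ARS,DC=de"
Subject : CN=myserver.de,OU=ARS,O=IT,L=Munich,ST=BY,C=DE
Not valid before : 17. April 2020 11:50:22 MESZ
Not valid after : 20. July 2022 11:50:22 MESZ
"""

# Constructed db2diag.log excerpt, modelled on the deck's slide 16 entry
SAMPLE_DIAG = """\
2022-07-26-11.16.21.218655+120 I6820357A497 LEVEL: Error
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the return code "401" in "sqlccSSLSocketSetup".
"""

if __name__ == "__main__":
    print("days left on 2022-07-26:", days_until_expiry(SAMPLE_DETAILS, "2022-07-26"))
    print("status:", cert_status(SAMPLE_DETAILS, "2022-07-26"))
    print("SSL failures in db2diag.log:", find_ssl_failures(SAMPLE_DIAG))
```

Run it against the real output of -cert -details from a cron job to get the "renew" warning well before the SQL30081N calls start.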
17. HADR and SSL
• SSL for HADR has to be configured on the database side
• Create keyrings and truststores on both sides, include the client side configuration on the other server and vice versa
• In the database configuration use the label accordingly:
HADR SSL certificate label (HADR_SSL_LABEL) = my_hadr_certlabel
HADR SSL Hostname Validation (HADR_SSL_HOST_VAL) = OFF
18. Configuration of CLI Client (1|2)
• echo "Install GSKit on client machine (Fix Central: Tivoli Global Security)"
Install the binaries according to the Db2 Knowledge Center:
https://www.ibm.com/docs/en/db2/11.5?topic=gskit-global-installation-instructions
• echo "Create a client keyring"
mkdir -p ~/SSL && cd ~/SSL
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "client_trust.kdb" -pw "MyPass" -stash
• echo "Add the root certificate and any intermediaries (otherwise SQL30081N with -414)"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -file /tmp/CAChain.crt -format ascii -fips
• echo "Not required for CA-signed certificates: Import your self-signed certificate"
/home/exrsc/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "client_trust.kdb" -stashed -label "MyServer" -file /home/db2inst1/SSL/myserver_db2_public_key.arm -format ascii -fips
19. Configuration of CLI Client (2|2)
• Update client instance configuration:
db2 update dbm cfg using SSL_CLNT_KEYDB /home/exrsc/SSL/client_trust.kdb
db2 update dbm cfg using SSL_CLNT_STASH /home/exrsc/SSL/client_trust.sth
For Windows clients, if the Root CA signature is available in the Windows trust store:
db2 update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
db2 update dbm cfg using SSL_CLNT_STASH NULL
Set PATH and LIB to the corresponding directories for 32-bit and 64-bit binaries:
set PATH=C:\PROGRA~1\IBM\GSKIT\BIN;C:\PROGRA~2\IBM\GSKIT\BIN;%PATH%
set LIB=C:\PROGRA~1\IBM\GSKIT\LIB64;C:\PROGRA~2\IBM\GSKIT\LIB;%LIB%
• Catalog your node:
db2 catalog tcpip node INST1SSL remote myserver.de server 50443 security SSL
db2 catalog db SAMPLE at node INST1SSL
20. JDBC connections
• JDBC is simple to configure! Server side configured as above
• The trust store gets created with the Java JDK keytool instead of GSKit (in this example with a self-signed certificate):
keytool -importcert -alias MyServer -keystore MyTrustStore.jks -storepass cacerts -storetype jks -file myserver_db2_public_key.arm -noprompt
keytool -list -v -keystore MyTrustStore.jks -storepass cacerts -storetype jks
• The JDBC connection string looks like:
jdbc:db2://myserver.de:50443/sample:sslConnection=true;sslTrustStoreLocation=MyTrustStore.jks;sslTrustStorePassword=cacerts;sslTrustStoreType=JKS;
• Remark: Some applications might use their own JDK and then have a separate trust store. Check with "dir /s /b cacerts" or "find . -name cacerts -type f" in the application directory
21. IBM Data Server Driver for ODBC and CLI
• Small footprint drivers for Db2; just unpack the ZIP archive and set paths, e.g. for Linux:
export DB2_CLI_DRIVER_INSTALL_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver
export LD_LIBRARY_PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export LIBPATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/lib
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/bin:$PATH
export PATH=$HOME/db2_cli_odbc_driver/odbc_cli/clidriver/adm:$PATH
• The database can be catalogued via db2cli.ini or db2dsdriver.cfg. Either use the sample templates or db2cli commands:
• Examples:
db2cli writecfg add -database MYSAMPL -host myserver.de -port 50443 -parameter "SecurityTransportMode=SSL;SSLServerCertificate=/opt/ibm/odbc_cli/clidriver/cfg/mydbclient.kdb"
db2cli validate
db2cli validate -dsn mysampl -connect -user testuser -passwd 'Nosey*ent_ya'
• The trust store must be in CMS format.
• Root CAs can be added to the keyring automatically if supplied as an .arm trust store file on first connect
22. Configuration for WAS Liberty profile
23. Check usage of secure connections
• Which application is now using a TLS connection?
SELECT substr( CLIENT_PRDID, 1, 10 ) AS CLIENT_PRDID,
       substr( APPLICATION_NAME, 1, 20 ) AS APPL_NAME,
       substr( CLIENT_HOSTNAME, 1, 22 ) AS CLIENTHOST,
       CLIENT_PROTOCOL AS PROTOCOL,
       CAST( CURRENT server AS CHAR( 8 )) AS DB_NAME,
       SUBSTR( EXECUTION_ID, 1, 15 ) AS EXEC_ID,
       SUBSTR( SESSION_AUTH_ID, 1, 15 ) AS SESSION_AUTHID,
       COUNT(*) AS COUNT
  FROM TABLE ( mon_get_connection( NULL, -2 ))
 GROUP BY CLIENT_PRDID, APPLICATION_NAME, CLIENT_HOSTNAME, CLIENT_PROTOCOL, CURRENT server, EXECUTION_ID, SESSION_AUTH_ID
 ORDER BY 1,2,3,4,5,6
24. Ciphers and encryption methods
• https://scotthelme.co.uk/https-cheat-sheet/
25. Ciphers and Db2 (1|2)
• During the SSL handshake client and server negotiate the most secure encryption method. If no compatible method is found, the connection fails. The order of the so-called cipher suites cannot be changed.
• If SSL_VERSIONS was set to TLSv12, the following SSL_CIPHERSPECS are usable:
▪ TLS_RSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
▪ TLS_RSA_WITH_AES_256_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
▪ TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
▪ TLS_RSA_WITH_AES_256_CBC_SHA
▪ TLS_RSA_WITH_AES_128_GCM_SHA256
▪ TLS_RSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
▪ TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
▪ TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
▪ TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
▪ TLS_RSA_WITH_AES_128_CBC_SHA
26. Ciphers and Db2 (2|2)
• Configure ciphers in Db2 (length max 255 chars):
db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• Whichever cipher is finally used cannot be retrieved (GSKit doesn't feed this back to Db2)
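As an added example covering slides 25 and 26 (not the deck's or IBM's code), a Python helper that audits the TLS 1.2 suites the deck lists by name, keeps only those with forward secrecy and AEAD, and builds the comma-separated SSL_CIPHERSPECS value while enforcing the 255 character limit the deck mentions. The ranking is only for reading the result, since the deck states that Db2's negotiation order cannot be changed.

```python
"""Added example: choose a restricted SSL_CIPHERSPECS value for Db2 from the
TLS 1.2 suites the deck lists, flag the weak ones, and keep the value within
the 255 character limit. Not the deck's or IBM's code."""

# The SSL_CIPHERSPECS the deck lists as usable with SSL_VERSIONS=TLSV12
USABLE_TLS12_CIPHERSPECS = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

MAX_SSL_CIPHERSPECS_LEN = 255  # limit stated in the deck


def audit_cipherspec(name):
    """Weaknesses of one suite, judged from its IANA-style name only."""
    findings = []
    if "_ECDHE_" not in name:
        findings.append("no forward secrecy (static RSA key exchange)")
    if "_CBC_" in name:
        findings.append("CBC mode (no AEAD)")
    if name.endswith("_SHA"):
        findings.append("SHA-1 HMAC")
    return findings


def cipher_rank(name):
    """Sort key: forward secrecy, then AEAD, then key size, then hash strength."""
    return (
        "_ECDHE_" in name,
        "_GCM_" in name,
        256 if "_AES_256_" in name else 128,
        384 if name.endswith("SHA384") else 256 if name.endswith("SHA256") else 160,
    )


def select_cipherspecs(candidates=USABLE_TLS12_CIPHERSPECS):
    """Suites without audit findings, strongest first (order is for reading only;
    Db2/GSKit keeps its own negotiation order, as the deck says)."""
    clean = [c for c in candidates if not audit_cipherspec(c)]
    return sorted(clean, key=cipher_rank, reverse=True)


def build_sslcipherspecs_value(ciphers, max_len=MAX_SSL_CIPHERSPECS_LEN):
    """Comma-separated value for SSL_CIPHERSPECS (no spaces), length-checked."""
    value = ",".join(ciphers)
    if len(value) > max_len:
        raise ValueError(f"SSL_CIPHERSPECS would be {len(value)} chars, limit is {max_len}")
    return value


def db2_update_command(ciphers):
    """The db2 command that applies the selection (restart the instance afterwards)."""
    return "db2 update dbm cfg using SSL_CIPHERSPECS " + build_sslcipherspecs_value(ciphers)


if __name__ == "__main__":
    for suite in USABLE_TLS12_CIPHERSPECS:
        flaws = audit_cipherspec(suite)
        print(f"{suite:45s} {'; '.join(flaws) if flaws else 'ok'}")
    print(db2_update_command(select_cipherspecs()))
```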
27. Support us! (1|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-984
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-133
28. Support us! (2|2)
• https://ibm-data-and-ai.ideas.aha.io/ideas/DB24LUW-I-952
29. Technotes
• Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS: internal test failed, interface disabled"
https://www.ibm.com/support/pages/node/6356455
Problem: The internal self-test in GSKit fails when it can't get sufficient entropy via hardware or software RNG (Random Number Generation). This can cause the Db2 instance to stop functioning correctly, and will require a restart of the instance.
30. Further links
• Step-by-Step Instructions to Configure a Secure Database System, Greg Stager:
https://www.idug.org/p/bl/ar/blogaid=1121
• Cipher Used? IC85574: INFORMATIONAL MESSAGE ADM7016I LOGGED IN DB2DIAG.LOG EVEN IF DIAGLEVEL=3
https://www.ibm.com/support/pages/apar/IC85574
• SSL/TLS: How to choose your cipher suite
https://technology.amis.nl/2017/07/04/ssltls-choose-cipher-suite/
31. SSL and Db2 on (IBM) Cloud
• Supporting links to use Db2 on Cloud with SSL/TLS
Short compact configuration guide for Db2 on Cloud:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-ssl_support
How to connect to Db2 on Cloud, connect options:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-connect_options
SSL as requirement for IAM-based authentication:
https://cloud.ibm.com/docs/Db2onCloud?topic=Db2onCloud-iam#iam_prereqs
If the new token-based authentication with JWT (JSON Web Token) is used, it is strongly suggested to protect the token with TLS:
https://www.ibm.com/support/knowledgecenter/SSEPGG_11.5.0/com.ibm.db2.luw.admin.sec.doc/doc/c_token_auth.html
32. Thank You
Speaker: Roland Schock
Email Address: roland.schock@arcor.de
Session Code: G10
Please fill out your session evaluation before leaving!