Information
The HADR_SSL_LABEL database configuration parameter controls whether connections between HADR peers are encrypted, and which certificate is served to an HADR peer when establishing an HADR connection.
Rationale:
To protect database data and log records when they are sent from a primary database to a standby database, the HADR_SSL_LABEL database configuration should be set.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Perform the following steps on both the primary and any standby databases to enable TLS encrypted HADR. A server side keystore and stash file (SSL_SVR_KEYDB/SSL_SVR_STASH) must be configured to enable TLS encrypted HADR communication:
Run the following command as the instance owner.
db2 => update db cfg for <database> using HADR_SSL_LABEL <label>
Replace <label> with the name of a certificate present in the server-side keystore (SSL_SVR_KEYDB).
If it is active, HADR must be recycled for changes to the HADR_SSL_LABEL registry variable to take effect.