8.1.10 Enable TLS Communication Between HADR Primary and Standby Instances (HADR_SSL_LABEL)

Information

The HADR_SSL_LABEL database configuration parameter controls whether connections between HADR peers are encrypted with TLS, and names the certificate (by its label in the server-side keystore, SSL_SVR_KEYDB) that the instance presents to its HADR peer when establishing an HADR connection. When the parameter is empty, which is the default, HADR traffic between the primary and standby is sent in the clear.

Rationale:

To protect database pages and log records while they are shipped from a primary database to a standby database, the HADR_SSL_LABEL database configuration parameter should be set on every database participating in HADR. Unencrypted HADR traffic exposes the full content of every committed transaction to anyone who can observe the network path between the peers.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following steps on both the primary and every standby database to enable TLS-encrypted HADR. A server-side keystore and stash file must already be configured in the database manager configuration (SSL_SVR_KEYDB and SSL_SVR_STASH) before HADR TLS can be enabled:

Run the following command as the instance owner.

db2 => update db cfg for <database> using HADR_SSL_LABEL <label>

Replace <label> with the label of a certificate, with its private key, present in the local server-side keystore (SSL_SVR_KEYDB). Because the connection is a TLS handshake, each peer must also be able to validate the certificate the other side presents: the signer certificate (or the peer's self-signed certificate) must be present as a trusted certificate in the other peer's keystore.

If HADR is already active, it must be stopped and restarted on both the primary and the standby for a change to the HADR_SSL_LABEL database configuration parameter to take effect. Setting the label on only one peer, or to a label that does not exist in the keystore, causes the HADR connection to fail rather than silently falling back to plaintext.
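The following POSIX shell audit script is an added example and is not part of the CIS benchmark or the Tenable audit. It checks the two conditions the solution above depends on: that HADR_SSL_LABEL is set in the database configuration, and that the label names a personal (private-key) certificate in the server keystore. It parses the text output of `db2 get db cfg for <database>` and `gsk8capicmd_64 -cert -list`, keying only on the `(HADR_SSL_LABEL) =` token and the `-`/`*` personal-certificate prefixes; the sample outputs embedded below are constructed approximations of that output so the script runs offline, and the `audit_live` wrapper is an assumed convenience that simply feeds the real command output into the same check.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or Tenable): audit HADR TLS settings.
# Works on text captured from `db2 get db cfg for <db>` and
# `gsk8capicmd_64 -cert -list -db <kdb> -stashed`, so it can run offline.

# Print the value of HADR_SSL_LABEL from `db2 get db cfg` output read on stdin.
# Db2 prints every parameter as "<description> (<NAME>) = <value>", so only the
# "(HADR_SSL_LABEL) =" token is relied on; an unset label yields an empty line.
hadr_ssl_label() {
    sed -n 's/.*(HADR_SSL_LABEL) *= *//p' | sed 's/[[:space:]]*$//'
}

# check_hadr_tls <db cfg output> <keystore listing>
# Returns 0 when HADR_SSL_LABEL is set and matches a personal certificate
# (prefixed "-" or "*" in gsk8capicmd listings), 1 when unset, 2 when the
# label is not in the keystore. Prints a one-line verdict.
check_hadr_tls() {
    cfg="$1"
    certs="$2"
    label=$(printf '%s\n' "$cfg" | hadr_ssl_label)
    if [ -z "$label" ]; then
        echo "FAIL: HADR_SSL_LABEL is not set; HADR log shipping is unencrypted"
        return 1
    fi
    # awk rather than grep so a label containing regex metacharacters is
    # compared literally; labels with embedded spaces are not supported here.
    if printf '%s\n' "$certs" |
        awk -v l="$label" '($1 == "-" || $1 == "*") && $2 == l { found = 1 }
                           END { exit !found }'; then
        echo "PASS: HADR_SSL_LABEL=$label names a personal certificate in the keystore"
        return 0
    fi
    echo "FAIL: HADR_SSL_LABEL=$label does not match any personal certificate in the keystore"
    return 2
}

# audit_live <database> <keystore .kdb path>
# Assumed wrapper for a real instance: run as the instance owner with the
# Db2 CLP environment sourced and the stash file (SSL_SVR_STASH) in place.
audit_live() {
    check_hadr_tls "$(db2 get db cfg for "$1")" \
                   "$(gsk8capicmd_64 -cert -list -db "$2" -stashed)"
}

# Constructed sample output, shaped like `db2 get db cfg` (description text
# is approximate; the parameter token is what matters).
SAMPLE_CFG_OK=' HADR local host name                     (HADR_LOCAL_HOST) = db2primary
 HADR SSL certificate label                (HADR_SSL_LABEL) = db2hadr
 HADR peer window duration (seconds)      (HADR_PEER_WINDOW) = 0'

SAMPLE_CFG_UNSET=' HADR local host name                     (HADR_LOCAL_HOST) = db2primary
 HADR SSL certificate label                (HADR_SSL_LABEL) = 
 HADR peer window duration (seconds)      (HADR_PEER_WINDOW) = 0'

# Constructed sample output, shaped like `gsk8capicmd_64 -cert -list`.
SAMPLE_CERTS='Certificates found
* default, - personal, ! trusted, # secret key
-	db2hadr
!	hadr-peer-ca'

# Stand-alone demonstration: expect PASS, then FAIL (unset), then FAIL (wrong label).
check_hadr_tls "$SAMPLE_CFG_OK" "$SAMPLE_CERTS"
check_hadr_tls "$SAMPLE_CFG_UNSET" "$SAMPLE_CERTS"
check_hadr_tls "$SAMPLE_CFG_OK" "$(printf 'Certificates found\n-\tother-cert\n')"
```

Run the same check on the primary and on each standby; a PASS on only one side still leaves the HADR connection unable to come up, since both peers must present a certificate the other trusts.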

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 959c857266258489dc31b4a88fd2b1112b8266ecb9730ec24a9029ce377645d4