Information
To enable TLS support in a Db2 client, it is possible to configure a key store in the database manager configuration that will contain root certificates to be used for secure TLS communication between a Db2 client and Db2 server.
Rationale:
On the client side, Db2 requires the root certificates for the server to be available. This can be achieved by configuring a client-side keystore. This parameter is optional and is not needed if clients use the SSLClientKeystoredb or SSLServerCertificate parameters in the db2cli.ini or db2dsdriver.cfg files, or in the connection string.
NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.
Solution
Perform the following to set SSL_CLNT_KEYDB:
Run the following command, where <path> is the fully qualified path to the keystore file:
db2 => update dbm cfg using SSL_CLNT_KEYDB <path>
(Optional) To use the Microsoft certificate store on Windows, set SSL_CLNT_KEYDB to GSK_MS_CERTIFICATE_STORE:
db2 => update dbm cfg using SSL_CLNT_KEYDB GSK_MS_CERTIFICATE_STORE
Restart the client application. If the CLP is being used, run the following command to terminate the background process
db2 => terminate
If a client-side keystore file is being used, ensure that any users running client applications, and administrators have access to the file. Do not grant world readable or world writable permissions on the stash file.