8.1.2 Configure a Server-side Stash File for TLS (SSL_SVR_STASH)

Information

If a keystore file is used to configure TLS support for a Db2 instance, a stash file must also be configured so that the Db2 server can open the keystore and read its certificates and private key. If the Microsoft certificate store is used on a Windows platform, no stash file is required.

Rationale:

Db2 provides no way for an operator to enter the password of a server-side TLS keystore interactively, so a stash file must supply that password to Db2. The Microsoft certificate store does not require a password, so no stash file is required there.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to set SSL_SVR_STASH:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command, where <path> is the fully qualified path to the stash file (the .sth file written alongside the keystore; the keystore itself is configured separately with SSL_SVR_KEYDB):

db2 => update dbm cfg using SSL_SVR_STASH <path>

If a stash file is being used, ensure that only the instance owner and administrators can access it. The stash file holds the keystore password in obfuscated, not encrypted, form, so anyone who can read it can open the keystore and extract the server's private key.

Do not grant world readable or world writable permissions on the stash file.

If the Microsoft certificate store is being used on Windows, it is not necessary to set SSL_SVR_STASH.
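The following POSIX shell audit is an added example; it is not part of the CIS benchmark or the Nessus plugin. It extracts the SSL_SVR_STASH value from saved `db2 get dbm cfg` output and checks that the file it names exists and carries no group or other permission bits. The keystore directory, instance paths and the sample dbm cfg listing are constructed assumptions; the gsk8capicmd_64 and db2 commands appear only in comments for reference and are not executed.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or the Nessus plugin: a POSIX shell
# audit of the SSL_SVR_STASH setting. Paths, the instance name and the sample
# `db2 get dbm cfg` text below are constructed assumptions.
#
# Typical way the stash file is produced (reference only, not executed here;
# keystore name and password are placeholders):
#   gsk8capicmd_64 -keydb -create -db server.p12 -pw '<password>' -type pkcs12 -stash
# which writes server.sth next to server.p12. Then, as the instance owner:
#   db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/keystore/server.p12
#   db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/sqllib/security/keystore/server.sth

# Print the SSL_SVR_STASH value from `db2 get dbm cfg` output read on stdin.
# Prints an empty string when the parameter is unset (empty value in the listing).
stash_path_from_cfg() {
    sed -n 's/.*(SSL_SVR_STASH) *= *//p' | head -n 1
}

# Return 0 when FILE is a regular file with no group or other permission bits,
# 1 otherwise. The stash holds the keystore password in obfuscated form, so any
# reader of it can open the keystore and extract the server's private key.
check_stash_perms() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "FAIL: stash file '$f' does not exist" >&2
        return 1
    fi
    # Columns 5-10 of `ls -l` output are the group and other permission triplets.
    go_bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$go_bits" != "------" ]; then
        echo "FAIL: '$f' is accessible to group/other (bits '$go_bits'); use chmod 600" >&2
        return 1
    fi
    return 0
}

# Audit a saved `db2 get dbm cfg` listing (path in $1): the parameter must be
# set and the file it names must be locked down to its owner.
audit_stash() {
    cfg="$1"
    path=$(stash_path_from_cfg < "$cfg")
    if [ -z "$path" ]; then
        echo "FAIL: SSL_SVR_STASH is not set in $cfg" >&2
        return 1
    fi
    check_stash_perms "$path"
}

# Demo with a constructed keystore directory and dbm cfg listing.
demo_dir=$(mktemp -d)
umask 077                       # new files are owner-only from the start
printf 'obfuscated-password-bytes' > "$demo_dir/server.sth"
cat > "$demo_dir/dbm.cfg" <<EOF
 SSL server keydb file                   (SSL_SVR_KEYDB) = $demo_dir/server.p12
 SSL server stash file                   (SSL_SVR_STASH) = $demo_dir/server.sth
 SSL server certificate label            (SSL_SVR_LABEL) = dbserver
EOF
if audit_stash "$demo_dir/dbm.cfg"; then
    echo "PASS: SSL_SVR_STASH is set and $demo_dir/server.sth is owner-only"
fi
```

On a live instance, feed the real listing with `db2 get dbm cfg > dbm.cfg` as the instance owner and run `audit_stash dbm.cfg`; a non-zero exit with a FAIL line identifies which of the two conditions (parameter unset, or file readable beyond its owner) is violated. Setting `umask 077` before creating the keystore and stash avoids a window in which the freshly written .sth file is group or world readable.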

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: b321936ae6513c9238a9e0dcfffe96cfbedfa4321877a42e7f82cdc50b28c894