8.1.5 Configure a Secure TLS Version (SSL_VERSIONS)

Information

The SSL_VERSIONS database manager configuration parameter controls which versions of the TLS protocol Db2 enables. In Db2 11.5 and earlier, TLS 1.0 and 1.1 are enabled by default if SSL_VERSIONS is not set.

Rationale:

TLS 1.0 and 1.1 are considered insecure and have been deprecated as of Db2 11.5. It is recommended to use TLS 1.2.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to set SSL_VERSIONS:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command to enable TLS 1.2 within the Db2 server.

db2 => update dbm cfg using SSL_VERSIONS TLSV12

Db2 must be recycled (db2stop/db2start) for changes to SSL_VERSIONS to take effect.
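
To confirm the setting after the restart, the following added example (not part of the benchmark or of Db2) checks the SSL_VERSIONS line in the text printed by db2 get dbm cfg. It assumes the parameter is printed as "(SSL_VERSIONS) = <value>" and that several versions, if configured, appear as a comma-separated list. The function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit SSL_VERSIONS from `db2 get dbm cfg` text read on stdin.
# Assumption: the parameter is printed as "... (SSL_VERSIONS) = <value>".

# Constructed sample outputs (not captured from a real instance).
SAMPLE_TLS12=' SSL cipherspecs                      (SSL_CIPHERSPECS) =
 SSL versions                            (SSL_VERSIONS) = TLSV12'
SAMPLE_UNSET=' SSL versions                            (SSL_VERSIONS) = '
SAMPLE_MIXED=' SSL versions                            (SSL_VERSIONS) = TLSV1,TLSV12'

# Print the configured value, upper-cased; empty if unset or line missing.
ssl_versions_value() {
    sed -n 's/^.*(SSL_VERSIONS)[[:space:]]*=[[:space:]]*//p' |
        head -n 1 | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Return 0 = only TLS 1.2 enabled, 1 = non-compliant, 2 = needs manual review.
check_ssl_versions() {
    value=$(ssl_versions_value)
    if [ -z "$value" ]; then
        echo "FAIL: SSL_VERSIONS not set; TLS 1.0/1.1 may be enabled by default"
        return 1
    fi
    old_ifs=$IFS
    IFS=,
    for v in $value; do
        case $v in
            TLSV12) ;;
            TLSV1)
                IFS=$old_ifs
                echo "FAIL: SSL_VERSIONS=$value still enables $v"
                return 1 ;;
            *)
                IFS=$old_ifs
                echo "REVIEW: SSL_VERSIONS=$value has a value this check does not cover: $v"
                return 2 ;;
        esac
    done
    IFS=$old_ifs
    echo "PASS: SSL_VERSIONS=$value"
}

# Demo over the constructed samples; on a server: db2 get dbm cfg | check_ssl_versions
for sample in "$SAMPLE_TLS12" "$SAMPLE_UNSET" "$SAMPLE_MIXED"; do
    printf '%s\n' "$sample" | check_ssl_versions || true
done
```

An empty value is reported as a failure because, as stated above, TLS 1.0 and 1.1 are enabled by default in Db2 11.5 and earlier when SSL_VERSIONS is not set.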

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: 06ae42c66df346e582dab6218b14235ccaee9e1d9ba0d0edffab59aa015a5e62