8.1.9 Configure a Client-side Stash File for TLS (SSL_CLNT_STASH)

Information

If a key store file is being used to configure client-side TLS support in a Db2 instance, a stash file should also be configured to allow the Db2 client to be able to read certificates from the keystore. If the Microsoft certificate store is configured on a Windows platform, a stash file is not required.

Rationale:

The database manager configuration does not provide a method for specifying a password for the client-side SSL key store. The Microsoft certificate store does not require a password, so a stash file is not required.

Impact:

Perform the following to determine if SSL_CLNT_STASH is required, and if it is set.

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command:

db2 => get database manager configuration

Locate the value of SSL_CLNT_KEYDB in the output:

SSL client keydb file (SSL_CLNT_KEYDB) =

If the value of SSL_CLNT_KEYDB is not GSK_MS_CERTIFICATE_STORE, locate the value of SSL_CLNT_STASH and ensure SSL_CLNT_STASH is not blank.

SSL client stash file (SSL_CLNT_STASH)=

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to set SSL_CLNT_STASH:

Run the following command, where is the fully qualified path to the keystore file:

db2 => update dbm cfg using SSL_CLNT_KEYDB <path>

Restart the client application.
If the CLP is being used, run the following command to terminate the background process

db2 => terminate

If a stash file is being used, ensure that any users running client applications, and administrators have access to the file. Do not grant world readable or world writable permissions on the stash file.

If the Microsoft certificate store is being used on Windows, it is not necessary to set SSL_CLNT_STASH.

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Unix

Control ID: ad2ba91abbb7a2939c5d71d32299d3c68cf6289440ab25bbfbb6e5418d5f7b77