Information
The SSL_SVR_LABEL database manager configuration parameter controls which certificate Db2 will serve to clients. This certificate must have its associated certificate chain present in the server-side key store and must be associated with a private key.
Rationale:
It is highly recommended to set SSL_SVR_LABEL. Leaving this parameter blank and allowing Db2 to utilize a default certificate will only work with CMS(.KDB) format key stores, and the feature is deprecated.
Solution
Perform the following to set SSL_SVR_LABEL:
Attach to the Db2 instance.
db2 => attach to <db2instance>
Run the following command, where <label> is the name of a certificate present in the server-side key store.
db2 => update dbm cfg using SSL_SVR_LABEL <label>
In Db2 11.5.4 and later, or Db2 11.1.4.5 and later with the DB2_DYNAMIC_SSL_LABEL registry variable set to ON, updating the value of SSL_SVR_LABEL while attached to the instance will cause the certificate served by Db2 to change while instance is running, with no effect on existing connections.
Prior releases of Db2 require an instance recycle (db2stop/db2start) for the change to take effect.
Item Details
Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4, CSCv7|16.5
Control ID: 216b332ee67ca715a642dc5e6c74e6e8df1b2fe89797d6bd53440f381a12c063