8.1.6 Configure Secure TLS Cipher Suites (SSL_CIPHERSPECS)

Information

The SSL_CIPHERSPECS database manager configuration parameter controls which cipher suites are enabled by Db2. If it is unset, Db2 will enable a default list of ciphers.

Rationale:

The default list of ciphers includes SHA1 ciphers, which are considered weak.

In addition, some cipher suites enabled by default do not support perfect forward secrecy. Depending on the security requirements of your organization, it may be necessary to restrict which ciphers are enabled by Db2.

Solution

Perform the following to set SSL_CIPHERSPECS:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command to enable a specific set of ciphers within
the Db2 server.

db2 => update dbm cfg using SSL_CIPHERSPECS <LIST>

Replace <LIST> with one or multiple of the following cipher suites. If multiple items are specified, separate them with a single comma and no spaces.

TLS_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

TLS_RSA_WITH_AES_256_CBC_SHA256

TLS_RSA_WITH_AES_128_GCM_SHA256

TLS_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256

See Also

https://workbench.cisecurity.org/benchmarks/10752

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), CSCv7|14.4

Plugin: Windows

Control ID: d33c47a3bc558f3c5e812680a30c0ae1149f42b31ca41b5e41648a6a746e5529