The steps below apply to any Java-based tool that connects to a DB2 database over SSL.
To connect to a DB2 database over SSL from a Java-based application you need a Java truststore. If you don't have one, you can create a new truststore with the Java keytool command, which ships with the JDK. If you don't have a JDK installed on your system, download and install one. Download Oracle JDK.
Add your JDK installation path to your PATH environment variable so that the keytool command can be found.
For Windows:
Search for View advanced system settings and open it. It will open a screen like the one below.
In this screen click on Environment Variables, which opens the screen below.
Look for Path under System variables and double-click on it.
Click on New, add <JDK Installation path>\bin and click on the OK button.
For Linux/Unix/Mac:
Add the line below to your .bashrc/.profile/.zshrc file:
PATH=<JDK Installation path>/bin:$PATH
Once the PATH variable is configured, open a cmd or terminal and run the command below to create a truststore:
keytool -import -trustcacerts -alias DB2SSL -file dbserver_ssl.crt -keystore db2.jks -storepass *******
Verify that the certificate is present in the truststore with the command below:
keytool -list -keystore db2.jks
If you get the error keytool: command not found, your PATH variable is not configured properly.
DBeaver Configuration:
The steps and images below might differ slightly depending on your version of DBeaver.
Open DBeaver and, from the Database menu, select New Database Connection.
Select DB2 for LUW and click on the Next button.
Enter Host, Port, Database, Username and Password in the Main tab.
If you want to connect to the DB2 database without SSL and your instance supports non-SSL connections, you can click on the Test Connection button to check whether you can connect to the database.
If Test Connection is successful, click on Finish to save your configuration.
For an SSL connection, click on the Driver properties tab.
Click on the Add user property button, which is at the bottom left and looks something like the one below.
Add the properties below with their values:
sslConnection : true
sslTrustStoreLocation : truststore
sslTrustStorePassword : truststore password
Click on the Test Connection button to check whether you can connect to the database.
If Test Connection is successful, click on Finish to save your configuration.
IBM Data Studio Configuration:
The steps and images below might differ slightly depending on your version of Data Studio.
Open Data Studio, right-click on your project and select New Connection to a Database.
Enter Host, Port number, Database, Username and Password in the General tab.
If you want to connect to the DB2 database without SSL and your instance supports non-SSL connections, you can click on the Test Connection button to check whether you can connect to the database.
If Test Connection is successful, click on Finish to save your configuration.
For an SSL connection, click on the Optional tab.
Add the properties below with their values:
sslConnection : true
sslTrustStoreLocation : truststore
sslTrustStorePassword : truststore password
Click on the Test Connection button to check whether you can connect to the database.
If Test Connection is successful, click on Finish to save your configuration.
Note: IBM Data Studio displays your truststore password in plain text.
Known Issues:
You might face the errors below while connecting to a DB2 database using SSL.
Error: Algorithm HmacPBESHA256 not available
Error: the trustAnchors parameter must be non-empty
Error: Invalid keystore format
All these errors indicate that your DBeaver, IBM Data Studio or other Java tool is running on an older Java runtime which only supports truststores in JKS format and not the industry-standard PKCS12.
If you create the truststore with a recent JDK, it is created in PKCS12 format by default. You can verify your truststore's format with the command: keytool -list -keystore truststorename
To fix this, either update your DBeaver or IBM Data Studio, or convert your PKCS12 truststore to JKS format with the command:
keytool -importkeystore -srckeystore <PKCS12 TrustStore> -srcstoretype PKCS12 -destkeystore <New TrustStore> -deststoretype JKS
This command creates a new truststore of type JKS; use this new truststore in your DBeaver or Data Studio configuration.
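As an added example (not part of the original post), the check below reads the header bytes keytool writes for a JKS or PKCS12 store, so you can tell which format a truststore is in before deciding whether to convert it, and for JKS it lists the trusted-certificate aliases much like keytool -list does. The sample store bytes are constructed; the alias db2ssl stands for the DB2SSL alias used above (keytool stores JKS aliases in lower case).

```python
import struct

JKS_MAGIC = 0xFEEDFEED  # header keytool writes for -storetype JKS
TRUSTED_CERT_TAG = 2    # JKS entry tag for a trusted certificate (1 = private key)


def detect_format(data: bytes) -> str:
    """Return 'JKS', 'PKCS12' or 'UNKNOWN' from the leading bytes of a store file."""
    if len(data) >= 8:
        magic, version = struct.unpack(">II", data[:8])
        if magic == JKS_MAGIC and version in (1, 2):
            return "JKS"
    # PKCS12 is DER: SEQUENCE, a length, then INTEGER 3 (the PFX version field)
    if len(data) >= 2 and data[0] == 0x30:
        pos = 2
        if data[1] & 0x80:  # long-form length: low 7 bits give the number of length bytes
            pos += data[1] & 0x7F
        if data[pos:pos + 3] == b"\x02\x01\x03":
            return "PKCS12"
    return "UNKNOWN"


def _read_utf(data: bytes, pos: int) -> tuple:
    """Java writeUTF(): 2-byte big-endian length followed by the string bytes."""
    (n,) = struct.unpack(">H", data[pos:pos + 2])
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def list_jks_trusted_certs(data: bytes) -> list:
    """(alias, cert length) per trusted-cert entry, like keytool -list; the trailing digest is not checked."""
    if detect_format(data) != "JKS":
        raise ValueError("not a JKS store; convert it with keytool -importkeystore")
    (count,) = struct.unpack(">I", data[8:12])
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack(">I", data[pos:pos + 4])
        alias, pos = _read_utf(data, pos + 4)
        pos += 8  # creation timestamp, milliseconds since the epoch
        if tag != TRUSTED_CERT_TAG:
            raise ValueError(f"private-key entry {alias!r} does not belong in a truststore")
        _cert_type, pos = _read_utf(data, pos)  # normally "X.509"
        (cert_len,) = struct.unpack(">I", data[pos:pos + 4])
        entries.append((alias, cert_len))
        pos += 4 + cert_len
    return entries


# Constructed sample stores, not real truststores. keytool lowercases aliases, so DB2SSL -> db2ssl.
FAKE_CERT = b"\x30\x03\x02\x01\x00"  # placeholder bytes standing in for a DER certificate
SAMPLE_JKS = (struct.pack(">IIII", JKS_MAGIC, 2, 1, TRUSTED_CERT_TAG) + b"\x00\x06db2ssl"
              + b"\x00" * 8 + b"\x00\x05X.509" + struct.pack(">I", len(FAKE_CERT))
              + FAKE_CERT + b"\x00" * 20)  # 20 zero bytes where the integrity digest would sit
SAMPLE_P12 = b"\x30\x82\x01\x00\x02\x01\x03" + b"\x00" * 16  # SEQUENCE, 2-byte length, INTEGER 3
```

Run detect_format over the first bytes of db2.jks: a "PKCS12" result on a tool that reports "Invalid keystore format" is exactly the mismatch the conversion command above resolves.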
Error: unable to find valid certification path to requested target
You might face the error above while connecting to a DB2 database using SSL with DBeaver.
In recent releases, DBeaver suppresses the sslTrustStoreLocation driver property and uses the system certificate store to look up the certificate when connecting to the DB2 database.
To fix this you need to change the DBeaver configuration file dbeaver.ini. On Windows this file is at C:\Users\<username>\AppData\Local\DBeaver or C:\Program Files\[DBeaver Edition]\dbeaver.ini. For Linux/Unix/Mac, see Locate dbeaver.ini.
Add the line below to the dbeaver.ini file under -vmargs:
-Djavax.net.ssl.trustStoreType=PKCS12
If you find the option below configured in dbeaver.ini, change it to the line above:
-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
Thank you for sharing the details for SSL connections in DB2. How do we create the truststore in this case, keystore.jks?
Use the command below: keytool -import -trustcacerts -alias DB2SSL -file dbserver_ssl.crt -keystore db2.jks -storepass *******