How to Encrypt DB2 Database using Centralized KeyStore

In the blog post How to Encrypt DB2 database we went through the step-by-step process of configuring DB2 Native Encryption using a Local KeyStore. A Local KeyStore carries the overhead of backup and maintenance, and if it becomes inaccessible for any reason and cannot be recovered, you can no longer access your encrypted database, nor restore from encrypted database backups. To reduce this overhead you can use a Centralized KeyStore. In this blog we will go through the step-by-step process of configuring DB2 Native Encryption using a Centralized KeyStore.

How to Encrypt DB2 Database using Centralized KeyStore?

Step 1: Prerequisite - Digital Certificate

You can use a self-signed digital certificate as well, but when using a Centralized KeyStore it is advised to use a digital certificate signed by a CA.

Step 2: Include gskit in the LD_LIBRARY_PATH, LIBPATH and SHLIB_PATH environment variables.

Update LD_LIBRARY_PATH, LIBPATH and SHLIB_PATH to include both the 32-bit and 64-bit gskit paths. Add the following to the DB2 instance user's profile file:

PATH=$HOME/sqllib/gskit/bin:$PATH
export PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/sqllib/lib64/gskit
export LD_LIBRARY_PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/sqllib/lib32/gskit
export LD_LIBRARY_PATH
LIBPATH=$LIBPATH:$HOME/sqllib/lib64/gskit
export LIBPATH
LIBPATH=$LIBPATH:$HOME/sqllib/lib32/gskit
export LIBPATH
SHLIB_PATH=$SHLIB_PATH:$HOME/sqllib/lib64/gskit
export SHLIB_PATH
SHLIB_PATH=$SHLIB_PATH:$HOME/sqllib/lib32/gskit
export SHLIB_PATH

Step 3: Enable SSL

See the blog post DB2 SSL for detailed instructions on configuring DB2 SSL. Follow the quick steps below to enable DB2 SSL.
  • Create local keystore
gsk8capicmd_64 -keydb -create -db SSL_Keystore.p12 -pw ssl_p@ss -type pkcs12 -stash
  • Import certificate for SSL into Local KeyStore
gsk8capicmd_64 -cert -import -db ssl_certificate.pfx -pw P@ssw0rd -target SSL_Keystore.p12 -target_stashed
  • Verify certificate import is successful
gsk8capicmd_64 -cert -list -db SSL_Keystore.p12 -stashed
  • Update DBM CFG values
db2 update dbm cfg using SSL_SVR_KEYDB $HOME/.db2_ssl/SSL_Keystore.p12
db2 update dbm cfg using SSL_SVR_STASH $HOME/.db2_ssl/SSL_Keystore.sth
db2 update dbm cfg using SSL_VERSIONS TLSV12
db2 update dbm cfg using SSL_SVCENAME db2i3s
db2 update dbm cfg using SSL_SVR_LABEL db2ssl
  • Update registry variable
db2set DB2COMM=SSL
  • Restart db2 instance
db2stop
db2start

Step 4: Configure Encryption using Centralized KeyStore

  • Create local keystore

gsk8capicmd_64 -keydb -create -db TEMP_KeyStore.p12 -pw P@ssw0rd -type pkcs12 -stash

  • Create Master Key

gsk8capicmd_64 -secretkey -create -db TEMP_KeyStore.p12 -stashed -label NPMSTR -size 16

  • Import certificate for encryption into Local KeyStore

gsk8capicmd_64 -cert -import -target TEMP_KeyStore.p12 -target_stashed -db db2_encryption.pfx -pw P@ssw0rd

  • Verify certificate import is successful

gsk8capicmd_64 -cert -list -db TEMP_KeyStore.p12 -stashed

  • Create KMIP Configuration file

$ cat KMIP_KeyStore.cfg
VERSION=1
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=TRUE
SSL_KEYDB=/home/db2i3/.db2_ssl/SSL_Keystore.p12
SSL_KEYDB_STASH=/home/db2i3/.db2_ssl/SSL_Keystore.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=db2ssl
MASTER_SERVER_HOST=192.168.2.160
MASTER_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.170
CLONE_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.180
CLONE_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.190
CLONE_SERVER_KMIP_PORT=9300
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE
COMMUNICATION_ERROR_RETRY_TIME=1
UNAVAILABLE_SERVER_BLACKOUT_PERIOD=300
ALL_SERVER_UNAVAILABLE_SLEEP=0
$
  • Migrate Local KeyStore to Centralized KeyStore

db2p12tokmip -from TEMP_KeyStore.p12 -to KMIP_KeyStore.cfg

  • Update DBM CFG values

db2 update dbm cfg using keystore_location /home/db2i3/.Key/KMIP_KeyStore.cfg keystore_type kmip

  • Restart db2 instance
db2stop
db2start
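Before keystore_location is pointed at the KMIP configuration file, it is worth checking the file's contents, since a missing key or an unpaired clone server entry is easier to fix now than after the instance has been restarted. The following check is an added example, not part of the blog or of IBM's tooling; the check_kmip_cfg and cfg_get functions are hypothetical helpers, and the sample configuration files are constructed here (with the filesystem check disabled so they run anywhere).

```shell
#!/bin/sh
# Added example (not from the blog or IBM): sanity-check a DB2 KMIP keystore
# configuration file before keystore_location is pointed at it: required keys,
# VERSION=1, numeric ports, a port for every CLONE_SERVER_HOST, readable SSL files.

# cfg_get FILE KEY: print the value of KEY (last occurrence wins)
cfg_get() { awk -F= -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"; }

# check_kmip_cfg FILE [yes|no]: second argument toggles the filesystem check.
# Prints every problem found; returns 0 when the file looks usable, 1 otherwise.
check_kmip_cfg() {
    cfg="$1"; fs_check="${2:-yes}"; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 1; }
    for key in VERSION PRODUCT_NAME SSL_KEYDB SSL_KEYDB_STASH \
        SSL_KMIP_CLIENT_CERTIFICATE_LABEL MASTER_SERVER_HOST MASTER_SERVER_KMIP_PORT; do
        grep -q "^${key}=" "$cfg" || { echo "missing required key: $key"; rc=1; }
    done
    [ "$(cfg_get "$cfg" VERSION)" = "1" ] || { echo "VERSION must be 1"; rc=1; }
    # Each CLONE_SERVER_HOST line needs a matching CLONE_SERVER_KMIP_PORT line
    hosts=$(grep -c '^CLONE_SERVER_HOST=' "$cfg" || true)
    ports=$(grep -c '^CLONE_SERVER_KMIP_PORT=' "$cfg" || true)
    [ "$hosts" -eq "$ports" ] || { echo "clone host/port mismatch: $hosts hosts, $ports ports"; rc=1; }
    if grep -E '^(MASTER|CLONE)_SERVER_KMIP_PORT=' "$cfg" | cut -d= -f2 | grep -Evq '^[0-9]+$'; then
        echo "non-numeric KMIP port"; rc=1
    fi
    if [ "$fs_check" = "yes" ]; then
        for f in "$(cfg_get "$cfg" SSL_KEYDB)" "$(cfg_get "$cfg" SSL_KEYDB_STASH)"; do
            [ -r "$f" ] || { echo "SSL keystore file not readable: $f"; rc=1; }
        done
    fi
    return $rc
}

# Constructed sample files (not the blog's); filesystem check disabled below
GOOD_CFG=$(mktemp); BAD_CFG=$(mktemp)
cat > "$GOOD_CFG" <<'EOF'
VERSION=1
PRODUCT_NAME=KEYSECURE
SSL_KEYDB=/home/db2i3/.db2_ssl/SSL_Keystore.p12
SSL_KEYDB_STASH=/home/db2i3/.db2_ssl/SSL_Keystore.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=db2ssl
MASTER_SERVER_HOST=192.168.2.160
MASTER_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.170
CLONE_SERVER_KMIP_PORT=9300
EOF
# Same file with the clone port line dropped and the master port mistyped
sed -e '/^CLONE_SERVER_KMIP_PORT=/d' -e 's/^MASTER_SERVER_KMIP_PORT=.*/&O/' "$GOOD_CFG" > "$BAD_CFG"
if check_kmip_cfg "$GOOD_CFG" no; then echo "good config: OK"; fi
check_kmip_cfg "$BAD_CFG" no || echo "bad config rejected as expected"
```

On the real instance run it as check_kmip_cfg /home/db2i3/.Key/KMIP_KeyStore.cfg (filesystem check on); it validates the file's shape only, not that the KMIP servers accept the client certificate.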

Step 5: Encrypt Database

To encrypt an existing database, take a backup of it and restore that backup with the ENCRYPT option.

db2 backup db TESTDB compress
db2 drop db TESTDB
db2 restore db TESTDB taken at 20201005122701 ENCRYPT without rolling forward without prompting

You can also create a new database with encryption enabled.

db2 create db ENCDB encrypt

Step 6: Verify encryption is enabled

You can either check the Database Configuration (DB CFG) parameters for the database's encryption status, or query the SYSPROC.ADMIN_GET_ENCRYPTION_INFO() table function for the encryption details.

db2 get db cfg for TESTDB | grep -i ENCRYPT

db2 "SELECT substr(master_key_label,1,40) as MasterKey, substr(KEYSTORE_NAME,1,30) as KeystoreName FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())"


