In the blog How to Encrypt DB2 database we went through the step-by-step process of configuring DB2 Native Encryption using a Local KeyStore. A Local KeyStore carries the overhead of backup and maintenance, and if the Local KeyStore becomes inaccessible for any reason and you are unable to recover it, you cannot access your encrypted database; restoring from encrypted database backups will also be impossible. To reduce this overhead you can use a Centralized KeyStore. In this blog we will go through the step-by-step process of configuring DB2 Native Encryption using a Centralized KeyStore.
How to Encrypt DB2 Database using Centralized KeyStore?
Step 1: Prerequisite - Digital Certificate
You can use a self-signed digital certificate as well, but it is advised to use a digital certificate signed by a CA when using a Centralized KeyStore.
Step 2: Include gskit in the LD_LIBRARY_PATH, LIBPATH and SHLIB_PATH environment variables.
export PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/sqllib/lib64/gskit
export LD_LIBRARY_PATH
LD_LIBRARY_PATH=$LD_LIBRARY_PATH:$HOME/sqllib/lib32/gskit
export LD_LIBRARY_PATH
LIBPATH=$LIBPATH:$HOME/sqllib/lib64/gskit
export LIBPATH
LIBPATH=$LIBPATH:$HOME/sqllib/lib32/gskit
export LIBPATH
SHLIB_PATH=$SHLIB_PATH:$HOME/sqllib/lib64/gskit
export SHLIB_PATH
SHLIB_PATH=$SHLIB_PATH:$HOME/sqllib/lib32/gskit
export SHLIB_PATH
Step 3: Configure SSL
- Create local keystore
gsk8capicmd_64 -keydb -create -db SSL_Keystore.p12 -pw ssl_p@ss -type pkcs12 -stash
- Import certificate for SSL into Local KeyStore
gsk8capicmd_64 -cert -import -db ssl_certificate.pfx -pw P@ssw0rd -target SSL_Keystore.p12 -target_stashed
- Verify certificate import is successful
gsk8capicmd_64 -cert -list -db SSL_Keystore.p12 -stashed
- Update DBM CFG values
db2 update dbm cfg using SSL_SVR_KEYDB $HOME/.db2_ssl/SSL_Keystore.p12
db2 update dbm cfg using SSL_SVR_STASH $HOME/.db2_ssl/SSL_Keystore.sth
db2 update dbm cfg using SSL_VERSIONS TLSV12
db2 update dbm cfg using SSL_SVCENAME db2i3s
db2 update dbm cfg using SSL_SVR_LABEL db2ssl
- Update registry variable
db2set DB2COMM=SSL
- Restart db2 instance
db2stop
db2start
Step 4: Configure Encryption using Centralized KeyStore
- Create local keystore
gsk8capicmd_64 -keydb -create -db TEMP_KeyStore.p12 -pw P@ssw0rd -type pkcs12 -stash
- Create Master Key
gsk8capicmd_64 -secretkey -create -db TEMP_KeyStore.p12 -stashed -label NPMSTR -size 16
- Import certificate for encryption into Local KeyStore
gsk8capicmd_64 -cert -import -target TEMP_KeyStore.p12 -target_stashed -db db2_encryption.pfx -pw P@ssw0rd
- Verify certificate import is successful
gsk8capicmd_64 -cert -list -db TEMP_KeyStore.p12 -stashed
- Create KMIP Configuration file
$ cat KMIP_KeyStore.cfg
VERSION=1
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=TRUE
SSL_KEYDB=/home/db2i3/.db2_ssl/SSL_Keystore.p12
SSL_KEYDB_STASH=/home/db2i3/.db2_ssl/SSL_Keystore.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=db2ssl
MASTER_SERVER_HOST=192.168.2.160
MASTER_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.170
CLONE_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.180
CLONE_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.190
CLONE_SERVER_KMIP_PORT=9300
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE
COMMUNICATION_ERROR_RETRY_TIME=1
UNAVAILABLE_SERVER_BLACKOUT_PERIOD=300
ALL_SERVER_UNAVAILABLE_SLEEP=0
$
- Migrate Local KeyStore to Centralized KeyStore
db2p12tokmip -from TEMP_KeyStore.p12 -to KMIP_KeyStore.cfg
- Update DBM CFG values
db2 update dbm cfg using keystore_location /home/db2i3/.Key/KMIP_KeyStore.cfg keystore_type kmip
- Restart db2 instance
db2stop
db2start
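Because db2p12tokmip and the instance restart both depend on the KMIP configuration file being consistent, a pre-flight check of that file is worth running before Step 4 is applied. The Python below is an added example, not a DB2 or GSKit tool: it parses the KEY=VALUE format shown above (with the repeatable CLONE_SERVER_HOST/CLONE_SERVER_KMIP_PORT pairs), and checks that the keys the page's file sets once are present, that every clone host has a port, and that SSL_KEYDB_STASH is the .sth sibling of SSL_KEYDB as gsk8capicmd -stash produces. The sample config is constructed from the values on this page, and the required-key list is taken from that sample rather than from DB2 documentation.

```python
import re

# Constructed sample, shaped like the KMIP_KeyStore.cfg shown on this page.
SAMPLE_CFG = """VERSION=1
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=TRUE
SSL_KEYDB=/home/db2i3/.db2_ssl/SSL_Keystore.p12
SSL_KEYDB_STASH=/home/db2i3/.db2_ssl/SSL_Keystore.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=db2ssl
MASTER_SERVER_HOST=192.168.2.160
MASTER_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.170
CLONE_SERVER_KMIP_PORT=9300
CLONE_SERVER_HOST=192.168.2.180
CLONE_SERVER_KMIP_PORT=9300
"""
# Keys the page's file sets exactly once; the CLONE_SERVER_* pair may repeat.
REQUIRED_ONCE = ("VERSION", "PRODUCT_NAME", "SSL_KEYDB", "SSL_KEYDB_STASH",
                 "SSL_KMIP_CLIENT_CERTIFICATE_LABEL", "MASTER_SERVER_HOST",
                 "MASTER_SERVER_KMIP_PORT")

def parse_kmip_cfg(text):
    """Return (singles, clone_hosts, clone_ports); the lists keep file order."""
    singles, hosts, ports = {}, [], []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected KEY=VALUE, got {line!r}")
        key, value = (s.strip() for s in line.split("=", 1))
        if key in ("CLONE_SERVER_HOST", "CLONE_SERVER_KMIP_PORT"):
            (hosts if key == "CLONE_SERVER_HOST" else ports).append(value)
        elif key in singles:
            raise ValueError(f"line {n}: duplicate key {key}")
        else:
            singles[key] = value
    return singles, hosts, ports

def lint_kmip_cfg(text):
    """Return a list of problems; an empty list means the file is consistent."""
    singles, hosts, ports = parse_kmip_cfg(text)
    problems = [f"missing {k}" for k in REQUIRED_ONCE if k not in singles]
    if len(hosts) != len(ports):
        problems.append(f"{len(hosts)} CLONE_SERVER_HOST vs {len(ports)} CLONE_SERVER_KMIP_PORT")
    # gsk8capicmd -stash writes the stash beside the .p12 with the same base name.
    expected_stash = re.sub(r"\.p12$", ".sth", singles.get("SSL_KEYDB", ""))
    if singles.get("SSL_KEYDB_STASH") != expected_stash:
        problems.append("SSL_KEYDB_STASH is not the .sth sibling of SSL_KEYDB")
    return problems
```

Run `lint_kmip_cfg(open("KMIP_KeyStore.cfg").read())` against the real file; a non-empty list is a reason to fix the file before calling db2p12tokmip.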
Step 5: Encrypt Database