Enable SSL for DB2 HADR Communication

In the blog post DB2 SSL we went through the importance of SSL and the steps to configure SSL for DB2 communication on both the DB2 server and the client side. In this post we will go through the steps to configure SSL for DB2 HADR communication. You can configure SSL for both DB2 client/server communication and HADR communication, or for HADR communication only. If you have not read the DB2 SSL post, I highly recommend going through it first before moving on to the detailed steps for configuring SSL for DB2 HADR communication.

In this post we will use two local keystores, one for the Primary and one for the Standby. We will consider a 2-node HADR setup with the configuration below. If you have more than one Standby node, perform the steps below on every Standby node as well.

Primary Node : db2test1, Instance : db2i1

(Screenshot: DB2 HADR Configuration on db2test1)
Standby Node : db2test2, Instance : db2i1

(Screenshot: DB2 HADR Configuration on db2test2)
Step 1: Create Local KeyStore

Before creating the local keystore, create a folder to hold it and restrict access to that folder by changing its permission to 700 (owner only).

db2test1:

(Screenshot: Create Folder for Local KeyStore on db2test1)

db2test2:

(Screenshot: Create Folder for Local KeyStore on db2test2)

Create Local KeyStore on db2test1 and db2test2:

gsk8capicmd_64 -keydb -create -db "TESTDB_HADR_SSL.ps12" -pw "P@ssw0rd_Db@i#" -type pkcs12 -stash

(Screenshots: Create Local KeyStore on db2test1 and db2test2)

Step 2: Create Self Signed Digital Certificate

We will use a self-signed digital certificate; you can also use a CA-signed digital certificate.

db2test1:

gsk8capicmd_64 -cert -create -db "TESTDB_HADR_SSL.ps12" -stashed -label "TESTDB_HADR_SSL_PRIMARY" -dn "CN=db2test1"

(Screenshot: Create Self Signed Digital Certificate on db2test1)

db2test2:

gsk8capicmd_64 -cert -create -db "TESTDB_HADR_SSL.ps12" -stashed -label "TESTDB_HADR_SSL_STANDBY" -dn "CN=db2test2"

(Screenshot: Create Self Signed Digital Certificate on db2test2)

Verify Certificate in KeyStore on db2test1 and db2test2:

gsk8capicmd_64 -cert -list -db TESTDB_HADR_SSL.ps12 -stashed

(Screenshots: Verify Certificate in KeyStore on db2test1 and db2test2)

Step 3: Extract Certificate from Keystore

The certificate's public key is exported to a certificate file, which is then used to add that public key to the other nodes in the HADR setup.

db2test1:

gsk8capicmd_64 -cert -extract -db TESTDB_HADR_SSL.ps12 -stashed -label TESTDB_HADR_SSL_PRIMARY -target TESTDB_HADR_SSL_PRIMARY.crt

(Screenshot: Extract certificate from KeyStore on db2test1)

db2test2:

gsk8capicmd_64 -cert -extract -db TESTDB_HADR_SSL.ps12 -stashed -label TESTDB_HADR_SSL_STANDBY -target TESTDB_HADR_SSL_STANDBY.crt

(Screenshot: Extract certificate from KeyStore on db2test2)

Step 4: Copy (scp) the extracted certificate file to the other nodes in the HADR setup

db2test1:

scp TESTDB_HADR_SSL_PRIMARY.crt db2i1@db2test2:/dbdata/db2i1/.SSL/

(Screenshot: SCP extracted certificate file from db2test1)

db2test2:

scp TESTDB_HADR_SSL_STANDBY.crt db2i1@db2test1:/dbdata/db2i1/.SSL/

(Screenshot: SCP extracted certificate file from db2test2)

Verify certificate files

(Screenshots: Verify Certificate file on db2test1 and db2test2)

Step 5: Add the extracted certificate file of db2test1 to the local keystore of db2test2, and vice versa.

db2test1:

gsk8capicmd_64 -cert -add -db TESTDB_HADR_SSL.ps12 -stashed -label TESTDB_HADR_SSL_STANDBY -file TESTDB_HADR_SSL_STANDBY.crt

gsk8capicmd_64 -cert -list -db TESTDB_HADR_SSL.ps12 -stashed

(Screenshot: Add extracted certificate file on db2test1)

db2test2:

gsk8capicmd_64 -cert -add -db TESTDB_HADR_SSL.ps12 -stashed -label TESTDB_HADR_SSL_PRIMARY -file TESTDB_HADR_SSL_PRIMARY.crt

gsk8capicmd_64 -cert -list -db TESTDB_HADR_SSL.ps12 -stashed

(Screenshot: Add extracted certificate file on db2test2)

Step 6: Update DBM CFG.

Update the DBM CFG parameters SSL_SVR_KEYDB and SSL_SVR_STASH on both db2test1 and db2test2. To configure SSL for HADR communication only, there is no need to set the DBM parameters SSL_VERSIONS, SSL_SVCENAME or SSL_SVR_LABEL, and no need to set the DB2 registry variable DB2COMM=SSL.

db2 update dbm cfg using SSL_SVR_KEYDB /dbdata/db2i1/.SSL/TESTDB_HADR_SSL.ps12

db2 update dbm cfg using SSL_SVR_STASH /dbdata/db2i1/.SSL/TESTDB_HADR_SSL.sth

(Screenshots: Update DBM CFG SSL_SVR_KEYDB, SSL_SVR_STASH on db2test1 and db2test2)

Step 7: Stop HADR and restart instance.

Stop HADR on both the Primary and Standby nodes and restart the instance.

db2test1:

db2 stop hadr on db TESTDB
db2 deactivate db TESTDB
db2stop
db2start

(Screenshot: Stop HADR and restart instance on db2test1)

db2test2:

On the standby node, first deactivate the database and then stop HADR; otherwise you might get error SQL1769N with reason code 2.

db2 deactivate db TESTDB
db2 stop hadr on db TESTDB
db2stop
db2start

(Screenshot: Stop HADR and restart instance on db2test2)

Step 8: Update DB CFG and start HADR.

Update the DB CFG parameter HADR_SSL_LABEL with the label used when creating the self-signed digital certificate in Step 2 (each node uses its own label).

db2test1:

db2 update db cfg for testdb using HADR_SSL_LABEL TESTDB_HADR_SSL_PRIMARY
db2 start hadr on db TESTDB as primary

(Screenshot: Update DB CFG and Start HADR on db2test1)

db2test2:

db2 update db cfg for testdb using HADR_SSL_LABEL TESTDB_HADR_SSL_STANDBY
db2 start hadr on db TESTDB as standby

(Screenshot: Update DB CFG and Start HADR on db2test2)

Check HADR Status

db2pd -hadr -db testdb

(Screenshot: Check HADR Status output of db2pd -hadr -db testdb)
With this, both databases in the HADR setup now use SSL for HADR communication. This can be confirmed by checking that the HADR status output shows HADR_FLAGS = SSL_PROTOCOL.
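The checks a DBA would want to repeat on each node after Step 8, as an added example that is not part of the original post: the keystore folder permission from Step 1, both certificate labels in the keystore listing from Step 5, and the HADR_FLAGS value from the db2pd output above. The keystore path, the two labels and the sample command outputs are assumptions or constructed text, not captured from a real system.

```shell
#!/bin/sh
# Added example, not from the original post. Sanity checks for the HADR SSL
# setup; run with the argument "live" on a node to call the real commands.
# Path and labels below are assumed from the post (swap labels on the standby).

KEYSTORE_DIR="/dbdata/db2i1/.SSL"        # assumed keystore folder from Step 1
OWN_LABEL="TESTDB_HADR_SSL_PRIMARY"      # this node's HADR_SSL_LABEL
PEER_LABEL="TESTDB_HADR_SSL_STANDBY"     # the other node's certificate label

# 0 if the keystore folder is owner-only (the chmod 700 from Step 1), else 1.
# Uses ls -ld instead of stat so the check is portable across Unix flavours.
check_keystore_dir_mode() {
    [ -d "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# 0 if a gsk8capicmd_64 -cert -list listing read from stdin names label $1.
# Listing lines carry a marker ("-" personal, "!" trusted) before the label.
listing_has_label() {
    sed -e 's/^[-!*#]//' -e 's/^[[:space:]]*//' | grep -qx "$1"
}

# 0 if db2pd -hadr output read from stdin has HADR_FLAGS containing SSL_PROTOCOL.
hadr_uses_ssl() {
    grep -E '^[[:space:]]*HADR_FLAGS[[:space:]]*=' | grep -q 'SSL_PROTOCOL'
}

# Run all checks against the real tools on this node; prints PASS/FAIL per check.
run_checks() {
    check_keystore_dir_mode "$KEYSTORE_DIR" && echo "PASS dir mode" || echo "FAIL dir mode"
    listing=$(gsk8capicmd_64 -cert -list -db "$KEYSTORE_DIR/TESTDB_HADR_SSL.ps12" -stashed)
    for l in "$OWN_LABEL" "$PEER_LABEL"; do
        printf '%s\n' "$listing" | listing_has_label "$l" \
            && echo "PASS label $l" || echo "FAIL label $l"
    done
    db2pd -hadr -db testdb | hadr_uses_ssl \
        && echo "PASS HADR_FLAGS SSL_PROTOCOL" || echo "FAIL HADR_FLAGS SSL_PROTOCOL"
}

if [ "$1" = "live" ]; then
    run_checks
fi
```

A FAIL on the label check usually means Step 5 was done on only one side; a FAIL on HADR_FLAGS means HADR was started before HADR_SSL_LABEL was set.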
