Securing communication between SDS VA and its remote DB2 DB Companion Document. Document version 1.0

Size: px

Start display at page:

Download "Securing communication between SDS VA and its remote DB2 DB Companion Document. Document version 1.0"

Berenice Stone
5 years ago
Views:

1 Securing communication between SDS VA and its remote DB2 DB Companion Document Document version 1.0

2 Document change history Changed by Doc Date Changes Version Ramamohan T. Reddy 1.0 2/15/2017 Initial version IBM Security Directory Suite Page 2

3 Contents 1. Introduction SDS VA - Remote Database - Prerequisite Presentation Configuring SSL between SDS VA and its Remote DB2 database Self-signed Certificates CA Signed Certificates Transfer client key database and stash file over to SDS VA DB2 server side configuration update for SSL on Remote system SDS VA Configuration update for SSL using idscfgdb SDS VA Configuration update for SSL for an already configured Remote DB SDS VA Configuration update to switch back to TCPIP (non-ssl) Verification IBM Security Directory Suite Page 3

1. Introduction This companion document provides details for the steps provided in the presentation OpenMic- ISDS801_RemoteDB2ConfigWithSSL_15Feb2017-v1.pdf. 2. SDS 8.0.1 VA - Remote Database - Prerequisite Presentation Please refer: Configuring SDS 8.

4 1. Introduction This companion document provides details for the steps provided in the presentation OpenMic- ISDS801_RemoteDB2ConfigWithSSL_15Feb2017-v1.pdf. 2. SDS VA - Remote Database - Prerequisite Presentation Please refer: Configuring SDS Virtual Appliance with a remote DB2 database provides info on SDS VA Introduction, features and editions. Embedded DB vs Remote DB SDS and Remote Database system requirements Requires DB (FP8 recommended) Download GA level part numbers and Fix packs. SDS Installation DB and Fix Pack Installation on Remote system. Applying DB2 ESE License Remote system db2 instance and database config using provided tool - idscfgremotedb Remote system db2 instance and database config using custom commands Configuration on SDS VA to connect to remote database Data Import / export methods Hints for Migration / Upgrade from Directory Sever V6.* 3. Configuring SSL between SDS VA and its Remote DB2 database Main goal of this document is to configure SDS VA Directory Server (with embedded DB2 client) and Remote DB2 server to use SSL (with TLSv1* secure protocol version) on TCPIP connection: IBM Security Directory Suite Page 4

5 4. Self-signed Certificates On the AIX/Linux/Solaris Remote DB2 server system - login or su into db2 instance: ==> su db2inst1 On the Windows Remote DB2 server system - open a DB2 command window - Administrator: C:\> "C:\Progra~1\IBM\SQLLIB\BIN\db2cwadmin.bat" On the AIX/Linux/Solaris system - Update path to include GSKit binaries $ export PATH=~/sqllib/gskit/bin:$PATH $ which gsk8capicmd_64 /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 $ gsk8capicmd_64 -version GSKCAPICMD IBM IBM Global Security gskcapicmd Licensed Materials - Property of IBM GSKit (C) Copyright IBM Corp.1995, 2015 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM gsk8i (GoldCoast Build) gsk8i_151211/gsk8i_ikm gsk8i_151110/gsk8i_pkg gsk8i_151211/gsk8i_support gsk8i_151218/gsk8i_ssl gsk8i_151214/gsk8i_acme gsk8i_151112/gsk8i_cms gsk8i_151112/gsk8i_doc On the Windows system - Update path to include GSKit binaries C:\> set path=c:\progra~1\ibm\gsk8\bin;%path% C:\Users\db2inst1> echo %PATH% C:\Progra~1\IBM\gsk8\bin; C:\Program Files\IBM\SQLLIB\BIN\..\db2tss\bin; C:\PROGRA~1\IBM\SQLLIB\BIN\..\db2tss\bin; C:\Program Files\IBM\SQLLIB\BIN; C:\Program Files\IBM\SQLLIB\FUNCTION; IBM Security Directory Suite Page 5

6 C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem; C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Program Files\ibm\gsk8\lib64; C:\Program Files (x86)\ibm\gsk8\lib C:\> gsk8capicmd_64 version GSKCAPICMD IBM IBM Global Security gskcapicmd Licensed Materials - Property of IBM GSKit (C) Copyright IBM Corp.1995, 2015 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM gsk8i (GoldCoast Build) gsk8i_151211/gsk8i_ikm gsk8i_151110/gsk8i_pkg gsk8i_151211/gsk8i_support gsk8i_151218/gsk8i_ssl gsk8i_151214/gsk8i_acme gsk8i_151112/gsk8i_cms gsk8i_151112/gsk8i_doc On the AIX/Linux/Solaris system - Create a folder to hold the key databases and extracted certificate files $ mkdir ~/sqllib/security/keystore $ cd ~/sqllib/security/keystore On the Windows system - Create a folder to hold the key databases and extracted certificate files C:\> cd C:\Progra~1\IBM\SQLLIB\security C:\PROGRA~1\IBM\SQLLIB\security> dir Volume in drive C has no label. Volume Serial Number is 70DD-A41B Directory of C:\PROGRA~1\IBM\SQLLIB\security 01/14/ :58 PM <DIR>. 01/14/ :58 PM <DIR>.. 01/14/ :58 PM <DIR> plugin 0 File(s) 0 bytes 3 Dir(s) 23,688,880,128 bytes free IBM Security Directory Suite Page 6

7 C:\PROGRA~1\IBM\SQLLIB\security> mkdir keystore C:\PROGRA~1\IBM\SQLLIB\security> cd keystore Create key database for the DB2 server $ gsk8capicmd_64 -keydb -create -db mydbserver.kdb -pw passwd -stash Create a Self-signed certificate $ gsk8capicmd_64 -cert -create -db mydbserver.kdb -pw passwd -label myselfsigned -dn "cn=dbserverhostname" -size default_cert yes -sig_alg SHA256WithRSA Extract the server s certificate $ gsk8capicmd_64 -cert -extract -db mydbserver.kdb -pw passwd -label myselfsigned -target mydbserver.arm -format ascii Create key database for the DB2 client (SDS VA) $ gsk8capicmd_64 -keydb -create -db mydbclient.kdb -pw passwd -stash Add the extracted server s certificate into the client key database $ gsk8capicmd_64 -cert -add -db mydbclient.kdb -pw passwd -label myselfsigned -file mydbserver.arm -format ascii On AIX/Linux/Solaris - Verify $ ls -l total 88 -rw db2inst1 dbsysadm 88 Feb 10 19:44 mydbclient.crl -rw db2inst1 dbsysadm 5088 Feb 10 19:45 mydbclient.kdb -rw db2inst1 dbsysadm 88 Feb 10 19:44 mydbclient.rdb -rw db2inst1 dbsysadm 129 Feb 10 19:44 mydbclient.sth -rw-r--r-- 1 db2inst1 dbsysadm 1078 Feb 10 19:11 mydbserver.arm -rw db2inst1 dbsysadm 88 Feb 10 19:11 mydbserver.crl -rw db2inst1 dbsysadm 5088 Feb 10 19:11 mydbserver.kdb -rw db2inst1 dbsysadm 88 Feb 10 19:11 mydbserver.rdb -rw db2inst1 dbsysadm 129 Feb 10 19:11 mydbserver.sth IBM Security Directory Suite Page 7

8 $ gsk8capicmd_64 -cert -list -db mydbclient.kdb -pw secret -label myselfsigned! myselfsigned $ gsk8capicmd_64 -cert -details -db mydbclient.kdb -pw secret -label myselfsigned Label : myselfsigned Key Size : 2048 Version : X509 V3 Serial : 42b8f c7 Issuer : CN=dbserverhostname Subject : CN=dbserverhostname Not Before : February 9, :11:36 PM CST Not After : February 10, :11:36 PM CST... On Windows - Verify C:\PROGRA~1\IBM\SQLLIB\security\keystore> dir Volume in drive C has no label. Volume Serial Number is 70DD-A41B Directory of C:\PROGRA~1\IBM\SQLLIB\security\keystore 02/12/ :12 PM <DIR>. 02/12/ :12 PM <DIR>.. 02/12/ :12 PM 88 mydbclient.crl 02/12/ :13 PM 5,088 mydbclient.kdb 02/12/ :12 PM 88 mydbclient.rdb 02/12/ :12 PM 129 mydbclient.sth 02/12/ :12 PM 1,096 mydbserver.arm 02/12/ :11 PM 88 mydbserver.crl 02/12/ :12 PM 5,088 mydbserver.kdb 02/12/ :11 PM 88 mydbserver.rdb 02/12/ :11 PM 129 mydbserver.sth 9 File(s) 11,882 bytes 2 Dir(s) 23,688,904,704 bytes free$ C:\...\keystore> gsk8capicmd_64 -cert -list -db mydbclient.kdb -pw secret Certificates found * default, - personal,! trusted, # secret key! myselfsigned C:\...\keystore> gsk8capicmd_64 -cert -details -db mydbclient.kdb -pw secret -label myselfsigned Label : myselfsigned Key Size : 2048 Version : X509 V3 Serial : 18f01893c64cf327 Issuer : CN=dbserverhostname IBM Security Directory Suite Page 8

9 Subject : CN=dbserverhostname Not Before : February 11, :12:07 PM EST Not After : February 12, :12:07 PM EST CA Signed Certificates On the AIX/Linux/Solaris Remote DB2 server system - login or su into db2 instance: ==> su db2inst1 On the Windows Remote DB2 server system - open a DB2 command window - Administrator: C:\> "C:\Progra~1\IBM\SQLLIB\BIN\db2cwadmin.bat" On the AIX/Linux/Solaris system - Update path to include GSKit binaries $ export PATH=~/sqllib/gskit/bin:$PATH $ which gsk8capicmd_64 /home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 $ gsk8capicmd_64 -version GSKCAPICMD IBM IBM Global Security gskcapicmd Licensed Materials - Property of IBM GSKit (C) Copyright IBM Corp.1995, 2015 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM gsk8i (GoldCoast Build) gsk8i_151211/gsk8i_ikm gsk8i_151110/gsk8i_pkg gsk8i_151211/gsk8i_support gsk8i_151218/gsk8i_ssl gsk8i_151214/gsk8i_acme gsk8i_151112/gsk8i_cms gsk8i_151112/gsk8i_doc On the Windows system - Update path to include GSKit binaries C:\> set path=c:\progra~1\ibm\gsk8\bin;%path% IBM Security Directory Suite Page 9

10 C:\Users\db2inst1> echo %PATH% C:\Progra~1\IBM\gsk8\bin; C:\Program Files\IBM\SQLLIB\BIN\..\db2tss\bin; C:\PROGRA~1\IBM\SQLLIB\BIN\..\db2tss\bin; C:\Program Files\IBM\SQLLIB\BIN; C:\Program Files\IBM\SQLLIB\FUNCTION; C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem; C:\Windows\System32\WindowsPowerShell\v1.0\; C:\Program Files\ibm\gsk8\lib64; C:\Program Files (x86)\ibm\gsk8\lib C:\> gsk8capicmd_64 version GSKCAPICMD IBM IBM Global Security gskcapicmd Licensed Materials - Property of IBM GSKit (C) Copyright IBM Corp.1995, 2015 All Rights Reserved. US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM gsk8i (GoldCoast Build) gsk8i_151211/gsk8i_ikm gsk8i_151110/gsk8i_pkg gsk8i_151211/gsk8i_support gsk8i_151218/gsk8i_ssl gsk8i_151214/gsk8i_acme gsk8i_151112/gsk8i_cms gsk8i_151112/gsk8i_doc On the AIX/Linux/Solaris system - Create a folder to hold the key databases and extracted certificate files $ mkdir ~/sqllib/security/cacert_server $ cd ~/sqllib/security/cacert_server On the Windows system - Create a folder to hold the key databases and extracted certificate files C:\> cd C:\Progra~1\IBM\SQLLIB\security C:\PROGRA~1\IBM\SQLLIB\security> dir Volume in drive C has no label. Volume Serial Number is 70DD-A41B Directory of C:\PROGRA~1\IBM\SQLLIB\security IBM Security Directory Suite Page 10

11 01/14/ :58 PM <DIR>. 01/14/ :58 PM <DIR>.. 01/14/ :58 PM <DIR> plugin 0 File(s) 0 bytes 3 Dir(s) 23,688,880,128 bytes free C:\PROGRA~1\IBM\SQLLIB\security> mkdir cacert_server C:\PROGRA~1\IBM\SQLLIB\security> cd cacert_server Create key database for the DB2 server $ gsk8capicmd_64 -keydb -create -db mydbserver.kdb -pw passwd -stash Create a Certificate Signing Request (CSR) for the DB2 Server $ gsk8capicmd_64 -certreq -create -db mydbserver.kdb -stashed -label "mydbservercert" -dn "cn=mydbserver,ou=divisiona,o=acompany" -file mydbservercertreq.arm -sigalg SHA256WithRSA Transfer the CSR mydbservercertreq.arm file to the CA system and get it signed by a CA This is a manual step depending on your CA provided method upload the CSR over to CA. Download signed certificate and also download the Root and any intermediate signer certificate(s) from CA provided Web Interface or some other method. Add Root Signer Certificate to DB2 Server key database $ gsk8capicmd_64 -cert -add -db mydbserver.kdb -stashed -label "Root CA cert" -file rootca.arm -format ascii -trust enable Add Intermediate Signer Certificate to DB2 Server key database $ gsk8capicmd_64 cert -add -db mydbserver.kdb -stashed -label "Intermediate CA cert" -file interca.arm -format ascii -trust enable Receive signed db2 server certificate $ gsk8capicmd_64 -cert -receive -db mydbserver.kdb -stashed -file mydbservercert.arm -default_cert yes On the AIX/Linux/Solaris system - Create a folder to hold the key databases and extracted certificate files $ mkdir ~/sqllib/security/cacert_client IBM Security Directory Suite Page 11

12 $ cd ~/sqllib/security/cacert_client On the Windows system - Create a folder to hold the key databases and extracted certificate files C:\> cd C:\Progra~1\IBM\SQLLIB\security C:\PROGRA~1\IBM\SQLLIB\security> mkdir cacert_client C:\PROGRA~1\IBM\SQLLIB\security> cd cacert_client Create key database for the DB2 server $ gsk8capicmd_64 -keydb -create -db mydbclient.kdb -pw passwd -stash Create a Certificate Signing Request (CSR) for the DB2 Server $ gsk8capicmd_64 -certreq -create -db mydbclient.kdb -stashed -label "mydbclientcert" -dn "cn=mydbclient,ou=divisiona,o=acompany" -file mydbclientcertreq.arm -sigalg SHA256WithRSA Transfer the CSR mydbclientcertreq.arm file to the CA system and get it signed by a CA This is a manual step depending on your CA provided method upload the CSR over to CA. Download signed certificate and also download the Root and any intermediate signer certificate(s) from CA provided Web Interface or some other method. Add Root Signer Certificate to DB2 Client key database $ gsk8capicmd_64 -cert -add -db mydbclient.kdb -stashed -label "Root CA cert" -file rootca.arm -format ascii -trust enable Add Intermediate Signer Certificate to DB2 Client key database $ gsk8capicmd_64 cert -add -db mydbclient.kdb -stashed -label "Intermediate CA cert" -file interca.arm -format ascii -trust enable Receive signed db2 client certificate $ gsk8capicmd_64 -cert -receive -db mydbclient.kdb -stashed -file mydbclientcert.arm -default_cert yes IBM Security Directory Suite Page 12

6. Transfer client key database and stash file over to SDS 8.

Click on Top Menu Configure Directory Suite then Click on

13 6. Transfer client key database and stash file over to SDS VA Connect to Web LMI using browser - Login as admin Click on Top Menu Configure Directory Suite then Click on Custom File Management IBM Security Directory Suite Page 13

14 Click on Certificates folder under All Files Tab -> Then Click on Upload In the resulting File Upload dialog box click on Browse button Navigate and select the mydbclient.kdb and click on Save Configuration button Similarly navigate and select the mydbclient.sth and click on Save Configuration button IBM Security Directory Suite Page 14

15 After completing uploads: 7. DB2 server side configuration update for SSL on Remote system On AIX/Linux/Solaris Remote DB2 server as root user find the current DB2 instance s service port ==> grep db2inst1svc /etc/services db2inst1svc 6512/tcp Find and add / assign an unused port for the purpose of DB2 instance s SSL service port ==> grep -i 6516 /etc/services # No results expected. ==> echo "db2inst1svcssl 6516/tcp" >> /etc/services ==> grep db2inst1svc /etc/services db2inst1svc 6512/tcp db2inst1svcssl 6516/tcp On Windows Remote DB2 server system - open a DB2 command window - Administrator C:\> C:\Progra~1\IBM\SQLLIB\BIN\db2cwadmin.bat C:\> findstr db2inst1svc C:\Windows\System32\drivers\etc\services db2inst1svc 6512/tcp IBM Security Directory Suite Page 15

16 On Windows Find and add / assign an unused port for the purpose of DB2 instance s SSL service port C:\> findstr 6516 C:\Windows\System32\drivers\etc\services C:\> echo db2inst1svcssl 6516/tcp >> C:\Windows\System32\drivers\etc\services C:\> findstr db2inst1svc C:\Windows\System32\drivers\etc\services db2inst1svc 6512/tcp db2inst1svcssl 6516/tcp On AIX/Linux/Solaris - Login or su into db2 instance: ==> su - db2inst1 On Windows Remote DB2 server system - continue on DB2 command window - Administrator C:\> set db2instance=db2inst1 Update DBM CFG configuration SSL key file path parameter for DB2 server - ssl_svr_keydb For Self-signed certificate containing kdb: $ db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/keystore/mydbserver.kdb DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. For CA signed certificate containing kdb: $ db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/cacert_server/mydbserver.kdb DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. On Windows use file with full path $ db2 update dbm cfg using SSL_SVR_KEYDB C:\PROGRA~1\IBM\SQLLIB\security\keystore\mydbserver.kdb DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. Update DBM CFG configuration SSL key stash file path parameter for DB2 server - ssl_svr_stash For stash file corresponding to Self-signed certificate containing kdb: $ db2 update dbm cfg using ssl_svr_stash /home/db2inst1/sqllib/security/keystore/mydbserver.sth DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. For CA signed certificate containing kdb: $ db2 update dbm cfg using ssl_svr_stash /home/db2inst1/sqllib/security/cacert_server/mydbserver.sth IBM Security Directory Suite Page 16

17 DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. On Windows use stash file with full path $ db2 update dbm cfg using ssl_svr_stash C:\PROGRA~1\IBM\SQLLIB\security\keystore\mydbserver.sth DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. Update DBM CFG configuration certificate label parameter - ssl_svr_label For Self-signed certificate: $ db2 update dbm cfg using ssl_svr_label myselfsigned DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. For CA signed certificate containing kdb: $ db2 update dbm cfg using ssl_svr_label mydbservercert DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. Update DBM CFG configuration SSL service name parameter - ssl_svcename $ db2 update dbm cfg using ssl_svcename db2inst1svcssl DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. Update DBM CFG configuration Supported SSL versions parameter - ssl_versions $ db2 update dbm cfg using ssl_versions "TLSV12,TLSV1" DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. Set DB2 registry variable DB2COMM value to either SSL (or to include SSL along with TCPIP) $ db2set -all grep DB2COMM [i] DB2COMM=TCPIP $ db2set -i db2inst1 DB2COMM=SSL $ db2set -all grep DB2COMM [i] DB2COMM=SSL Restart DB2 $ db2stop 02/10/ :38: SQL1064N DB2STOP processing was successful. SQL1064N DB2STOP processing was successful. IBM Security Directory Suite Page 17

18 $ db2start 02/10/ :38: SQL1063N DB2START processing was successful. SQL1063N DB2START processing was successful. Verify if the SSL port is listening $ netstat -an egrep "(Local 6516)" Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 *.6516 *.* LISTEN 8. SDS VA Configuration update for SSL using idscfgdb Connect to the SDS VA system on CLI using putty or SSH as admin ==> ssh admin@sds801va1 admin@sds801va1's password: Last login: Sun Jan 15 00:55: Welcome to the IBM Security Directory Suite appliance Enter "help" for a list of available commands sds801va1> Configure the SDS Directory Server to use remote database along with SSL parameters using idscfgdb tool: In the command below SSL options are: -L : Setup SSL communication with Remote Database. -B : kdb file name - uploaded to Certificates folder -H : stash file name - uploaded to Certificates folder Note: Provide file name(s) that are in Certificates folder without any path just as shown above. sds801va1> sds server_tools idscfgdb -I sdsinst1 -a sdsinst1 -t ldapdb -w sdsinst1 -Y -S l /home/sdsinst1 -P mydbserverhost -u db2inst1 -p passwd -L -B mydbclient.kdb -H mydbclient.sth -n DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. GLPWRP123I The program '/opt/ibm/ldap/v8.0.1/sbin/64/idscfgdb' is used with the following arguments '-I sdsinst1 -a sdsinst1 -t ldapdb -w ***** -Y -S l /home/sdsinst1 -P mydbserverhost -u db2inst1 -p ***** -L -B /userdata/directory/certificates/mydbclient.kdb -H /userdata/directory/certificates/mydbclient.sth -n'. You have chosen to perform the following actions: IBM Security Directory Suite Page 18

19 GLPCDB023I Database 'ldapdb' will be configured. GLPCDB035I Adding database 'ldapdb' to directory server instance: GLPCTL011I Stopping database manager for the database instance: GLPCTL012I Stopped database manager for the database instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPCTL020I Updating the database manager: GLPCTL021I Updated the database manager: GLPCDB005I Configuring database 'ldapdb' for directory server instance: GLPCDB006I Configured database 'ldapdb' for directory server instance: GLPCTL011I Stopping database manager for the database instance: GLPCTL012I Stopped database manager for the database instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPCDB003I Added database 'ldapdb' to directory server instance: Proceed to start Directory Server. sds801va1> sds server_tools ibmslapd n GLPSRV041I Server starting. GLPCTL113I Largest core file size creation limit for the process (in bytes): '-1'(Soft limit) and '-1'(Hard limit). GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL122I Maximum Open Files soft ulimit for the process is 1024 and the prescribed minimum is 500. GLPCTL119I Maximum Stack Size(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is from libevent.so. from libtranext.so. IBM Security Directory Suite Page 19

20 from libldaprepl.so. GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file. GLPCOM021I The preoperation plugin is successfully loaded from libdigest.so. from libevent.so. from libtranext.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM025I The audit plugin is successfully loaded from libldapaudit.so. from libevent.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM022I The database plugin is successfully loaded from libback-config.so. from libevent.so. from libtranext.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM022I The database plugin is successfully loaded from libback-rdbm.so. GLPCOM010I Replication plugin is successfully loaded from libldaprepl.so. GLPSRV189I Virtual list view support is enabled. GLPCOM021I The preoperation plugin is successfully loaded from libpta.so. GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database. GLPSRV207I Group conflict resolution during replication is disabled. GLPSRV221I Replication of security attributes feature is disabled. GLPSRV247I Initializing primary REMOTE database 'ldapdb' and its connections. VAUUID check on the remote database passed. VAUUID check on the remote database passed. GLPRDB126I The directory server will not use DB2 selectivity. GLPSRV015I Server configured to use 636 as the secure port. IBM Security Directory Suite Page 20

21 from libloga.so. from libidsfget.so. GLPSRV232I Pass-through authentication is disabled. GLPSRV234I Pass-through support for compare operations is disabled. GLPCOM003I Non-SSL port initialized to 389. GLPCOM004I SSL port initialized to T19:23: :00 VAUUID check on the remote database passed. GLPRPL137I Restricted Access to the replication topology is set to false. GLPCOM039I Suite B mode is disabled. GLPSSL039I Secure communication using the TLS10 protocol is enabled. GLPSSL039I Secure communication using the TLS11 protocol is enabled. GLPSSL039I Secure communication using the TLS12 protocol is enabled. GLPSRV047W Anonymous binds will be allowed. GLPSRV047W Anonymous binds will be allowed. GLPSRV009I server started. 9. SDS VA Configuration update for SSL for an already configured Remote DB Connect to the SDS VA system on CLI using putty or SSH as admin ==> ssh admin@sds801va1 admin@sds801va1's password: Last login: Sun Jan 15 00:55: Welcome to the IBM Security Directory Suite appliance Enter "help" for a list of available commands sds801va1> Stop Directory Server sds801va1> sds server_tools ibmslapd -k GLPSRV176I Terminated directory server instance 'sdsinst1' normally. Unconfigure remote database configuration (these options leave the data in database intact). sds801va1> sds server_tools idsucfgdb -I sdsinst1 -Y n GLPWRP123I The program '/opt/ibm/ldap/v8.0.1/sbin/64/idsucfgdb' is used with the following arguments '-I sdsinst1 -Y -n'. You have chosen to perform the following actions: IBM Security Directory Suite Page 21

22 GLPUDB017I The database for directory server instance 'sdsinst1' will be unconfigured. GLPUDB018I Database will be left on your system. GLPUDB002I Removing the DB2 database from directory server instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPUDB005I Unconfiguring database 'ldapdb' for directory server instance: GLPUDB006I Unconfigured database 'ldapdb' for directory server instance: GLPCTL014I Uncataloging database instance node: GLPCTL015I Uncataloged database instance node: GLPCTL011I Stopping database manager for the database instance: GLPCTL012I Stopped database manager for the database instance: GLPUDB003I Removed the DB2 database from directory server instance: On the Remote DB2 server system perform all the steps mentioned in Section DB2 server side configuration update for SSL on Remote system Back to SDS VA configure remote database along with SSL parameters using idscfgdb tool: sds801va1> sds server_tools idscfgdb -I sdsinst1 -a sdsinst1 -t ldapdb -w sdsinst1 -Y -S l /home/sdsinst1 -P mydbserverhost -u db2inst1 -p passwd -L -B mydbclient.kdb -H mydbclient.sth n DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. DB20000I The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully. GLPWRP123I The program '/opt/ibm/ldap/v8.0.1/sbin/64/idscfgdb' is used with the following arguments '-I sdsinst1 -a sdsinst1 -t ldapdb -w ***** -Y -S l /home/sdsinst1 -P mydbserverhost -u db2inst1 -p ***** -L -B /userdata/directory/certificates/mydbclient.kdb -H /userdata/directory/certificates/mydbclient.sth -n'. You have chosen to perform the following actions: GLPCDB023I Database 'ldapdb' will be configured. GLPCDB035I Adding database 'ldapdb' to directory server instance: GLPCTL011I Stopping database manager for the database instance: IBM Security Directory Suite Page 22

23 GLPCTL012I Stopped database manager for the database instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPCTL020I Updating the database manager: GLPCTL021I Updated the database manager: GLPCDB005I Configuring database 'ldapdb' for directory server instance: GLPCDB006I Configured database 'ldapdb' for directory server instance: GLPCTL011I Stopping database manager for the database instance: GLPCTL012I Stopped database manager for the database instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPCDB003I Added database 'ldapdb' to directory server instance: Proceed to start Directory Server. sds801va1> sds server_tools ibmslapd n GLPSRV041I Server starting. GLPCTL113I Largest core file size creation limit for the process (in bytes): '-1'(Soft limit) and '-1'(Hard limit). GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL122I Maximum Open Files soft ulimit for the process is 1024 and the prescribed minimum is 500. GLPCTL119I Maximum Stack Size(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is from libevent.so. from libtranext.so. from libldaprepl.so. GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file. GLPCOM021I The preoperation plugin is successfully loaded from libdigest.so. IBM Security Directory Suite Page 23

24 from libevent.so. from libtranext.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM025I The audit plugin is successfully loaded from libldapaudit.so. from libevent.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM022I The database plugin is successfully loaded from libback-config.so. from libevent.so. from libtranext.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM022I The database plugin is successfully loaded from libback-rdbm.so. GLPCOM010I Replication plugin is successfully loaded from libldaprepl.so. GLPSRV189I Virtual list view support is enabled. GLPCOM021I The preoperation plugin is successfully loaded from libpta.so. GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database. GLPSRV207I Group conflict resolution during replication is disabled. GLPSRV221I Replication of security attributes feature is disabled. GLPSRV247I Initializing primary REMOTE database 'ldapdb' and its connections. VAUUID check on the remote database passed. VAUUID check on the remote database passed. GLPRDB126I The directory server will not use DB2 selectivity. GLPSRV015I Server configured to use 636 as the secure port. from libloga.so. from libidsfget.so. GLPSRV232I Pass-through authentication is disabled. GLPSRV234I Pass-through support for compare operations is disabled. IBM Security Directory Suite Page 24

25 GLPCOM003I Non-SSL port initialized to 389. GLPCOM004I SSL port initialized to T19:23: :00 VAUUID check on the remote database passed. GLPRPL137I Restricted Access to the replication topology is set to false. GLPCOM039I Suite B mode is disabled. GLPSSL039I Secure communication using the TLS10 protocol is enabled. GLPSSL039I Secure communication using the TLS11 protocol is enabled. GLPSSL039I Secure communication using the TLS12 protocol is enabled. GLPSRV047W Anonymous binds will be allowed. GLPSRV047W Anonymous binds will be allowed. GLPSRV009I server started. 10. SDS VA Configuration update to switch back to TCPIP (non-ssl) Connect to the SDS VA system on CLI using putty or SSH as admin ==> ssh admin@sds801va1 admin@sds801va1's password: Last login: Sun Jan 15 00:55: Welcome to the IBM Security Directory Suite appliance Enter "help" for a list of available commands sds801va1> Stop Directory Server sds801va1> sds server_tools ibmslapd -k GLPSRV176I Terminated directory server instance 'sdsinst1' normally. Unconfigure remote database configuration (these options leave the data in database intact). sds801va1> sds server_tools idsucfgdb -I sdsinst1 -Y n GLPWRP123I The program '/opt/ibm/ldap/v8.0.1/sbin/64/idsucfgdb' is used with the following arguments '-I sdsinst1 -Y -n'. You have chosen to perform the following actions: GLPUDB017I The database for directory server instance 'sdsinst1' will be unconfigured. GLPUDB018I Database will be left on your system. GLPUDB002I Removing the DB2 database from directory server instance: IBM Security Directory Suite Page 25

26 GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPUDB005I Unconfiguring database 'ldapdb' for directory server instance: GLPUDB006I Unconfigured database 'ldapdb' for directory server instance: GLPCTL014I Uncataloging database instance node: GLPCTL015I Uncataloged database instance node: GLPCTL011I Stopping database manager for the database instance: GLPCTL012I Stopped database manager for the database instance: GLPUDB003I Removed the DB2 database from directory server instance: On the Remote DB2 server system For AIX/Linux/Solaris Login as db2inst1 and set DB2 registry variable DB2COMM to TCPIP followed by db2 restart. ==> su - db2inst1 $ db2set -all grep DB2COMM [i] DB2COMM=SSL $ db2set -i db2inst1 DB2COMM=TCPIP $ db2set -all grep DB2COMM [i] DB2COMM=TCPIP $ db2stop 02/10/ :39: SQL1064N DB2STOP processing was successful. SQL1064N DB2STOP processing was successful. $ db2start 02/10/ :39: SQL1063N DB2START processing was successful. SQL1063N DB2START processing was successful. $ netstat -an egrep "(Local )" Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 *.6512 *.* LISTEN On Windows Remote DB2 server system - on DB2 command window - Administrator C:\> set db2instance=db2inst1 C:\> db2set -all findstr DB2COMM [i] DB2COMM=SSL C:\> db2set -i db2inst1 DB2COMM=SSL IBM Security Directory Suite Page 26

27 C:\> C:\> db2set -all findstr DB2COMM [i] DB2COMM=TCPIP C:\> db2stop SQL1064N DB2STOP processing was successful. C:\> db2start SQL1063N DB2START processing was successful. C:\> netstat -an findstr 6512 tcp4 0 0 *.6512 *.* LISTEN Back to SDS VA configure remote database without SSL parameters using idscfgdb tool: sds801a> sds server_tools idscfgdb -I sdsinst1 -a sdsinst1 -t ldapdb -w sdsinst1 -Y -S l /home/sdsinst1 -P mydbserverhost -u db2inst1 -p passwd n GLPWRP123I The program '/opt/ibm/ldap/v8.0.1/sbin/64/idscfgdb' is used with the following arguments '-I sdsinst1 -a sdsinst1 -t ldapdb -w ***** -Y -S l /home/sdsinst1 -P mydbserverhost -u db2inst1 -p ***** -n'. You have chosen to perform the following actions: GLPCDB023I Database 'ldapdb' will be configured. GLPCDB035I Adding database 'ldapdb' to directory server instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPCTL020I Updating the database manager: GLPCTL021I Updated the database manager: GLPCDB005I Configuring database 'ldapdb' for directory server instance: GLPCDB006I Configured database 'ldapdb' for directory server instance: GLPCTL011I Stopping database manager for the database instance: GLPCTL012I Stopped database manager for the database instance: GLPCTL008I Starting database manager for database instance: GLPCTL009I Started database manager for database instance: GLPCDB003I Added database 'ldapdb' to directory server instance: IBM Security Directory Suite Page 27

28 Proceed to start Directory Server. sds801va1> sds server_tools ibmslapd n GLPSRV041I Server starting. GLPCTL113I Largest core file size creation limit for the process (in bytes): '-1'(Soft limit) and '-1'(Hard limit). GLPCTL119I Maximum Data Segment(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL119I Maximum File Size(512 bytes block) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL122I Maximum Open Files soft ulimit for the process is 1024 and the prescribed minimum is 500. GLPCTL119I Maximum Stack Size(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is GLPCTL119I Maximum Virtual Memory(Kbytes) soft ulimit for the process is -1 and the prescribed minimum is from libevent.so. from libtranext.so. from libldaprepl.so. GLPSRV155I The DIGEST-MD5 SASL Bind mechanism is enabled in the configuration file. GLPCOM021I The preoperation plugin is successfully loaded from libdigest.so. from libevent.so. from libtranext.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM025I The audit plugin is successfully loaded from libldapaudit.so. from libevent.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. from libpsearch.so. GLPCOM022I The database plugin is successfully loaded from libback-config.so. from libevent.so. from libtranext.so. GLPCOM023I The postoperation plugin is successfully loaded from libpsearch.so. IBM Security Directory Suite Page 28

29 from libpsearch.so. GLPCOM022I The database plugin is successfully loaded from libback-rdbm.so. GLPCOM010I Replication plugin is successfully loaded from libldaprepl.so. GLPSRV189I Virtual list view support is enabled. GLPCOM021I The preoperation plugin is successfully loaded from libpta.so. GLPSRV194I The Record Deleted Entries feature is disabled. Deleted entries are immediately removed from the database. GLPSRV207I Group conflict resolution during replication is disabled. GLPSRV221I Replication of security attributes feature is disabled. GLPSRV247I Initializing primary REMOTE database 'ldapdb' and its connections. VAUUID check on the remote database passed. VAUUID check on the remote database passed. GLPRDB126I The directory server will not use DB2 selectivity. GLPSRV015I Server configured to use 636 as the secure port. from libloga.so. from libidsfget.so. GLPSRV232I Pass-through authentication is disabled. GLPSRV234I Pass-through support for compare operations is disabled. GLPCOM003I Non-SSL port initialized to 389. GLPCOM004I SSL port initialized to T19:23: :00 VAUUID check on the remote database passed. GLPRPL137I Restricted Access to the replication topology is set to false. GLPCOM039I Suite B mode is disabled. GLPSSL039I Secure communication using the TLS10 protocol is enabled. GLPSSL039I Secure communication using the TLS11 protocol is enabled. GLPSSL039I Secure communication using the TLS12 protocol is enabled. GLPSRV047W Anonymous binds will be allowed. GLPSRV047W Anonymous binds will be allowed. GLPSRV009I server started. 11. Verification On the remote db system use commands below to verify if SDS VA directory server is connecting to it: (From the command output below, is the IP Address of the SDS VA system.) IBM Security Directory Suite Page 29

30 $ db2 list applications Auth Id Application Appl. Application Id DB # of Name Handle Name Agents DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 DB2INST1 ibmslapd LDAPDB 1 $ netstat -an egrep "Local 6516" Proto Recv-Q Send-Q Local Address Foreign Address State tcp : :* LISTEN tcp : :50097 ESTABLISHED tcp : :50092 ESTABLISHED tcp : :50109 ESTABLISHED tcp : :50091 ESTABLISHED tcp : :50088 ESTABLISHED tcp : :50110 ESTABLISHED tcp : :50089 ESTABLISHED tcp : :50104 ESTABLISHED tcp : :50098 ESTABLISHED tcp : :50087 ESTABLISHED tcp : :50102 ESTABLISHED tcp : :50103 ESTABLISHED tcp : :50105 ESTABLISHED tcp : :50090 ESTABLISHED tcp : :50085 ESTABLISHED tcp : :50100 ESTABLISHED tcp : :50107 ESTABLISHED tcp : :50096 ESTABLISHED tcp : :50101 ESTABLISHED tcp : :50095 ESTABLISHED tcp : :50094 ESTABLISHED tcp : :50111 ESTABLISHED tcp : :50106 ESTABLISHED tcp : :50108 ESTABLISHED tcp : :50099 ESTABLISHED IBM Security Directory Suite Page 30

31 tcp : :50086 ESTABLISHED tcp : :50093 ESTABLISHED $ db2 get dbm cfg grep -i ssl SSL server keydb file (SSL_SVR_KEYDB) = /home/db2inst1/sqllib/security/keystore/mydbserver.kdb SSL server stash file (SSL_SVR_STASH) = /home/db2inst1/sqllib/security/keystore/mydbserver.sth SSL server certificate label (SSL_SVR_LABEL) = myselfsigned SSL service name (SSL_SVCENAME) = db2inst1svcssl SSL cipher specs (SSL_CIPHERSPECS) = SSL versions (SSL_VERSIONS) = TLSV12,TLSV1 SSL client keydb file (SSL_CLNT_KEYDB) = SSL client stash file (SSL_CLNT_STASH) = IBM Security Directory Suite Page 31

Securing communication between SDS VA and its remote DB2 DB

Securing communication between SDS 8.0.1 VA and its remote DB2 DB IBM SECURITY SUPPORT OPEN MIC PRESENTATION Ramamohan T Reddy - Senior Software Engineer / L2 Team Tech Lead - Directory Support Team Brook