1. DB2 Server端设置SSL

实例: db2inst1  机器: testdb.com.cn命令创建称为 keystore.kdb 的密钥数据库以及称为 keystore.sth 的隐藏文件#su - db2isnt1$export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/home/db2inst1/sqllib/gskit/bin $export PATH=$PATH:/home/db2inst1/sqllib/gskit/bin$mkdir ssl创建一个keystore.kdb密钥数据库$/opt/IBM/db2/V10.5/gskit/bin/gsk8capicmd_64 -keydb -create -db /home/db2inst1/ssl/keystore.kdb -pw passw0rd -stash将签署者证书添加到密钥数据库中以下 gsk8capicmd 命令会将该证书从文件导入到称为 keystore.kdb 的密钥数据库中：（label随便取一个就好）$/opt/IBM/db2/V10.5/gskit/bin/gsk8capicmd_64 -cert -create -db "/home/db2inst1/ssl/keystore.kdb" -pw "passw0rd" -label "testdb.com.cn" -dn "CN=testdb.com.cn,O=IBM,OU=DST,L=Wuhan,ST=HB,C=CHINA" -size "2048" -sigalg sha512 -expire 7300CN = common nameO = organizationOU = organization unitL = locationST = State, ProviceC = countryDC = domain componentEMAIL =email address-size "2048"    加密长度-sigalg sha512  加密算法-expire 7300    7300天后过期抽取证书,生成arm文件，用来导入client端$/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -extract -db "/home/db2inst1/ssl/keystore.kdb" -pw "passw0rd" -label "testdb.com.cn" -target "/home/db2inst1/ssl/keystore.arm" -format ascii -fips数据库端，启用密钥数据库配置这里需要申请一个SSL端口 60020$ db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/ssl/keystore.kdb$ db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/ssl/keystore.sth$ db2 update dbm cfg using SSL_SVR_LABEL cnwbzp1236.cn.dst.ibm.com$ db2 update dbm cfg using SSL_SVCENAME 60020$ db2 update dbm cfg using SSL_VERSIONS TLSV12$ db2 update dbm cfg using SSL_CIPHERSPECS TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384$ db2 update dbm cfg using DIAGLEVEL 4$ db2set DB2COMM=SSL,TCPIP $ db2stop$ db2start查看日志，SSL成功了。2013-03-06-06.52.35.356786-300 I40437A358         LEVEL: InfoPID     : 1126566              TID  : 258       PROC : db2syscINSTANCE: db2inst1             NODE : 000EDUID   : 258                  EDUNAME: db2sysc>FUNCTION: DB2 UDB, common communication, sqlcctcp_start_listen, probe:81MESAGE : DIA3000I "SSL" protocol support was successfully started.通过端口验证$ openssl s_client -connect testdb.com.cn:60020 </dev/null

需要从数据库端拷贝导出的arm文件到客户端# su - db2inst1$ mkdir ssl$ cd ssl生成密钥数据库$/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -keydb -create -db "/home/db2inst2/ssl/keyclient.kdb" -pw "ibm654321" -stash添加arm文件到密钥数据库$/home/db2inst1/sqllib/gskit/bin/gsk8capicmd_64 -cert -add -db "/home/db2inst2/ssl/keyclient.kdb" -pw "ibm654321" -label "SSLLableClt" -file keystore.arm -format ascii -fips客户端启用密钥数据库$db2 update dbm cfg using SSL_CLNT_KEYDB /home/db2inst2/ssl/keyclient.kdb $db2 update dbm cfg using SSL_CLNT_STASH /home/db2inst2/ssl/keyclient.sth需要重新编目节点和数据，指定新的ssl 端口$db2 catalog tcpip node dbug remote testnode server 60020 security ssl$db2 catalog db testdb as samssl at node testnode $db2 terminate连接数据库$db2 connect to samssl user db2inst1 using "server_instance_password"

至此，DB2 SSL配置完成。