This IBM® Redpaper publication provides information about how to set up and configure IBM Db2® for z/OS® with Transport Layer Security (TLS), which is the modern version of Secure Sockets Layer (SSL). This configuration is accomplished by using the IBM z/OS Communications Server Application Transparent Transport Layer Security (AT-TLS) services.
This paper also describes the steps for configuring TLS/SSL support for the IBM Data Server Driver Package (DS Driver) for IBM Data Server Provider for .NET, Open Database Connectivity (ODBC), and Call Level Interface clients to access a Db2 for z/OS server. In addition, this paper provides information about configuring that same support for the Java Database Connectivity (JDBC) and Structured Query Language for Java (SQLJ for Type 4 connectivity) clients.
The information that is provided is applicable to Db2 12 for z/OS and Db2 11 for z/OS.
Although we use z/OS V2R4 as the referenced release in this paper, the instructions, except for a TLSv1.3 configuration, are valid for releases as early as z/OS V2R1.
Throughout the paper, we reference z/OS Security Server or IBM Resource Access Control Facility (IBM RACF®) in various contexts. Wherever we mention RACF, the same applies to any System Authorization Facility (SAF)-compliant external security manager.
The intended audience for this paper includes network administrators, security administrators, and database administrators who want to set up and configure TLS/SSL support for Db2 for z/OS.
This paper expands on the more general contents of Security Functions of IBM DB2 10 for z/OS, SG24-7959.
Overview of AT-TLS
Configuring Db2 for z/OS as a server with TLS/SSL support
Configuring Db2 for z/OS as a requester with TLS/SSL support
Configuring Java applications by using IBM DS Driver for JDBC and SQLJ to use TLS/SSL
Configuring the IBM DS Driver non-Java interfaces: Command-line interface, ODBC, and .NET
Configuring remote client applications to use TLS/SSL through a Db2 Connect server for Linux, UNIX, and Windows
Client access to Db2 by using TLS/SSL client authentication
Using the Microsoft truststore
Using the Windows keystore