Using SSL/TLS with an Amazon RDS for Db2 DB instance
SSL is an industry-standard protocol for securing network connections between client and
server. After SSL version 3.0, the name was changed to TLS, but we still often refer to the
protocol as SSL. Amazon RDS supports SSL encryption for Amazon RDS for Db2 DB instances. Using SSL/TLS,
you can encrypt a connection between your application client and your RDS for Db2 DB instance.
SSL/TLS support is available in all AWS Regions for RDS for Db2.
To enable SSL/TLS encryption for an RDS for Db2 DB instance, add the Db2 SSL option to the
parameter group associated with the DB instance. Amazon RDS uses a second port, as required by
Db2, for SSL/TLS connections. Doing this allows both clear text and SSL-encrypted
communication to occur at the same time between a DB instance and a Db2 client. For example,
you can use the port with clear text communication to communicate with other resources
inside a VPC while using the port with SSL-encrypted communication to communicate with
resources outside the VPC.
Creating an SSL/TLS connection
To create an SSL/TLS connection, choose a certificate authority (CA), download a
certificate bundle for all AWS Regions, and add parameters to a custom parameter
group.
Step 1: Choose a CA and
download a certificate
Choose a certificate authority (CA) and download a certificate bundle for all
AWS Regions. For more information, see Using SSL/TLS to encrypt a connection to a DB
instance or cluster.
Step 2: Update parameters in a custom
parameter group
If you're using the Bring Your Own License (BYOL) model for RDS for Db2, modify
the custom parameter group that you created for your IBM Customer ID and your
IBM Site ID. If you're using a different licensing model for RDS for Db2, then follow
the procedure to add parameters to a custom parameter group. For more
information, see Amazon RDS for Db2 licensing options.
You can't modify default parameter groups for RDS for Db2 DB instances. Therefore,
you must create a custom parameter group, modify it, and then attach it to your
RDS for Db2 DB instances. For information about parameter groups, see DB parameter groups for
Amazon RDS DB instances.
Use the parameter settings in the following table.
Parameter |
Value |
DB2COMM |
TCPIP,SSL or SSL |
SSL_SVCENAME |
<any port number except the number used for the non-SSL
port> |
To update parameters in a custom parameter group
-
Create a custom parameter group by running the create-db-parameter-group command.
Include the following required options:
-
--db-parameter-group-name
– A name for the
parameter group that you are creating.
-
--db-parameter-group-family
– The Db2 engine
edition and major version. Valid values: db2-se-11-5
,
db2-ae-11.5
.
-
--description
– A description for this
parameter group.
For more information about creating a DB parameter group, see Creating a DB parameter group in Amazon RDS.
-
Modify the parameters in the custom parameter group that you created by
running the modify-db-parameter-group command.
Include the following required options:
-
--db-parameter-group-name
– The name of the
parameter group that you created.
-
--parameters
– An array of parameter names,
values, and the application methods for the parameter update.
For more information about modifying a parameter group, see Modifying parameters in a DB parameter group in Amazon RDS.
-
Associate the parameter group with your RDS for Db2 DB instance. For more
information, see Associating a DB parameter group with a DB instance in Amazon RDS.
Connect to your Db2 database
server
Instructions for connecting to your Db2 database server are language-specific.
- Java
-
To connect to your Db2 database server using
Java
-
Download the JDBC driver. For more information, see DB2 JDBC Driver Versions and Downloadsin the
IBM Support documentation.
-
Create a shell script file with the following content. This script
adds all certificates from the bundle to a Java
KeyStore.
Verify that keytool
exists on the path in the
script so that the script can locate it. If you use a Db2
client, you can locate the keytool
under
~sqlib/java/jdk64/jre/bin
.
#!/bin/bash
PEM_FILE=$1
PASSWORD=$2
KEYSTORE=$3
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)
for N in $(seq 0 $(($CERTS - 1))); do
ALIAS="${PEM_FILE%.*}-$N"
cat $PEM_FILE |
awk "n==$N { print }; /END CERTIFICATE/ { n++ }" |
keytool -noprompt -import -trustcacerts -alias $ALIAS -keystore $KEYSTORE -storepass $PASSWORD
done
-
To run the shell script and import the PEM file
with the certificate bundle into a Java KeyStore, run
the following command. Replace
shell_file_name.sh
with the name of
your shell script file and password
with
the password for your Java KeyStore.
./shell_file_name.sh
global-bundle.pem password
truststore.jks
-
To connect to your Db2 server, run the following command. Replace
the following placeholders in the example with your RDS for Db2 DB
instance information.
-
ip_address
– The IP
address for your DB instance endpoint.
-
port
– The port number
for the SSL connection. This can be any port number except
the number that's used for the non-SSL port.
-
database_name
– The name
of your database in your DB instance.
-
master_username
– The
master username for your DB instance.
-
master_password
– The
master password for your DB instance.
export trustStorePassword=MyPassword
java -cp ~/dsdriver/jdbc_sqlj_driver/linuxamd64/db2jcc4.jar \
com.ibm.db2.jcc.DB2Jcc -url \
"jdbc:db2://ip_address
:port
/database_name
:\
sslConnection=true;sslTrustStoreLocation=\
~/truststore.jks;\
sslTrustStorePassword=${trustStorePassword};\
sslVersion=TLSv1.2;\
encryptionAlgorithm=2;\
securityMechanism=7;" \
-user master_username
-password master_password
- Node.js
-
To connect to your Db2 database server using
Node.js
-
Install the node-ibm_db driver. For more
information, see Installing the node-ibm_db driver on Linux and
UNIX systems in the IBM Db2
documentation.
-
Create a JavaScript file based on the following
content. Replace the following placeholders in the example with your
RDS for Db2 DB instance information.
-
ip_address
– The IP
address for your DB instance endpoint.
-
master_username
– The
master username for your DB instance.
-
master_password
– The
master password for your DB instance.
-
database_name
– The name
of your database in your DB instance.
-
port
– The port number
for the SSL connection. This can be any port number except
the number that's used for the non-SSL port.
var ibmdb = require("ibm_db");
const hostname = "ip_address
";
const username = "master_username
";
const password = "master_password
";
const database = "database_name
";
const port = "port
";
const certPath = "/root/qa-bundle.pem";
ibmdb.open("DRIVER={DB2};DATABASE=" + database + ";HOSTNAME=" + hostname + ";UID=" + username + ";PWD=" + password + ";PORT=" + port + ";PROTOCOL=TCPIP;SECURITY=SSL;SSLServerCertificate=" + certPath + ";", function (err, conn){
if (err) return console.log(err);
conn.close(function () {
console.log('done');
});
});
-
To run the JavaScript file, run the following
command.
node ssl-test.js
- Python
-
To connect to your Db2 database server using
Python
-
Create a Python file with the following content.
Replace the following placeholders in the example with your RDS for Db2
DB instance information.
-
port
– The port number
for the SSL connection. This can be any port number except
the number that's used for the non-SSL port.
-
master_username
– The
master username for your DB instance.
-
master_password
– The
master password for your DB instance.
-
database_name
– The name
of your database in your DB instance.
-
ip_address
– The IP
address for your DB instance endpoint.
import click
import ibm_db
import sys
port = port
;
master_user_id = "master_username
" # Master id used to create your DB instance
master_password = "master_password
" # Master password used to create your DB instance
db_name = "database_name
" # If not given "db-name'
vpc_customer_private_ip = "ip_address
" # Hosts end points - Customer private IP Addressicert_path = "/root/ssl/global-bundle.pem" # cert path
@click.command()
@click.option("--path", help="certificate path")
def db2_connect(path):
try:
conn = ibm_db.connect(f"DATABASE={db_name};HOSTNAME={vpc_customer_private_ip};PORT={port};
PROTOCOL=TCPIP;UID={master_user_id};PWD={master_password};SECURITY=ssl;SSLServerCertificate={path};", "", "")
try:
ibm_db.exec_immediate(conn, 'create table tablename (a int);')
print("Query executed successfully")
except Exception as e:
print(e)
finally:
ibm_db.close(conn)
sys.exit(1)
except Exception as ex:
print("Trying to connect...")
if __name__ == "__main__":
db2_connect()
-
Create the following shell script, which runs the
Python file you created. Replace
python_file_name.py
with the name of your Python script file.
#!/bin/bash
PEM_FILE=$1
# number of certs in the PEM file
CERTS=$(grep 'END CERTIFICATE' $PEM_FILE| wc -l)
for N in $(seq 0 $(($CERTS - 1))); do
ALIAS="${PEM_FILE%.*}-$N"
cert=`cat $PEM_FILE | awk "n==$N { print }; /END CERTIFICATE/ { n++ }"`
cat $PEM_FILE | awk "n==$N { print }; /END CERTIFICATE/ { n++ }" > $ALIAS.pem
python3 <python_file_name.py
> --path $ALIAS.pem
output=`echo $?`
if [ $output == 1 ]; then
break
fi
done
-
To import the PEM file with the certificate bundle
and run the shell script, run the following command. Replace
shell_file_name.sh
with the name of
your shell script file.
./shell_file_name.sh
global-bundle.pem