Enabling database connection encryption for DB2 for BigFix Inventory

Configure the DB2 database to apply SSL-based encryption to its connections.

Before you begin

  • The DB2 database is configured for connection encryption. For information on the TLS configuration process for DB2, refer to https://www.ibm.com/docs/en/db2/11.5?topic=transit-tls-configuration-db2.

  • The DB2 server's public certificate is extracted in Base64-encoded (ASCII) .CER format. Extract it from the server keystore with the command: gsk8capicmd_64 -cert -extract -db "<Server Keystore .kdb file>" -pw "<Server Keystore password>" -label "<label name>" -target "<.cer file name>" -format ascii

About this task

Once you export the certificate, enable the connection encryption.

Perform the following steps to enable encryption for DB2:

Procedure

  1. Create a TrustStore of type <type> (file extension <keystore_extension>) and import the public certificate into it:
    • Go to the BigFix Inventory Java directory: <BFI_INSTALL_DIR>/jre/jre/bin
    • Import the certificate into the TrustStore with the following command: ./keytool -importcert -file <.cer file location> -keystore <BFI_INSTALL_DIR>/wlp/usr/servers/server1/resources/security/key_bfi_db.<keystore_extension> -alias "bfi_db_cert"
    • Provide a password for this TrustStore.
    • Enter Yes to trust the certificate.
  2. If this is not the initial configuration and the BigFix Inventory server is already running, stop the BigFix Inventory server, back up the database.yml and server.xml files, and remove the original database.yml file. Then start the BigFix Inventory server and enter the connection details, providing the encryption information.

Troubleshooting

About this task

Monitor tema.log to make sure that the connection is established. If the application does not start, review tema.log from the top. In case of configuration issues, the log shows error messages that help in troubleshooting. For example:
[3/11/21 14:43:42:658 UTC] 0000002a SystemOut
O 2021-03-11 14:43:42 ERROR: Cannot connect to the database: Java::ComIbmDb2JccAm::DisconnectNonTransientConnectionException: [jcc]
[t4][2043][11550][4.28.11] Exception java.io.FileNotFoundException: Error opening socket to server ***/*** on port 51,001 with message: ***<keystore_extension> (No such file or directory).
ERRORCODE=-4499, SQLSTATE=08001.
The next try for 60 seconds.

[3/11/21 17:02:45:608 UTC] 0000002b SystemOut
O 2021-03-11 17:02:45 ERROR: Cannot connect to the database: Java::ComIbmDb2JccAm::DisconnectNonTransientConnectionException: [jcc]
[t4][2043][11550][4.28.11] Exception java.io.IOException: Error opening socket to server ***/*** on port 51,001 with message:
Keystore was tampered with, or password was incorrect. ERRORCODE=-4499, SQLSTATE=08001.
The next try for 60 seconds.
Note: The <type> and <keystore_extension> placeholders used in the commands above have the following values:
<type>
Starting from version 10.0.8.0, the type of the certificate is PKCS12. For earlier versions, it is JCEKS.
<keystore_extension>
Starting from version 10.0.8.0, the keystore file extension is .p12. For earlier versions, it is .jceks.
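The two tema.log excerpts above each point at a different configuration fault (a truststore file that cannot be found, and a truststore password that does not match). The following script is an added example, not part of the IBM documentation or the BigFix Inventory product: it splits tema.log text into entries on the SystemOut header line and maps each ERROR entry to the likely cause. The entry header format and the message fragments are taken from the excerpts on this page; the sample log is constructed from those excerpts (with the placeholder extension filled in as .p12 and a third INFO entry invented to exercise the filter), and the cause wording is this example's own.

```python
import re

# One entry starts with a SystemOut header such as "[3/11/21 14:43:42:658 UTC] 0000002a SystemOut".
ENTRY_HEADER = re.compile(r"^\[(\d{1,2}/\d{1,2}/\d{2} \d{2}:\d{2}:\d{2}:\d{3} \w+)\] (\w+) (\w+)", re.M)

# Message fragments shown on this page, paired with the configuration fault that usually produces them.
CAUSES = [
    (re.compile(r"FileNotFoundException.*No such file or directory", re.S),
     "truststore file not found: check the path and the keystore extension (.p12 or .jceks) in database.yml"),
    (re.compile(r"Keystore was tampered with, or password was incorrect"),
     "truststore password rejected: the password entered for the connection does not match key_bfi_db"),
    (re.compile(r"Cannot connect to the database"),
     "database connection failed for another reason: read the full entry"),
]


def split_entries(log_text):
    """Cut tema.log text into (timestamp, thread_id, message) triples, one per header line."""
    heads = list(ENTRY_HEADER.finditer(log_text))
    entries = []
    for i, h in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        entries.append((h.group(1), h.group(2), log_text[h.end():end].strip()))
    return entries


def triage(log_text):
    """Return (timestamp, likely cause) for every ERROR entry matching a known pattern, in log order."""
    findings = []
    for stamp, _thread, message in split_entries(log_text):
        if "ERROR" not in message:
            continue
        for pattern, cause in CAUSES:
            if pattern.search(message):
                findings.append((stamp, cause))
                break
    return findings


# Constructed sample: the two excerpts from this page (server and port masked as on the page,
# <keystore_extension> filled in as .p12) plus an invented INFO entry to show non-errors are skipped.
SAMPLE_TEMA_LOG = """\
[3/11/21 14:43:42:658 UTC] 0000002a SystemOut
O 2021-03-11 14:43:42 ERROR: Cannot connect to the database: Java::ComIbmDb2JccAm::DisconnectNonTransientConnectionException: [jcc]
[t4][2043][11550][4.28.11] Exception java.io.FileNotFoundException: Error opening socket to server ***/*** on port 51,001 with message: ***.p12 (No such file or directory).
ERRORCODE=-4499, SQLSTATE=08001.
The next try for 60 seconds.

[3/11/21 17:02:45:608 UTC] 0000002b SystemOut
O 2021-03-11 17:02:45 ERROR: Cannot connect to the database: Java::ComIbmDb2JccAm::DisconnectNonTransientConnectionException: [jcc]
[t4][2043][11550][4.28.11] Exception java.io.IOException: Error opening socket to server ***/*** on port 51,001 with message:
Keystore was tampered with, or password was incorrect. ERRORCODE=-4499, SQLSTATE=08001.
The next try for 60 seconds.

[3/11/21 17:05:00:000 UTC] 0000002c SystemOut
O 2021-03-11 17:05:00 INFO: (invented line) database connection established
"""

if __name__ == "__main__":
    for stamp, cause in triage(SAMPLE_TEMA_LOG):
        print(f"{stamp}: {cause}")
```

Feed the script the real tema.log contents instead of SAMPLE_TEMA_LOG; the last, catch-all pattern keeps unknown connection errors visible rather than silently dropping them.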

Procedure

  1. Make sure that the certificate extracted from DB2 and the certificate imported into the key_bfi_db.p12 truststore are the same. You can extract both certificates to compare them. The steps to extract the DB2 certificate are described in the Before you begin section above. To extract the certificate from the key_bfi_db.p12 truststore, use the following command:
    ./keytool -exportcert -keystore "<BFI_INSTALL_DIR>/wlp/usr/servers/server1/resources/security/key_bfi_db.p12" -alias "bfi_db_cert" > exported.cer
  2. Make sure that the certificate is valid—check 'valid_from' and 'valid_to' dates.
  3. Make sure the certificate has a valid Subject Name and a valid Subject Alternative Name—they must include the same name that is used in the BigFix Inventory UI.
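The three checks above (same certificate on both sides, validity dates, Subject or SAN covering the host name used in the BigFix Inventory UI) can be run offline against the two exported files. The script below is an added example, not IBM's code: it reads either the Base64 .cer file that gsk8capicmd -format ascii writes or the DER file that keytool -exportcert writes, compares SHA-256 fingerprints, and inspects the validity window, the Subject CN and the SAN dNSName entries. The minimal DER parser is this example's own and does not verify signatures or chains; the host name and the sample certificates (built by build_sample_cert, unsigned and with a dummy key) are constructed for the run.

```python
import base64
import hashlib
import re
from datetime import datetime, timezone

OID_CN, OID_SAN = bytes.fromhex("550403"), bytes.fromhex("551d11")  # 2.5.4.3 commonName, 2.5.29.17 subjectAltName


def _tlv(buf, pos=0):  # read one DER tag-length-value; returns (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length octets
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def _children(body):  # split a constructed DER body into (tag, value) pairs
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out


def load_der(data):  # accepts PEM (gsk8capicmd -format ascii) or raw DER (keytool -exportcert)
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def to_pem(der):  # the Base64 form that gsk8capicmd -format ascii writes
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def _time(tag, val):  # UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(val.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def _common_name(name_body):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == OID_CN:
                return value.decode("utf-8")
    return None


def _san_dns(exts):  # dNSName ([2] IA5String) entries of the SAN extension, or []
    if exts is None:
        return []
    (_, ext_seq), = _children(exts)
    for _, ext in _children(ext_seq):
        parts = _children(ext)  # [extnID, optional critical BOOLEAN, extnValue OCTET STRING]
        if parts[0][1] == OID_SAN:
            _, names, _ = _tlv(parts[-1][1])  # extnValue wraps GeneralNames
            return [v.decode("ascii") for t, v in _children(names) if t == 0x82]
    return []


def parse_cert(der):
    """Extract the fields the troubleshooting steps look at (no signature verification)."""
    _, cert, _ = _tlv(der)
    _, tbs = _children(cert)[0]
    fields = [(t, v) for t, v in _children(tbs) if t != 0xA0]  # drop the [0] version wrapper
    validity, subject = fields[3], fields[4]  # serial, sigAlg, issuer, validity, subject, spki, ...
    (nb_tag, nb), (na_tag, na) = _children(validity[1])
    return {
        "fingerprint_sha256": hashlib.sha256(der).hexdigest(),
        "subject_cn": _common_name(subject[1]),
        "not_before": _time(nb_tag, nb),
        "not_after": _time(na_tag, na),
        "san_dns": _san_dns(next((v for t, v in fields[6:] if t == 0xA3), None)),
    }


def check_truststore_cert(db2_cert, truststore_cert, ui_hostname, now=None):
    """Apply the three checks; an empty list means the truststore looks right. now: 'YYYY-MM-DD' or datetime."""
    now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc) if isinstance(now, str) else now or datetime.now(timezone.utc)
    db2, ts = parse_cert(load_der(db2_cert)), parse_cert(load_der(truststore_cert))
    problems = []
    if db2["fingerprint_sha256"] != ts["fingerprint_sha256"]:
        problems.append("truststore certificate differs from the certificate extracted from DB2")
    if not ts["not_before"] <= now <= ts["not_after"]:
        problems.append(f"certificate not valid on {now:%Y-%m-%d} (valid {ts['not_before']:%Y-%m-%d} to {ts['not_after']:%Y-%m-%d})")
    if ui_hostname != ts["subject_cn"] and ui_hostname not in ts["san_dns"]:
        problems.append(f"{ui_hostname!r} is neither the Subject CN nor in the SAN {ts['san_dns']}")
    return problems


# Constructed sample certificates for offline runs: unsigned test data, not real DB2 output.
def _der(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else (b"\x81" + bytes([n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def build_sample_cert(cn, san_dns, not_before, not_after):  # structurally valid X.509 v3, dummy key/signature
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, OID_CN) + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, not_before.encode()) + _der(0x17, not_after.encode()))
    san = _der(0x30, b"".join(_der(0x82, d.encode()) for d in san_dns))
    exts = _der(0xA3, _der(0x30, _der(0x30, _der(0x06, OID_SAN) + _der(0x04, san))))
    algo = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))  # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + algo + name
               + validity + name + _der(0x30, _der(0x05, b"")) + exts)
    return _der(0x30, tbs + algo + _der(0x03, b"\x00"))


if __name__ == "__main__":
    host = "bfi-db.example.internal"  # constructed host name, as typed in the BigFix Inventory UI
    good = build_sample_cert(host, [host], "240101000000Z", "270101000000Z")
    print(check_truststore_cert(to_pem(good), good, host, now="2025-06-01"))  # []
```

In practice, pass the bytes of the .cer file produced by gsk8capicmd as db2_cert, the bytes of exported.cer as truststore_cert, and the host name exactly as it is entered in the UI; any returned string names a check from the list above that failed.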