Monitoring SSL enabled Db2 by using Instana

Shibu N
6 min read · Jul 5, 2023


Co-authors: Padmini K, Vipin Menon

Instana and Db2

Instana is a fully automated application performance management (APM) solution, and monitoring of Db2 LUW database servers has been part of its offering for quite a while. Our previous blog gave a glimpse of how multiple instances and multiple databases can be monitored. Since Db2 LUW supports different ways of connecting, this blog focuses on how a secure SSL connection can be established for monitoring. The scope of this blog is confined to Db2 LUW. For more information on Instana and its wider scope, see IBM Instana Observability.

Why SSL?

SSL stands for Secure Sockets Layer. SSL and its successor, Transport Layer Security (TLS), are protocols that secure client-server communication: the client authenticates the server by checking its certificate, the traffic is encrypted for privacy, and every record carries an integrity check, so the connection is designed to prevent eavesdropping, tampering, and message forgery. The original SSL protocol versions are obsolete; Db2 keeps the name SSL in its documentation and configuration parameters, but the versions actually negotiated today are TLS versions, which is why the version parameter used later in this blog takes values such as TLSv12.

Db2, the database product from IBM, supports SSL. For end-to-end protection, the exchange of user names and passwords and all subsequent database traffic, including sensitive data and metadata, should travel over the SSL connection. Let us look at the steps to enable SSL between the Db2 database server and its client applications. For more information about Db2, see IBM Db2.

Enabling SSL in Db2

Db2 relies on the IBM Global Security Kit (GSKit) to implement SSL. GSKit is included in the IBM Db2 ESE installation kit and can also be downloaded from the official IBM downloads page. For installation instructions, see IBM Global Security Kit global installation instructions overview.

To set up Db2, follow the instructions documented in Db2 installation methods. For the official IBM documentation on enabling SSL for Db2, see Secure Sockets Layer (SSL) support.

The next step is to create a valid certificate using the GSKit command-line tool (gsk8capicmd_64) that ships with Db2.

For demonstration purposes, let us assume there is an instance owner named db2inst1.

To create key database on the Db2 server instance, do the following steps:

1. Go to the instance owner's home directory, create a directory named certs and change into it, as shown in Fig 1:

Fig 1

2. To create the key database that will hold the server's private key and certificate, use the following command, as shown in Fig 2:

gsk8capicmd_64 -keydb -create -db "myserver.kdb" -pw "password" -stash
where,
-keydb : Work with a key database
-create : Create a key database
-db : Name of the file that is used as the key database
-pw : Password of the key database (use a strong one; "password" is only a placeholder)
-stash : Also create a stash file (myserver.sth) in the same location as the key database. The stash file holds the obfuscated key database password so that the database manager can open the key database without prompting; treat it as a secret and keep it, like the .kdb file, readable by the instance owner only.

Fig 2

3. Add a certificate to the key database. In this example, a self-signed certificate is used. For production systems and for systems reachable from outside, have the certificate signed by a trusted certificate authority (CA) instead, so that clients can validate it without having to trust each server certificate individually. You can create the self-signed certificate by using the following command, as shown in Fig 3:

gsk8capicmd_64 -cert -create -db "myserver.kdb" -pw "password" -label "myselfsigned" -dn "CN=myhost.mycompany.com, O=myOrganization, OU=myOrganizationUnit, L=myLocation, ST=ON, C=CA"

where,
-cert : Work with certificates.
-create : Create the certificate.
-db : The key database in which the certificate is stored.
-pw : Password of the key database. When a hyphen (-) is given instead of the password, an interactive prompt appears, which keeps the password out of the shell history.
-label : Label that uniquely identifies the certificate in the key database; the same label is referenced later by SSL_SVR_LABEL.
-dn : The X.500 distinguished name that identifies the certificate. Only the CN (common name) is required; other attributes can be added to the DN, such as O for an organization, C for a country, and so on. Ensure that the common name in the certificate matches the fully qualified domain name of the database server, because that is the name clients compare against the certificate.
-size : Size of the key in bits (optional; use 2048 or larger for RSA keys).
-sigalg : Signature algorithm used for the certificate (optional; choose a SHA-2 based algorithm rather than SHA-1).

Fig 3

4. Extract the certificate that is distributed to the clients so that they can establish the SSL connection (in this case, the Instana agent is the client). Only the public certificate is exported; the private key never leaves the key database. Create the file and store it as server.arm by using the following command, as shown in Fig 4:

gsk8capicmd_64 -cert -extract -db "myserver.kdb" -pw "password" -label "myselfsigned" -target "server.arm" -format ascii -fips

Fig 4

5. Enable the SSL on the server by using the following commands in sequence as shown in Fig 5:

db2 update dbm cfg using SSL_SVR_KEYDB "/dbdata/db2inst1/certs/myserver.kdb"
db2 update dbm cfg using SSL_SVR_STASH "/dbdata/db2inst1/certs/myserver.sth"
db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
db2 update dbm cfg using SSL_SVCENAME 50443
db2 update dbm cfg using SSL_VERSIONS TLSv12
db2set -i db2inst1 DB2COMM=SSL

Where,
SSL_SVCENAME is the port on which Db2 listens for SSL connections, 50443 in this example. SSL_VERSIONS lists the protocol versions the server accepts: TLSv12 is TLS 1.2 and TLSv13 (on Db2 releases that support it) is TLS 1.3. Despite the parameter name, these are TLS versions, not "SSL 1.2" and "SSL 1.3"; the legacy SSL protocol versions are obsolete and should not be enabled.
DB2COMM selects the communication protocols the database manager starts. DB2COMM=SSL accepts SSL connections only, so clients that still use the unencrypted TCP/IP port can no longer connect.
DB2COMM=SSL,TCPIP starts both the SSL listener and the unencrypted TCP/IP listener; use it only while migrating clients, because it leaves the unencrypted path open.

Fig 5

6. Stop and start the database manager (db2stop followed by db2start) so that the new DB2COMM and SSL settings take effect, as shown in Fig 6:

Fig 6

7. Verify the SSL configuration with the db2 "GET DATABASE MANAGER CONFIGURATION" command, whose output includes the SSL_SVR_KEYDB, SSL_SVR_STASH, SSL_SVR_LABEL, SSL_SVCENAME and SSL_VERSIONS values set above, as shown in Fig 7:

Fig 7

The Db2 LUW server is now configured to use SSL for communication.
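The seven server-side steps above, collected into one reviewable script. This is an added example and not code from the original post or from IBM: it is meant to run as the instance owner after sourcing ~/sqllib/db2profile, prints every command with the password masked, and only executes them when DRY_RUN=0. The DN attributes, the 2048-bit key size, the SHA256_WITH_RSA signature algorithm, the port and the placeholder password are assumptions; set them through the environment variables at the top.

```shell
#!/bin/sh
# Added example (not from the original post or from IBM): steps 1 to 7 of the
# Db2 SSL setup as one script. DRY_RUN=1 (default) only prints the commands;
# DRY_RUN=0 on a real Db2 host executes them as the instance owner.
# DN fields, key size, signature algorithm, port and password are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"
INSTANCE="${INSTANCE:-db2inst1}"
CERT_DIR="${CERT_DIR:-${HOME:-/tmp}/certs}"
KEYDB="$CERT_DIR/myserver.kdb"
STASH="$CERT_DIR/myserver.sth"
LABEL="myselfsigned"
SSL_PORT="${SSL_PORT:-50443}"
KEYDB_PW="${KEYDB_PW:-password}"   # placeholder; supply a real one via the environment
SERVER_FQDN="${SERVER_FQDN:-$(hostname -f 2>/dev/null || hostname 2>/dev/null || echo localhost)}"

# Print a command with the key database password masked, then execute it
# unless dry-running. (The mask is a plain sed substitution; a password that
# contains '|' or regex metacharacters would need escaping.)
run() {
    printf '+ %s\n' "$*" | sed "s|$KEYDB_PW|********|g"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# The CN must be the FQDN the Instana agent connects to; the other RDNs are
# illustrative values matching the blog's example DN.
build_dn() {
    printf 'CN=%s,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA' "$1"
}

# Accept only a numeric, unprivileged TCP port for SSL_SVCENAME.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

main() {
    valid_port "$SSL_PORT" || { echo "SSL_SVCENAME must be a port in 1024-65535, got: $SSL_PORT" >&2; return 1; }

    # Steps 1-2: private directory, key database and stash file. The stash
    # file lets db2 open the key database without a prompt, so it is as
    # sensitive as the private key: owner-only access for the directory.
    run mkdir -p "$CERT_DIR"
    run chmod 700 "$CERT_DIR"
    run gsk8capicmd_64 -keydb -create -db "$KEYDB" -pw "$KEYDB_PW" -stash

    # Step 3: self-signed certificate (use a CA-signed one in production).
    run gsk8capicmd_64 -cert -create -db "$KEYDB" -pw "$KEYDB_PW" \
        -label "$LABEL" -dn "$(build_dn "$SERVER_FQDN")" -size 2048 -sigalg SHA256_WITH_RSA

    # Step 4: export only the public certificate for the agent host.
    run gsk8capicmd_64 -cert -extract -db "$KEYDB" -pw "$KEYDB_PW" \
        -label "$LABEL" -target "$CERT_DIR/server.arm" -format ascii -fips

    # Step 5: SSL-only listener restricted to TLS 1.2. Append ",TCPIP" to
    # DB2COMM only while unencrypted clients still have to connect.
    run db2 update dbm cfg using SSL_SVR_KEYDB "$KEYDB"
    run db2 update dbm cfg using SSL_SVR_STASH "$STASH"
    run db2 update dbm cfg using SSL_SVR_LABEL "$LABEL"
    run db2 update dbm cfg using SSL_SVCENAME "$SSL_PORT"
    run db2 update dbm cfg using SSL_VERSIONS TLSv12
    run db2set -i "$INSTANCE" DB2COMM=SSL

    # Steps 6-7: restart and show what the database manager actually holds.
    run db2stop
    run db2start
    run sh -c 'db2 get dbm cfg | grep -i ssl'
    run db2set -i "$INSTANCE" DB2COMM
}

main
```

Run it once with the default DRY_RUN=1 to read the exact commands (with the password masked) and check the CN against the name the agent will use, then with DRY_RUN=0 on the Db2 server. The port check exists because a mistyped SSL_SVCENAME is only discovered when the agent fails to connect after the restart.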

Configuring Instana agent with SSL

After the Db2 LUW server is configured, copy the extracted server.arm file to the system where the Instana agent runs and import it into a Java keystore that the agent will use as its truststore:

Note : You must have $JAVA_HOME/bin in your $PATH variable to use the keytool command. keytool prompts for a keystore password (creating db2client.jks if it does not exist yet), prints the certificate's fingerprint and asks whether to trust it; compare that fingerprint with the one of the certificate in the Db2 server's key database before answering yes, so that a substituted certificate is not silently trusted. The keystore password you choose here is the value for sslTrustStorePassword below. (-import is the older spelling of -importcert; both work.)

keytool -import -trustcacerts -alias myalias -file server.arm -keystore db2client.jks

After importing the certificate, open the Instana agent's configuration.yaml file in the <instana installation>/instana-agent/etc/instana folder and set the sslTrustStorePassword and sslTrustStoreLocation properties of the Db2 sensor as shown (indentation is significant in YAML; port must be the SSL_SVCENAME port, not the plain TCP/IP port):

# DB2
com.instana.plugin.db2:
  remote:
    - host: 'TESTUSER.fyre.ibm.com'
      port: '50443'
      user: 'db2inst1'
      password: 'database_password'
      availabilityZone: 'DB2 Standard'
      poll_rate: 30 # seconds
      sslTrustStorePassword: 'ssl_truststore_password'
      sslTrustStoreLocation: '/Users/testuser/db2client.jks'
      custom_polling:

Because configuration.yaml holds both the database password and the truststore password in clear text, keep it and the truststore file readable by the agent's user only.
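The agent-side steps (import into the truststore and protection of the files that hold passwords), as an added example that is not code from the original post or from Instana. It imports server.arm only after the certificate's SHA-256 fingerprint matches the value you read on the Db2 server, which is what lets it pass -noprompt to keytool safely, and it then removes group and world access from the truststore and configuration.yaml. The paths under /opt/instana, the alias, the placeholder password and the EXPECTED_FP value are assumptions; with the default DRY_RUN=1 the script prints the commands instead of running them.

```shell
#!/bin/sh
# Added example (not from the original post or from Instana): import the Db2
# server certificate into the agent truststore after a fingerprint check, then
# lock down the files that contain secrets. DRY_RUN=1 (default) prints only.
# Paths, alias, password and EXPECTED_FP are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"
CERT_FILE="${CERT_FILE:-server.arm}"
TRUSTSTORE="${TRUSTSTORE:-/opt/instana/agent/etc/db2client.jks}"
AGENT_CONF="${AGENT_CONF:-/opt/instana/agent/etc/instana/configuration.yaml}"
ALIAS="${ALIAS:-db2-myhost}"
STOREPASS="${STOREPASS:-ssl_truststore_password}"   # placeholder
# Value printed on the Db2 server by:
#   openssl x509 -in server.arm -noout -fingerprint -sha256
EXPECTED_FP="${EXPECTED_FP:-}"

# Print a command with the truststore password masked; execute unless dry-running.
run() {
    printf '+ %s\n' "$*" | sed "s|$STOREPASS|********|g"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# openssl prints "SHA256 Fingerprint=AB:CD:..." and keytool prints
# "SHA256: AB:CD:..."; reduce either form to lowercase hex for comparison.
normalize_fp() {
    printf '%s' "$1" | tr -d ':' | sed 's/^.*[[:space:]=]//' | tr '[:upper:]' '[:lower:]'
}

# True only when an expected value was supplied and both fingerprints agree.
fingerprints_match() {
    [ -n "$2" ] && [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# True when the file exists and neither group nor others can read it.
private_file() {
    [ -e "$1" ] && [ -z "$(find "$1" -prune \( -perm -004 -o -perm -040 \) 2>/dev/null)" ]
}

main() {
    if [ "$DRY_RUN" != "1" ]; then
        actual="$(openssl x509 -in "$CERT_FILE" -noout -fingerprint -sha256)"
        fingerprints_match "$actual" "$EXPECTED_FP" || {
            echo "fingerprint of $CERT_FILE does not match EXPECTED_FP; not importing" >&2
            return 1
        }
    fi

    # -noprompt is acceptable here because the fingerprint was verified above.
    run keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" \
        -file "$CERT_FILE" -keystore "$TRUSTSTORE" -storepass "$STOREPASS"
    run keytool -list -keystore "$TRUSTSTORE" -storepass "$STOREPASS" -alias "$ALIAS"

    # Both files carry secrets (truststore password, Db2 password): owner only.
    run chmod 600 "$TRUSTSTORE" "$AGENT_CONF"

    if [ "$DRY_RUN" != "1" ]; then
        private_file "$TRUSTSTORE" && private_file "$AGENT_CONF" \
            || { echo "files are still readable by group or others" >&2; return 1; }
    fi
}

main
```

Read EXPECTED_FP off the server console (or out of band) rather than from the copied server.arm itself; comparing a file's fingerprint with a value derived from the same file proves nothing. The keystore password still appears on the keytool command line for other local users while the process runs, so on shared hosts prefer letting keytool prompt for it.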

Conclusion

With the settings described in this blog, the Instana agent communicates with the Db2 server over SSL, so the credentials and the monitoring data it exchanges are protected in transit. Only the connection setup changes; the capabilities of the sensor, such as monitoring and alerting, remain the same as those of a sensor connected over plain TCP/IP.

Reference

https://www.ibm.com/docs/en/ias?topic=package-secure-sockets-layer-ssl
