Aside from what Brian said, and not to disagree with his approach, my agency uses individual key exchanges, sort of.
All of our client machines which call the DB2 z/OS SQL ports directly use TLS, and all the workstations use the local key cache to store their private keys. If you're using Data Studio or a similar product, the cache location (and filename?) has to be specified in the connection definition, and that (probably?) has to be on a local drive.
And if it DOESN'T have to be on a local drive, put it there ANYWAY. Sending a TLS encryption key out repeatedly, even over a local network, is a Really Bad Idea.
Computer Systems Manager
5 Manhattan West
New York, NY 10001