DB2 - L

  • 1.  TLS setting in Data Studio

    Posted Nov 02, 2022 02:35 PM
    Is there a way to specify the TLS setting in Data Studio?
    thanks
    Bill

    ------------------------------
    williamgiannelliMe
    ------------------------------


  • 2.  RE: TLS setting in Data Studio

    Posted Nov 03, 2022 01:07 AM
    Yes, you'll need to specify these in the 'Driver Properties' options tab when specifying the 'Connection Parameters'.

    Screenshots for reference:
    [Screenshot: Driver Properties for TLS]
    Additional TLS parameters can be specified in the 'Optional' tab:
    [Screenshot: Driver Properties for TLS (optional)]


    ------------------------------
    Rohan Pradhan
    ------------------------------



  • 3.  RE: TLS setting in Data Studio

    Posted Nov 03, 2022 09:37 AM
    thank you very much for the information!
    I need to specify TLSv.2

    ------------------------------
    williamgiannelliMe
    ------------------------------



  • 4.  RE: TLS setting in Data Studio

    Posted Nov 03, 2022 02:30 PM

    First, from my understanding, 
    The acceptable TLS or SSL version or level that is accepted by mainframe Db2 is specified in the mainframe policy agent (the thing that does the encryption on the mainframe side).  
    You do NOT specify the TLS version in the Data Studio.
    Basically, when the client connects to the mainframe Db2... the Policy Agent only accepts the TLS versions that it accepts!  So if it only allows v1.2 then your client can only use V1.2.  They figure it out between themselves.


    The policy agent started task is often seen with jobname like PAGENT or *PAGENT*
    If you dig in through the control cards... you will see evidence as to what TLS Version is being used or allowed to be used.
    > hopefully... you will eventually find a control card with TTLSConnectionAdvancedParms which has TLSV1.2 with value "On"

    > the started task job JCL will have a DD named STDENV which points to a PDS member (or a unix file) with a series of ctlcards.  If you just dig in and follow the path... one of them will be for "TTLSCONFIG" and that will have the TLS details.  


    SECOND.  from the Data Studio side.  The example from Rohan is assuming you have a "truststore" with the certificate(s).  I bet that works.... but I think my scenario below is a bit easier.

    The mainframe cert is signed by a certificate authority (CA).  
    One just needs the public cert of the CA and then tell the JDBC driver used by Data Studio about the location of the public cert. 
    Basically, in the db config driver properties, in the "optional" tab, I specify this property
    sslCertLocation=c:\somedirectory\my_ca_public_cert.cer

    This avoids the need to create a keystore on my machine.

    THIRD, my experience with the different driver types in Data Studio is that if you use
    IBM Data Server Driver for JDBC and SQLJ (JDBC 4.) 
    then you must explicitly add optional property 
    sslConnection=True
    (essentially, it goes beside the sslCertLocation property)


    The only diff with the 
    IBM Data Server Driver for JDBC and SQLJ (JDBC 4.) using SSL connectivity Default
    is that this driver type apparently assumes and dynamically adds the property
    sslConnection=True



    = - = - = - =

    Some of the above is documented in the IDUG content blog as an article about how I enabled SSL on my Db2.  Since I wrote the blog last year... I have continued to learn more about network encryption... but I think it is basically correct!

    https://www.idug.org/blogs/brian-laube1/2021/05/05/configuring-db2-for-zos-for-encrypted-network

    regards,
    Brian







    ------------------------------
    Brian Laube Manulife Financial

    Db2 Z DBA (mostly)
    ------------------------------



  • 5.  RE: TLS setting in Data Studio

    Posted Nov 03, 2022 04:08 PM

    Aside from what Brian said, and not to disagree with his approach; but my Agency uses individual key exchanges, sort of. 

     

    All of our client machines which call the DB2 z/OS SQL ports directly use TLS, and all the workstations use the local key cache to store their private keys.  If you're using Data Studio or a similar product, the cache location (and filename?) has to be specified in the connection definition, and that (probably?) has to be on a local drive. 

     

    And if it DOESN'T have to be on a local drive, put it there ANYWAY.  Sending a TLS encryption key out repeatedly, even over a local network, is a Really Bad Idea.

     

    /phil

     

     

    Philip Sevetson

    Computer Systems Manager

    FISA-OPA

    5 Manhattan West

    New York, NY 10001

    psevetson@fisa-opa.nyc.gov

    917-991-7052 m

    212-857-1659 f







  • 6.  RE: TLS setting in Data Studio

    Posted Nov 03, 2022 04:09 PM
    The TLS version is normally negotiated "under the covers" between the Java Runtime Environment on the client side (here: IBM Data Studio) and the server (here: Policy Agent on z/OS) and you can expect that TLSv1.2 or TLSv1.3 is used. Policy Agent can require a minimum TLS level (specified in the TTLSRules). On the client side you could use the Db2 JDBC property "sslVersion" to request a TLS level. That works with Data Studio as well but I think this option is really rarely used.
    Best regards
    Christoph

    ------------------------------
    Christoph Theisen
    Rocket Software Inc.
    ------------------------------
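
As an added example (not code from any poster in this thread), the Python sketch below automates the check that posts 4 and 6 describe: reading the Policy Agent TTLS configuration and listing which protocol versions each advanced-parms block explicitly turns on, flagging any below a chosen minimum. The policy text and block names are constructed, and the script assumes the switches appear as `<protocol> On|Off` lines inside `TTLSConnectionAdvancedParms` or `TTLSEnvironmentAdvancedParms` blocks.

```python
import re

ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
BLOCK_RE = re.compile(
    r"^\s*(TTLS(?:Connection|Environment)AdvancedParms)\s+(\S+)\s*\{(.*?)\}",
    re.S | re.M)
PROTO_RE = re.compile(r"^\s*(SSLv[23]|TLSv1(?:\.[123])?)\s+(On|Off)\b", re.I | re.M)

# Constructed sample policy text (block names are made up, not from the thread).
SAMPLE_POLICY = """\
TTLSConnectionAdvancedParms Db2ConnAdv   # hypothetical name
{
  SSLv3    Off
  TLSv1    Off
  TLSv1.1  Off
  TLSV1.2  On
}
TTLSEnvironmentAdvancedParms LegacyEnvAdv
{
  # TLSv1.3 On   (commented out, must be ignored)
  TLSv1    On
  TLSv1.1  On
  TLSv1.2  On
}
"""

def audit_policy(text, minimum="TLSv1.2"):
    """Map each advanced-parms block to the protocols it explicitly enables."""
    # Protocols a block does not mention fall back to AT-TLS defaults,
    # which this script does not model: only explicit switches are reported.
    floor = ORDER.index(minimum)
    text = re.sub(r"#.*", "", text)            # drop '#' comments
    report = {}
    for kind, name, body in BLOCK_RE.findall(text):
        enabled = sorted((p.upper().replace("V", "v")      # TLSV1.2 -> TLSv1.2
                          for p, s in PROTO_RE.findall(body) if s.lower() == "on"),
                         key=ORDER.index)
        report[name] = {
            "statement": kind,
            "enabled": enabled,
            "below_minimum": [p for p in enabled if ORDER.index(p) < floor],
        }
    return report

if __name__ == "__main__":
    for name, info in audit_policy(SAMPLE_POLICY).items():
        flag = "REVIEW" if info["below_minimum"] else "ok"
        print(f"{name}: enabled={info['enabled']} [{flag}]")
```

A block flagged `REVIEW` still accepts a protocol older than the minimum, so a client could negotiate down to it regardless of what Data Studio is configured to request.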