
How to configure a secure DB2 Connection in TDM Portal


Article ID: 227241

Products

CA Test Data Manager (Data Finder / Grid Tools)

Issue/Introduction

We are implementing a more secure layer for databases and bringing it to TLS 1.2. Also, I have received our new DB2 certificates file, which we may need to align with the keystore.

Note: we are using older DB2 releases: 

  • DB2 v9.7 fp31
  • DB2 v9.7 fp11
  • DB2 v10.5 fp9

Environment

Release : 4.9

Component : TDM Web Portal

Resolution

The supported releases of DB2 for TDM 4.9.1 are as follows:

This might work with the older DB2 releases, but Broadcom cannot guarantee your results, since the DB2 releases you are using are not supported.

----------------------------------------------------------------------------------------------

To create a DB2 connection profile in TDM Portal that uses a secured SSL connection, you would need to do the following:

  1. As an Administrator user in TDM Portal, go to the Configuration -> Connection Profile page.
  2. Select the New Profile button.
  3. In the Add New Connection Profile page, provide the required information in the following fields:
    • Profile Name - the name you give to this Connection Profile

    • Description - a description of this connection profile

    • DBMS - set to DB2, or DB2/AS400

    • Server - the name of the server hosting the DB2 database

    • Port - optional, but if you know the listener port the DB2 instance is using, provide it here

    • User Name - user name of the DB2 account

    • Password - password for this user

    • Additional Connection Properties - this is important, since it sets the SSL connection parameters used for the DB2 connection:
      sslConnection=true;sslTrustStoreLocation=[path to the keystore file or a truststore file];sslTrustStorePassword=[your store password];CryptoProtocolVersion=TLSv1.2;

      where:
      1) sslTrustStoreLocation is the path to the TrustStore file containing the DB2 certificates
      2) sslTrustStorePassword is the password needed to access the TrustStore file

As for the embedded Java JRE: by default, this version of Java only allows TLS 1.2 connections, and all other protocol versions are disabled. If you need to enable an older protocol, for instance TLS 1.1, you will need to do the following:

  1. Open a Windows File Explorer and navigate to C:\Program Files\CA\CA Test Data Manager Portal\jre\lib\security
  2. Open the java.security file
  3. In a text editor of your choice, such as Notepad++, search for jdk.tls.disabledAlgorithms
  4. Remove the protocol you wish to use from this list, for example, TLS1.1
  5. Save the changes
  6. Restart the CA Test Data Manager Portal service for the change to take effect. The file is read when Tomcat is started.
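An added example (not from the KB article) for checking the result of the edit above: it reads the embedded JRE's java.security and lists the protocol versions that jdk.tls.disabledAlgorithms currently disables. Note that the entries in that file are spelled TLSv1.1, TLSv1, SSLv3 and so on, and the value is normally split over several lines ending in a backslash, which this code joins before splitting on commas. The path is the Portal default from this article.

```powershell
# Added example, not from the KB article: report which protocol versions the
# embedded JRE disables, so the java.security edit can be verified before the
# CA Test Data Manager Portal service is restarted.
function Get-JdkTlsDisabledAlgorithms {
    param(
        [string]$SecurityFile = 'C:\Program Files\CA\CA Test Data Manager Portal\jre\lib\security\java.security'
    )
    # @() forces an array even if the file has a single line.
    $lines = @(Get-Content -LiteralPath $SecurityFile)
    $value = $null
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match '^\s*jdk\.tls\.disabledAlgorithms\s*=\s*(.*)$') {
            $value = $Matches[1]
            # A trailing backslash means the property continues on the next line.
            while ($value -match '\\\s*$' -and ($i + 1) -lt $lines.Count) {
                $value = ($value -replace '\\\s*$', '') + $lines[++$i].Trim()
            }
            break
        }
    }
    if ($null -eq $value) { throw "jdk.tls.disabledAlgorithms not found in $SecurityFile" }
    # Return the individual entries, e.g. SSLv3, TLSv1, TLSv1.1, RC4, DES, ...
    return ($value -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

$disabled  = Get-JdkTlsDisabledAlgorithms
$protocols = $disabled | Where-Object { $_ -match '^(SSLv|TLSv)' }
"Disabled protocol versions: $($protocols -join ', ')"
if ($protocols -contains 'TLSv1.1') {
    'TLSv1.1 is disabled: the JRE will only negotiate TLS 1.2 with DB2.'
} else {
    'TLSv1.1 is not in the disabled list: the JRE will accept it if the DB2 server offers it.'
}
```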

By the way, this also applies to FDM. You can follow similar steps to configure an FDM connection to use SSL when connecting to DB2. If you enable TLS 1.1 for the Portal, then you will also want to do the same for the embedded JRE used by FDM. See KB https://knowledge.broadcom.com/external/article?articleId=222429

----------------------------------------------------------------------------------------------

If your security team provided you with a TrustStore file, then all you need to know is the password for the file. You can place this file anywhere you wish on the Portal server, as long as the account running the CA Test Data Manager Portal service has read access to the file.

You would then specify the full path to the file, and the password required for accessing the file in the Additional parameters in the Connection Profile configuration.

If you were only given the certificate file, then you can use the Java Keytool command-line utility to generate a TrustStore file and import the certificate into the TrustStore.

  1. Open a Windows command line. (As Administrator if possible)

  2. Navigate to C:\Program Files\CA\CA Test Data Manager Portal\jre\bin

  3. Generate the TrustStore file by running the following command:

    keytool -import -file [path\certificate filename] -alias [aliasname for the certificate] -keystore [path/myTrustStorefile] -storetype PKCS12 -storepass [TrustStore_password]

Where:

    • -file [path\certificate filename] is the fully qualified path to the certificate file you wish to import.

    • -alias [aliasname for the certificate] is the alias name given to the certificate. If your certificate contains an alias, you need to use the same alias name.

    • -keystore [path/myTrustStorefile] is the fully qualified path to where you want to place your TrustStore file.

    • -storepass [TrustStore_password] is the password you would like to assign to your TrustStore file, if you want to password-protect the file.

For example:

keytool -import -file "C:\Users\brad\Downloads\new_ca_cert.ce" -alias DB2ServerName -keystore "C:\Program Files\CA\CA Test Data Manager Portal\conf\.truststore" -storetype PKCS12 -storepass CAdemo1234!

If you create the TrustStore file with a password, you will need to record that password, in case you need to import additional certificates in the future. If you have more than one certificate to import, you will need to run the import command once for each certificate, changing the -file and -alias values for each certificate.
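The keytool procedure above and the Additional Connection Properties value from the profile steps, as an added PowerShell example that is not part of this article: it imports each certificate in a list with its own alias, verifies with keytool -list that every alias was stored as a trusted certificate, shows who has read access to the file, and prints the property string for the profile. The keytool and truststore paths are the Portal defaults used in this article; the certificate file paths are hypothetical placeholders.

```powershell
# Added example, not from the KB article: build and verify the PKCS12 truststore
# with the Portal's embedded keytool, one import per certificate.
$Keytool    = 'C:\Program Files\CA\CA Test Data Manager Portal\jre\bin\keytool.exe'
$TrustStore = 'C:\Program Files\CA\CA Test Data Manager Portal\conf\.truststore'
$CertFiles  = @('C:\certs\db2-server.cer', 'C:\certs\db2-issuing-ca.cer')  # placeholders

# Prompt for the store password instead of hard-coding it in the script.
$Secure    = Read-Host -AsSecureString 'TrustStore password'
$StorePass = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
    [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure))

foreach ($cert in $CertFiles) {
    if (-not (Test-Path -LiteralPath $cert)) { throw "Certificate file not found: $cert" }
    # Each certificate gets its own alias (here the file base name).
    # -noprompt answers the "Trust this certificate?" question so the loop does not block.
    $alias = [IO.Path]::GetFileNameWithoutExtension($cert)
    & $Keytool -importcert -noprompt -file $cert -alias $alias `
        -keystore $TrustStore -storetype PKCS12 -storepass $StorePass
    if ($LASTEXITCODE -ne 0) { throw "keytool failed for $cert (exit code $LASTEXITCODE)" }
}

# Verify: keytool -list prints "<alias>, <date>, trustedCertEntry," per trusted certificate.
$listing = @(& $Keytool -list -keystore $TrustStore -storetype PKCS12 -storepass $StorePass)
foreach ($cert in $CertFiles) {
    $alias = [IO.Path]::GetFileNameWithoutExtension($cert)
    $hit = $listing | Where-Object { $_ -match ('^' + [regex]::Escape($alias) + ',.*trustedCertEntry') }
    if (-not $hit) { throw "Alias '$alias' is not a trustedCertEntry in $TrustStore" }
}

# The account running the CA Test Data Manager Portal service needs Read access to the file.
(Get-Acl -LiteralPath $TrustStore).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# Value for the profile's Additional Connection Properties field; the password is
# left as the article's placeholder so it is not echoed to the console.
"sslConnection=true;sslTrustStoreLocation=$TrustStore;sslTrustStorePassword=[your store password];CryptoProtocolVersion=TLSv1.2;"
```

Run it from an elevated PowerShell prompt so keytool can write under C:\Program Files; aliases are matched case-insensitively because keytool lower-cases them when listing.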