Configure TLS certificates for mutual authentication

Before KMIP connections between IBM Db2 and the KMES Series 3 can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section shows how to create X.509 certificates for IBM Db2 and the KMIP connection pair on the KMES Series 3, which they use for TLS communication.

Create the CA

Perform the following steps to create the certificate authority (CA):

Go to PKI> Certificate Authorities and select [ Add CA ].

Specify a Name for the CA, and select [ OK ].

Right-click the new certificate container and select Add Certificate > New Certificate.

Change the Preset drop-down option to Classic and set the Common Name value to Root.

On the Basic Info tab, leave the settings set to the default values.

On the V3 Extensions tab, set the Profile to Certificate Authority and select [ OK ] to save.

Create the TLS certificate

To create and configure the TLS certificate for the KMIP connection pair on the KMES Series 3, perform the following tasks:

Generate a private key.
Construct a CSR.
Sign the KMIP connection pair.
Export the certificates.
Configure the KMIP connection pair.

Generate a private key

Perform the following steps to generate a private key:

Go to Administration> Configuration and double-click Network Options. On the TLS/SSL Settings tab, select the Connection drop-down option and select the KMIP connection pair.

Enable the KMIP connection pair if it is not already enabled.

Uncheck Use System/Host API SSL Parameters if it is selected.

In the User Certificates section, select [ Edit ] next to PKI keys.

Select [ Generate ] to create a new PKI key pair.

Select [ Yes ] and bypass the warning about SSL not being functional until new certificates are imported.

On the PKI Parameters window, leave all settings set to the default values and select [ OK ].

The Application Public Keys window should now show that the PKI key pair is Loaded.

Construct a CSR

Perform the following steps to construct a Certificate Signing Request (CSR):

On the Application Public Keys window, select [ Request ].

On the Subject DN tab, change the Preset drop-down option to Classic and specify the hostname or IP address of the KMES in the Common Name field.

On the V3 Extensions tab, set the profile to TLS Server Certificate.

On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].

When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].

Select [ OK ] in the Application Public Keys window and select [ OK ] in the main Network Options window.

Sign the CSR

Perform the following steps to sign the KMIP connection pair CSR:

Go to the PKI > Certificate Authorities menu. Right-click the Root CA certificate and select Add Certificate > From Request.

In the file browser, find and select the KMIP connection pair CSR.

Certificate information should populate in the Create X.509 From CSR window.

Leave all settings set to the default values and select [ OK ] to save.

The signed KMIP connection pair certificate should display now under the Root CA certificate in the CA tree.

Export all certificates

Perform the following steps to export all certificates in the CA tree:

Right-click each certificate in the certificate tree and select Export > Certificate(s).

On the Export Certificate window for each of them, change the encoding to PEM and specify a save location for the file.

Configure the connection pair

Perform the following steps to configure the KMIP connection pair to use the signed certificate and CA chain:

Go to the Administration > Configuration menu and double-click Network Options. On the TLS/SSL Settings tab, select the Connection drop-down option and select the KMIP connection pair.

In the User Certificates section, select [ Edit ] next to Certificates.

In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].

In the Import Certificates window, select [ Add ] at the bottom of the window. In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate and select [ Open ].

The certificates should now display in the Verified section of the Import Certificates window.

Select [ OK ] to save.

It should now display Signed loaded next to Certificates in the User Certificates section of the Network Options window.

Select [ OK ] to save and finish.

Overview

Certificate Authority

Cloud key management

Code signing

Credential management

Certificate management

Data protection

Data storage

Database

Endpoint management

DNS

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

Secure printing

SSH

Virtualization

VPN

Configure TLS certificates for mutual authentication

Create the CA

Create the TLS certificate

Generate a private key

Construct a CSR

Sign the CSR

Export all certificates

Configure the connection pair

Overview

Certificate Authority

Cloud key management

Code signing

Credential management

Certificate management

Data protection

Data storage

Database

Endpoint management

DNS

Generic

IT automation and orchestration

Key management

Privileged access management

Secrets management

Secure printing

SSH

Virtualization

VPN

Documentation Index

​Create the CA

​Create the TLS certificate

​Generate a private key

​Construct a CSR

​Sign the CSR

​Export all certificates

​Configure the connection pair

Create the CA

Create the TLS certificate

Generate a private key

Construct a CSR

Sign the CSR

Export all certificates

Configure the connection pair