Configure TLS certificates for mutual authentication

7min

before kmip connections between ibm db2 and the {{k3}} can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates this section shows how to create x 509 certificates for ibm db2 and the kmip connection pair on the {{k3}} , which they use for tls communication create the ca perform the following steps to create the certificate authority (ca) log in to the {{k3}} application interface by using the default admin users go to pki > certificate authorities and select \[ add ca ] specify a name for the ca, and select \[ ok ] right click the new certificate container and select add certificate > new certificate change the preset drop down option to classic and set the common name value to root on the basic info tab, leave the settings set to the default values on the v3 extensions tab, set the profile to certificate authority and select \[ ok ] to save create the tls certificate to create and configure the tls certificate for the kmip connection pair on the {{k3}} , perform the following tasks generate a private key construct a csr sign the kmip connection pair export the certificates configure the kmip connection pair generate a private key perform the following steps to generate a private key go to administration > configuration and double click network options on the tls/ssl settings tab, select the connection drop down option and select the kmip connection pair enable the kmip connection pair if it is not already enabled uncheck use system/host api ssl parameters if it is selected in the user certificates section, select \[ edit ] next to pki keys select \[ generate ] to create a new pki key pair select \[ yes ] and bypass the warning about ssl not being functional until new certificates are imported on the pki parameters window, leave all settings set to the default values and select \[ ok ] the application public keys window should now show that the pki key pair is loaded construct a csr perform the following steps to construct a certificate signing request (csr) on the application public keys window, select \[ request ] on the subject dn tab, change the preset drop down option to classic and specify the hostname or ip address of the {{k}} in the common name field on the v3 extensions tab, set the profile to tls server certificate on the pkcs #10 info tab, specify a save location and name for the csr file and select \[ ok ] when prompted that the certificate signing request was successfully written to the specified location , select \[ ok ] select \[ ok ] in the application public keys window and select \[ ok ] in the main network options window sign the csr perform the following steps to sign the kmip connection pair csr go to the pki > certificate authorities menu right click the root ca certificate and select add certificate > from request in the file browser, find and select the kmip connection pair csr certificate information should populate in the create x 509 from csr window leave all settings set to the default values and select \[ ok ] to save the signed kmip connection pair certificate should display now under the root ca certificate in the ca tree export all certificates perform the following steps to export all certificates in the ca tree right click each certificate in the certificate tree and select export > certificate(s) on the export certificate window for each of them, change the encoding to pem and specify a save location for the file configure the connection pair perform the following steps to configure the kmip connection pair to use the signed certificate and ca chain go to the administration > configuration menu and double click network options on the tls/ssl settings tab, select the connection drop down option and select the kmip connection pair in the user certificates section, select \[ edit ] next to certificates in the certificate authority window, right click the kmip ssl ca x 509 certificate container and select \[ import ] in the import certificates window, select \[ add ] at the bottom of the window in the file browser, select both the root ca certificate and the signed kmip connection pair certificate and select \[ open ] the certificates should now display in the verified section of the import certificates window select \[ ok ] to save it should now display signed loaded next to certificates in the user certificates section of the network options window select \[ ok ] to save and finish

Before you start

Configure IBM Db2 initially and request a client certificate