Configure TLS certificates for mutual authentication
Before KMIP connections between IBM Db2 and the can occur, both parties must establish a mutual trust relationship by validating their respective digitally signed certificates. This section shows how to create X.509 certificates for IBM Db2 and the KMIP connection pair on the , which they use for TLS communication.
Log in to the application interface with the default Admin users.
Go to PKI > Certificate Authorities and select [ Add CA ].
Specify a Name for the CA, then select [ OK ].
Right-click the new certificate container and select Add Certificate > New Certificate.
Change the Preset drop-down option to Classic and set the Common Name value to Root.
On the Basic Info tab, leave the settings set to the default values.
On the V3 Extensions tab, set the Profile to Certificate Authority and select [ OK ] to save.
To create and configure the TLS certificate for the KMIP connection pair on the , perform the following tasks:
- Generate a private key.
- Construct a CSR.
- Sign the KMIP connection pair.
- Export the certificates.
- Configure the KMIP connection pair.
Go to Administration > Configuration and double-click Network Options. On the TLS/SSL Settings tab, select the Connection drop-down option and select the KMIP connection pair.
Enable the KMIP connection pair if it is not already enabled.
Uncheck Use System/Host API SSL Parameters if it is selected.
In the User Certificates section, select [ Edit ] next to PKI keys.
Select [ Generate ] to create a new PKI key pair.
Select [ Yes ] to acknowledge the warning that SSL will not be functional until new certificates are imported.
On the PKI Parameters window, leave all settings set to the default values and select [ OK ].
The Application Public Keys window should now show that the PKI key pair is Loaded.
On the Application Public Keys window, select [ Request ].
On the Subject DN tab, change the Preset drop-down option to Classic and specify the hostname or IP address of the in the Common Name field.
On the V3 Extensions tab, set the Profile to TLS Server Certificate.
On the PKCS #10 Info tab, specify a save location and name for the CSR file and select [ OK ].
When prompted that the certificate signing request was successfully written to the specified location, select [ OK ].
Select [ OK ] in the Application Public Keys window and select [ OK ] in the main Network Options window.
Go to the PKI > Certificate Authorities menu. Right-click the Root CA certificate and select Add Certificate > From Request.
In the file browser, find and select the KMIP connection pair CSR.
Certificate information should populate in the Create X.509 From CSR window.
Leave all settings set to the default values and select [ OK ] to save.
The signed KMIP connection pair certificate should now display under the Root CA certificate in the CA tree.
Right-click each certificate in the certificate tree and select Export > Certificate(s).
On the Export Certificate window for each of them, change the encoding to PEM and specify a save location for the file.
Go to the Administration > Configuration menu and double-click Network Options. On the TLS/SSL Settings tab, select the Connection drop-down option and select the KMIP connection pair.
In the User Certificates section, select [ Edit ] next to Certificates.
In the Certificate Authority window, right-click the KMIP SSL CA X.509 certificate container and select [ Import ].
In the Import Certificates window, select [ Add ] at the bottom of the window. In the file browser, select both the root CA certificate and the signed KMIP connection pair certificate and select [ Open ].
The certificates should now display in the Verified section of the Import Certificates window.
Select [ OK ] to save.
The User Certificates section of the Network Options window should now show Signed loaded next to Certificates.
Select [ OK ] to save and finish.