Configuring Secure Communication to IBM DB2 with a Native Connection

© 2014 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All other company and product names may be trade names or trademarks of their respective owners and/or copyrighted materials of such owners.

Abstract

You can enable secure communication with SSL encryption from PowerCenter to third-party databases, such as IBM DB2. This article describes how you can configure secure communication from PowerCenter to IBM DB2 with a native connection on UNIX.

Supported Versions

• PowerCenter 9.6.x

Table of Contents

Overview
Prerequisites
Step 1. Create a Key Database in the Client
Step 2. Install the Server SSL Certificate Within the Client
Step 3. Update the DBM Parameters of the Client
Step 4. Catalog Database Information with Secure Communication
Step 5. Verify SSL Connectivity from the Client System to IBM DB2
Step 6. Configure IBM DB2 Connection from PowerCenter

Overview

You can enable secure communication from PowerCenter to third-party databases, such as IBM DB2. When you read or write data to a third-party database, you can secure the communication with SSL encryption provided by the third-party database.

In PowerCenter, you can configure secure communication to IBM DB2 when you run a mapping with IBM DB2 sources or targets.

To configure secure communication to IBM DB2 on the UNIX machine on which you install the IBM DB2 client, perform the following tasks:

1. Create a key database in the client.
2. Install the server SSL certificate within the client.
3. Update the DBM parameters of the client.
4. Catalog database information with secure communication.
5. Verify SSL connectivity from the client system to IBM DB2.
6. Create the IBM DB2 connection in PowerCenter and run the mapping.

Prerequisites

Before you configure a key database in the client, verify the installation prerequisites. Verify that the machine where the Integration Service runs meets the install requirements to run GSKit.

1. Install IBM DB2 client with the db2setup utility on the machine on which the Integration Service runs.

2. Install IBM Global Security Kit (GSKit) version 8 on the machine on which the Integration Service runs.

   GSKit is a library and a set of command-line tools that provides SSL implementation, key management, and FIPS certification. Ensure that you use version 8 of the IBM GSKit because it can integrate with cryptographic devices that support the PKCS#11 industry standard. The previous GSKit versions, such as 7, might not contain all the required options and commands.

3. Set the PATH and LD_LIBRARY_PATH environment variables with the IBM GSKit version 8 installation location with the following values:

    setenv IBM_GSK_HOME <location_of_GSK_installation>
    setenv PATH ${PATH}:${IBM_GSK_HOME}/bin
    setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:${IBM_GSK_HOME}/lib64

   For example, you can set the following environment variables:

    setenv IBM_GSK_HOME /usr/local/ibm/gsk8_64
    setenv PATH ${PATH}:${IBM_GSK_HOME}/bin
    setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:${IBM_GSK_HOME}/lib64

Step 1. Create a Key Database in the Client

GSKit stores public and private keys and certificates in a key database. A key database consists of a file with a .kdb extension and up to three other files with .sth, .rdb, and .crl extensions.

1. Ask your database administrator to provide you with the DB2 server SSL certificate. For example, your database administrator can provide you with the certificate file mydbserver.arm.

2. At the command prompt, enter the command to create a folder to store the SSL-related files as follows:

    mkdir <user_home>/<folder_name>

   For example, to create a folder called SSL, enter the following command:

    mkdir /usr/home/SSL

3. At the command prompt, enter the following command to generate the client key database in the SSL folder:

    <fullpath_to_the_gsk8capicmd_utility> -keydb -create -db "<database_name>" -pw "<password>" -stash

   where gsk8capicmd_64 is the GSKit command-line tool for 64-bit platforms. The -db parameter indicates the file name for the new key database. The -pw parameter indicates the password that protects the key database file. The -stash parameter directs GSKit to save the specified key database password locally in the .sth file. Use the -stash parameter to avoid entering the password again at the command prompt at a later stage.

   For example, enter the following command:

    ${IBM_GSK_HOME}/bin/gsk8capicmd_64 -keydb -create -db "mydbclient.kdb" -pw "myClientPassw0rd" -stash

Step 2. Install the Server SSL Certificate Within the Client

Enter the command for adding the DB2 server SSL certificate to the client key database as follows:

    <fullpath_to_the_gsk8capicmd_utility> -cert -add -db "<database_name>" -pw "<password>" -label "<label_name>" -file <Server_SSL_certificate_name> -format <format> -fips

where fips is the certified encryption type.

For example, enter the following command:

    ${IBM_GSK_HOME}/bin/gsk8capicmd_64 -cert -add -db "mydbclient.kdb" -pw "myClientPassw0rd" -label "myselfsignedClnt" -file mydbserver.arm -format ascii -fips

Step 3. Update the DBM Parameters of the Client

1. Update the DBM parameter with the client key database with the following command:

    db2 update dbm cfg using SSL_CLNT_KEYDB <USER_HOME>/SSL/mydbclient.kdb

   For example, enter the following command:

    db2 update dbm cfg using SSL_CLNT_KEYDB /usr/home/SSL/mydbclient.kdb

2. Update the DBM parameter with the client stash file with the following command:

    db2 update dbm cfg using SSL_CLNT_STASH <USER_HOME>/SSL/mydbclient.sth

   For example, enter the following command:

    db2 update dbm cfg using SSL_CLNT_STASH /usr/home/SSL/mydbclient.sth

Step 4. Catalog Database Information with Secure Communication

1. You can catalog the IBM DB2 host with the SSL port with the following command:

    db2 catalog tcpip node <node_name> remote <host_name> server <port> SECURITY SSL

   For example, you can enter the following command:

    db2 catalog tcpip node mydb2node remote dbhost.informatica.com server 60000 security SSL

   In the preceding command, mydb2node is the alias for the database host.

2. You can catalog the IBM DB2 database with the following command:

    db2 catalog database <database_name> as <database_alias> at node <node_name> authentication server

   For example, you can enter the following command:

    db2 catalog database db2v10db as mydb2db at node mydb2node authentication server

Step 5. Verify SSL Connectivity from the Client System to IBM DB2

You can optionally verify the SSL connectivity from the client machine to IBM DB2 with the following command:

    db2 connect to <database_alias> user <username> using <password>

For example, enter the following command:

    db2 connect to mydb2db user db2 using db2

Step 6. Configure IBM DB2 Connection from PowerCenter

1. Log in to the Workflow Manager.
2. Click Connections > Relational. The Relational Connection Browser dialog box appears.
3. Click New. The Select Subtype dialog box appears.
4. Select IBM DB2 from the Select Subtype list.
5. Click OK. The Connection Object Definition dialog box appears.
6. Enter the connection properties, such as user name and password. Verify that the connection string is the catalog entry for the database alias that you created, such as mydb2db.
7. Click OK. The database connection appears in the Relational Connection Browser list.

Select the IBM DB2 connection to run the mapping with secure communication in PowerCenter.

Authors

Anju Andrews
Lead QA Engineer

Sujitha Alexander
Technical Writer
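Added example, not part of the original article and not Informatica or IBM code: because Step 1 saves the key database password in the .sth stash file, this script resolves SSL_CLNT_KEYDB and SSL_CLNT_STASH from db2 get dbm cfg style text and checks that both files are accessible only to their owner. It is written for sh rather than the csh used in the article; the function names are hypothetical, the configuration lines inside demo() are constructed, and it assumes the files are owned by the account that runs the DB2 client.

```shell
#!/bin/sh
# Added example: audit the client SSL files configured in Steps 1 to 3.

# Print the value of one parameter from `db2 get dbm cfg` text on stdin.
dbm_cfg_value() {
    sed -n -e 's/[[:space:]]*$//' -e "s/^.*($1) *= *\(.*\)\$/\1/p" | head -n 1
}

# Succeed only if $1 is a regular file with no group/other permission bits.
is_private_file() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# $1 = file holding `db2 get dbm cfg` output. Returns 0 when both parameters
# are set and both files they name are private to the owner.
audit_ssl_client() {
    rc=0
    for param in SSL_CLNT_KEYDB SSL_CLNT_STASH; do
        path=$(dbm_cfg_value "$param" < "$1")
        if [ -z "$path" ]; then
            echo "FAIL $param is not set"; rc=1
        elif is_private_file "$path"; then
            echo "OK   $param = $path"
        else
            echo "FAIL $param = $path (missing, or group/other can access it)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo: a throwaway directory stands in for /usr/home/SSL, and the
# two configuration lines are sample text, not captured output.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/mydbclient.kdb"; chmod 600 "$d/mydbclient.kdb"
    : > "$d/mydbclient.sth"; chmod 644 "$d/mydbclient.sth"   # too open on purpose
    cat > "$d/dbm.cfg" <<EOF
 SSL client keydb file                  (SSL_CLNT_KEYDB) = $d/mydbclient.kdb
 SSL client stash file                  (SSL_CLNT_STASH) = $d/mydbclient.sth
EOF
    audit_ssl_client "$d/dbm.cfg"; status=$?
    rm -rf "$d"
    return $status
}
demo || echo "audit reported problems (expected for the constructed stash file)"
```

To audit a real client, save the output of db2 get dbm cfg to a file and pass that file to audit_ssl_client.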