Configuring Secure Communication to IBM DB2 with a Native Connection
© 2014 Informatica Corporation. No part of this document may be reproduced or transmitted in any form, by any
means (electronic, photocopying, recording or otherwise) without prior consent of Informatica Corporation. All other
company and product names may be trade names or trademarks of their respective owners and/or copyrighted
materials of such owners.
Abstract
You can enable secure communication with SSL encryption from PowerCenter to third-party databases, such as IBM
DB2. This article describes how you can configure secure communication from PowerCenter to IBM DB2 with a native
connection on UNIX.
Supported Versions
• PowerCenter 9.6.x
Table of Contents
Overview
Prerequisites
Step 1. Create a Key Database in the Client
Step 2. Install the Server SSL Certificate Within the Client
Step 3. Update the DBM Parameters of the Client
Step 4. Catalog Database Information with Secure Communication
Step 5. Verify SSL Connectivity from the Client System to IBM DB2
Step 6. Configure IBM DB2 Connection from PowerCenter
Overview
You can enable secure communication from PowerCenter to third-party databases, such as IBM DB2. When you read
or write data to a third-party database, you can secure the communication with SSL encryption provided by the
third-party database. In PowerCenter, you can configure secure communication to IBM DB2 when you run a mapping
with IBM DB2 sources or targets.
To configure secure communication to IBM DB2 on the UNIX machine on which you install the IBM DB2 client, perform
the following tasks:
1. Create a key database in the client.
2. Install the server SSL certificate within the client.
3. Update the DBM parameters of the client.
4. Catalog database information with secure communication.
5. Verify SSL connectivity from the client system to IBM DB2.
6. Create the IBM DB2 connection in PowerCenter and run the mapping.
Prerequisites
Before you configure a key database in the client, verify the installation prerequisites. Verify that the machine
where the Integration Service runs meets the installation requirements to run GSKit.
1. Install IBM DB2 client with the db2setup utility on the machine on which the Integration Service runs.
2. Install IBM Global Security Kit (GSKit) version 8 on the machine on which the Integration Service runs.
   GSKit is a library and a set of command-line tools that provides SSL implementation, key management, and
   FIPS certification. Ensure that you use version 8 of the IBM GSKit because it can integrate with cryptographic
   devices that support the PKCS#11 industry standard. The previous GSKit versions, such as 7, might not
   contain all the required options and commands.
3. Set the PATH and LD_LIBRARY_PATH environment variables with the IBM GSKit version 8 installation
   location with the following values:
      setenv IBM_GSK_HOME <location_of_GSK_installation>
      setenv PATH ${PATH}:${IBM_GSK_HOME}/bin
      setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:${IBM_GSK_HOME}/lib64
   For example, you can set the following environment variables:
      setenv IBM_GSK_HOME /usr/local/ibm/gsk8_64
      setenv PATH ${PATH}:${IBM_GSK_HOME}/bin
      setenv LD_LIBRARY_PATH ${LD_LIBRARY_PATH}:${IBM_GSK_HOME}/lib64
Step 1. Create a Key Database in the Client
GSKit stores public and private keys and certificates in a key database. A key database consists of a file with a .kdb
extension and up to three other files with .sth, .rdb, and .crl extensions.
1. Ask your database administrator to provide you with the DB2 server SSL certificate.
   For example, your database administrator can provide you with the certificate file mydbserver.arm.
2. At the command prompt, enter the command to create a folder to store the SSL-related files as follows:
      mkdir <user_home>/<folder_name>
   For example, to create a folder called SSL, enter the following command:
      mkdir /usr/home/SSL
3. At the command prompt, enter the following command to generate the client key database in the SSL folder:
      <fullpath_to_the_gsk8capicmd_utility> -keydb -create -db "<database_name>" -pw "<password>" -stash
   where gsk8capicmd_64 is the GSKit command-line tool for 64-bit platforms. The -db parameter indicates the
   file name for the new key database. The -pw parameter indicates the password that protects the key
   database file. The -stash parameter tells GSKit to save the specified key database password
   locally in the .sth file. Use the -stash parameter to avoid entering the password again at the command prompt
   at a later stage.
   For example, enter the following command:
      ${IBM_GSK_HOME}/bin/gsk8capicmd_64 -keydb -create -db "mydbclient.kdb" -pw "myClientPassw0rd" -stash
Step 2. Install the Server SSL Certificate Within the Client
Enter the command for adding the DB2 server SSL certificate to the client key database as follows:
   <fullpath_to_the_gsk8capicmd_utility> -cert -add -db "<database_name>" -pw "<password>" -label "<label_name>" -file <Server_SSL_certificate_name> -format <format> -fips
where fips is the certified encryption type.
For example, enter the following command:
   ${IBM_GSK_HOME}/bin/gsk8capicmd_64 -cert -add -db "mydbclient.kdb" -pw "myClientPassw0rd" -label "myselfsignedClnt" -file mydbserver.arm -format ascii -fips
Step 3. Update the DBM Parameters of the Client
1. Update the DBM parameter with the client key database with the following command:
      db2 update dbm cfg using SSL_CLNT_KEYDB <USER_HOME>/SSL/mydbclient.kdb
   For example, enter the following command:
      db2 update dbm cfg using SSL_CLNT_KEYDB /usr/home/SSL/mydbclient.kdb
2. Update the DBM parameter with the client stash file with the following command:
      db2 update dbm cfg using SSL_CLNT_STASH <USER_HOME>/SSL/mydbclient.sth
   For example, enter the following command:
      db2 update dbm cfg using SSL_CLNT_STASH /usr/home/SSL/mydbclient.sth
Step 4. Catalog Database Information with Secure Communication
1. You can catalog the IBM DB2 host with the SSL port with the following command:
      db2 catalog tcpip node <node_name> remote <host_name> server <port> SECURITY SSL
   For example, you can enter the following command:
      db2 catalog tcpip node mydb2node remote dbhost.informatica.com server 60000 security SSL
   In the preceding command, mydb2node is the alias for the database host.
2. You can catalog the IBM DB2 database with the following command:
      db2 catalog database <database_name> as <database_alias> at node <node_name> authentication server
   For example, you can enter the following command:
      db2 catalog database db2v10db as mydb2db at node mydb2node authentication server
Step 5. Verify SSL Connectivity from the Client System to IBM DB2
You can optionally verify the SSL connectivity from the client machine to IBM DB2 with the following command:
   db2 connect to <database_alias> user <username> using <password>
For example, enter the following command:
   db2 connect to mydb2db user db2 using db2
Step 6. Configure IBM DB2 Connection from PowerCenter
1. Log in to the Workflow Manager.
2. Click Connections > Relational.
   The Relational Connection Browser dialog box appears.
3. Click New.
   The Select Subtype dialog box appears.
4. Select IBM DB2 from the Select Subtype list.
5. Click OK.
   The Connection Object Definition dialog box appears.
6. Enter the connection properties, such as user name and password. Verify that the connection string is the
   catalog entry for the database alias that you created, such as mydb2db.
7. Click OK.
   The database connection appears in the Relational Connection Browser list.
Select the IBM DB2 connection to run the mapping with secure communication in PowerCenter.
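The following check is an added example, not part of the original Informatica article or of IBM tooling. It reads the SSL_CLNT_KEYDB and SSL_CLNT_STASH values set in Step 3 from db2 get dbm cfg output and confirms that the key database and the stash file from Step 1 are accessible only to their owner. The function names and the "Description (PARAM_NAME) = value" line layout are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Informatica or IBM code. Checks the client key database
# and stash file that Steps 1-3 register in the DBM configuration.

# Print one DBM parameter value from `db2 get dbm cfg` text on stdin.
# Assumes the "Description (PARAM_NAME) = value" line layout.
dbm_cfg_value() {
    sed -e "/($1)/!d" -e "s/^.*($1)[[:space:]]*=[[:space:]]*//" \
        -e 's/[[:space:]]*$//'
}

# Succeed only if the file exists and grants nothing to group or others.
# Anyone who can read both the .kdb and the .sth file can open the key
# database without knowing the password.
owner_only() {
    [ -f "$1" ] || return 1
    [ "$(ls -ldL -- "$1" | cut -c5-10)" = "------" ]
}

# Read `db2 get dbm cfg` text on stdin; report each finding and return the
# number of problems (0 means both files are set and owner-only).
audit_client_ssl() {
    cfg=$(cat)
    problems=0
    for param in SSL_CLNT_KEYDB SSL_CLNT_STASH; do
        path=$(printf '%s\n' "$cfg" | dbm_cfg_value "$param")
        if [ -z "$path" ]; then
            echo "FAIL $param is not set"
            problems=$((problems + 1))
        elif ! owner_only "$path"; then
            echo "FAIL $param=$path is missing or open to group/others"
            problems=$((problems + 1))
        else
            echo "OK   $param=$path"
        fi
    done
    return "$problems"
}

# Run against the live client configuration when the db2 CLI is on PATH.
if command -v db2 >/dev/null 2>&1; then
    db2 get dbm cfg | audit_client_ssl || echo "restrict with: chmod 600 <file>"
fi
```

Run it as the user that owns the DB2 client instance, after Step 3 and before the connection is used from PowerCenter.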
Authors
Anju Andrews
Lead QA Engineer
Sujitha Alexander
Technical Writer