
Easier Setup of Db2 Native Encryption and SSL During SAP System Installation and Copy

Db2 native encryption has been available since IBM Db2 10.5 Fix Pack 5, and encrypted SSL communication has been possible since IBM Db2 9.7. Until now, however, setting up native encryption and encrypted SSL communication involved quite a number of manual steps. This has changed with the availability of software provisioning manager (SWPM) 1.0 SP26, which you can use for SAP system installation and copy on IBM Db2. Let me share a few details about what has improved.

About Db2 Native Encryption and Encrypted SSL Communication

If you haven’t used encryption with Db2 so far, here are just a few words about how it works:

As of IBM Db2 9.7, you can encrypt the communication between an SAP application server and an IBM Db2 for Linux, UNIX, and Windows database using SSL.

IBM Db2 10.5 Fix Pack 5 added native database encryption to the Db2 database server. With native database encryption, the database system itself encrypts the data before it calls the underlying file system to write it to disk. This protects not only your current data, but also data in tablespaces or tablespace containers that you might add in the future.

What’s New?

As of SL Toolset 1.0 SPS 26 (Software Provisioning Manager 1.0 SP 26), you can set up Db2 native encryption for IBM Db2 10.5 Fix Pack 5 and higher, and SSL connections for the client-server communication for Db2 10.5 Fix Pack 10 and higher, during SAP system installation and system copy.

Note that setting up SSL communication via SWPM is only available if you’re using AS ABAP. SWPM doesn’t support SSL in AS Java environments.

The installation wizard asks you whether you want to implement encryption:

After you have chosen to set up the encryption features in the dialog above, the software provisioning manager takes away some of the painful steps that you had to perform manually before. Depending on what you’ve selected, in various dialogs you’re prompted to enter data such as:

  • The type of keystore you’re using (centralized or local)
  • The path to your local keystore files
  • Required values for the keystore configuration file parameters
  • The key manager product you’re using
  • Encryption passwords
  • Master key labels
  • The encryption standard algorithm and key length for encrypting the database (AES or 3DES)
  • The label for the self-signed certificate used for SSL communication

The individual steps in the installation wizard each contain additional information and explanations about the different options you can choose. For example, with this dialog window, you enter the directory where you want to store your local keystore files:

At the end, as usual in the software provisioning manager, you get a summary with all your selections at a glance.

So, for new system installations and for system copies, setting up native database encryption and encrypted SSL communication has become a lot easier. Only for existing systems do you still have to do it manually, as described here and here (or, if you decide to skip the encryption options in SWPM, you're free to set it all up manually later, of course).
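Whichever way the encryption was set up, it is worth checking afterwards that the instance really carries the settings the wizard asked for. The following is an added example, written for this article and not part of SWPM or Db2: it parses captured `db2 get dbm cfg` and `db2 get db cfg` output and reports what is missing. KEYSTORE_TYPE, KEYSTORE_LOCATION, SSL_SVR_KEYDB, SSL_SVR_STASH, SSL_SVR_LABEL and SSL_SVCENAME are the real database manager configuration parameters behind the wizard prompts; the sample output, paths, labels and port number are constructed, and the line layout is assumed from typical db2 output.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed excerpt of `db2 get dbm cfg` output as it might look after an
// installation with native encryption and SSL enabled. Paths, labels and the
// port number are invented for this example.
const sampleDbmCfg = `
 Keystore type                           (KEYSTORE_TYPE) = PKCS12
 Keystore location                   (KEYSTORE_LOCATION) = /db2/db2xyz/keystore/sapdb2xyz.p12
 SSL server keydb file                   (SSL_SVR_KEYDB) = /db2/db2xyz/ssl/sapdb2ssl.p12
 SSL server stash file                   (SSL_SVR_STASH) = /db2/db2xyz/ssl/sapdb2ssl.sth
 SSL server certificate label            (SSL_SVR_LABEL) = SAPDB2XYZ_SSL
 SSL service name                         (SSL_SVCENAME) = 5912
`

// Constructed excerpt of `db2 get db cfg` output for an encrypted database.
const sampleDbCfg = `
 Encrypted database                                      = YES
`

// cfgLine matches "Description (PARAMETER) = value" lines.
var cfgLine = regexp.MustCompile(`\(([A-Z0-9_]+)\)\s*=\s*(.*)$`)

// encryptedDB matches the db cfg line that flags a natively encrypted database.
var encryptedDB = regexp.MustCompile(`(?m)^\s*Encrypted database\s*=\s*YES\s*$`)

// ParseCfg extracts PARAMETER=value pairs from db2 configuration output.
func ParseCfg(out string) map[string]string {
	cfg := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		if m := cfgLine.FindStringSubmatch(sc.Text()); m != nil {
			cfg[m[1]] = strings.TrimSpace(m[2])
		}
	}
	return cfg
}

// IsDatabaseEncrypted reports whether db cfg output marks the database as encrypted.
func IsDatabaseEncrypted(dbCfgOut string) bool {
	return encryptedDB.MatchString(dbCfgOut)
}

// CheckEncryptionSetup returns one finding per missing or unexpected setting.
// An empty result means the keystore parameters (and, if wanted, the SSL
// parameters) the wizard prompts for are all present.
func CheckEncryptionSetup(dbmCfgOut, dbCfgOut string, wantSSL bool) []string {
	cfg := ParseCfg(dbmCfgOut)
	var findings []string
	switch cfg["KEYSTORE_TYPE"] {
	case "PKCS12", "KMIP": // local PKCS#12 file or centralized key manager
	default:
		findings = append(findings, "KEYSTORE_TYPE is neither PKCS12 nor KMIP")
	}
	if cfg["KEYSTORE_LOCATION"] == "" {
		findings = append(findings, "KEYSTORE_LOCATION is empty")
	}
	if !IsDatabaseEncrypted(dbCfgOut) {
		findings = append(findings, "database is not marked as encrypted")
	}
	if wantSSL {
		for _, p := range []string{"SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVR_LABEL", "SSL_SVCENAME"} {
			if cfg[p] == "" {
				findings = append(findings, p+" is not set")
			}
		}
	}
	return findings
}

func main() {
	for _, f := range CheckEncryptionSetup(sampleDbmCfg, sampleDbCfg, true) {
		fmt.Println("finding:", f)
	}
	fmt.Println("parameters parsed:", len(ParseCfg(sampleDbmCfg)))
}
```

Feed it the real command output captured as the instance owner. The check covers the configuration parameters only; for SSL you additionally need the DB2COMM registry variable to include SSL, which this example does not verify.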

What Else Do You Need to Know?

The encryption keys with which user data is encrypted (the data encryption keys) are protected by a master key, also called a key-encrypting key, that is stored in a keystore. The data encryption keys are stored and managed by the database, but the master keys and certificates for Db2 native encryption and SSL communication are stored and managed outside the database in a PKCS#12 keystore.

Be careful and make sure you have a backup strategy for your keystore and its password. If you lose the password, the keystore cannot be opened, master keys cannot be retrieved, and the encrypted data becomes inaccessible; the same is true if the keystore file itself is lost without a backup.
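To make the two-level key hierarchy and the consequence of a lost keystore concrete, here is an added example written for this article. It is not IBM code and does not claim to show how Db2 implements native encryption internally: the keystore is an in-memory map standing in for the PKCS#12 file, AES-256-GCM stands in for the wrapping and data encryption, and the label SAPDB2MK1 is constructed. It goes one step beyond the paragraph by also showing master key rotation, which is the reason for the hierarchy: only the small wrapped data encryption key is re-encrypted, not the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Keystore stands in for the external PKCS#12 keystore: master keys
// (key-encrypting keys) by label. Kept in memory here so the example runs alone.
type Keystore map[string][]byte

// EncryptedDB is what the database itself persists: the data encryption key
// (DEK) wrapped by a master key, that key's label, and the encrypted user data.
type EncryptedDB struct {
	MasterKeyLabel string
	WrappedDEK     []byte
	Ciphertext     []byte
}

// randomBytes returns n bytes from the OS CSPRNG, used for keys and nonces.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// newGCM builds an AES-GCM AEAD; callers guarantee a valid AES key length.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // never fails: AES has the 128-bit block GCM needs
	return aead
}

// seal encrypts plaintext under key; the random nonce is prepended to the output.
func seal(key, plaintext []byte) []byte {
	aead := newGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, plaintext, nil)
}

// open reverses seal; it fails on a wrong key or a tampered ciphertext.
func open(key, sealed []byte) ([]byte, error) {
	aead := newGCM(key)
	ns := aead.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], nil)
}

// CreateEncryptedDB generates a random AES-256 DEK, encrypts the user data with
// it, and wraps the DEK under the master key selected by label.
func CreateEncryptedDB(ks Keystore, label string, data []byte) (*EncryptedDB, error) {
	mk, ok := ks[label]
	if !ok {
		return nil, fmt.Errorf("master key %q not found in keystore", label)
	}
	dek := randomBytes(32)
	return &EncryptedDB{MasterKeyLabel: label, WrappedDEK: seal(mk, dek), Ciphertext: seal(dek, data)}, nil
}

// OpenEncryptedDB unwraps the DEK with the master key and decrypts the data.
// Without the keystore (lost file or password) the DEK, and so the data, is gone.
func OpenEncryptedDB(ks Keystore, db *EncryptedDB) ([]byte, error) {
	mk, ok := ks[db.MasterKeyLabel]
	if !ok {
		return nil, fmt.Errorf("master key %q not available: data is inaccessible", db.MasterKeyLabel)
	}
	dek, err := open(mk, db.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, db.Ciphertext)
}

// RotateMasterKey re-wraps the DEK under another master key from the same
// keystore. Only the wrapped DEK changes; the user data is not re-encrypted.
func RotateMasterKey(ks Keystore, db *EncryptedDB, newLabel string) error {
	oldMK, newMK := ks[db.MasterKeyLabel], ks[newLabel]
	if oldMK == nil || newMK == nil {
		return fmt.Errorf("master keys %q and %q must both be in the keystore", db.MasterKeyLabel, newLabel)
	}
	dek, err := open(oldMK, db.WrappedDEK)
	if err != nil {
		return err
	}
	db.WrappedDEK, db.MasterKeyLabel = seal(newMK, dek), newLabel
	return nil
}
```

Calling OpenEncryptedDB with an empty Keystore is the situation the warning above describes: the ciphertext and the wrapped DEK are still on disk, but nothing can unwrap the DEK, so the data stays unreadable. That is why the keystore and its password belong in the same backup and recovery plan as the database itself.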

Where’s More Information?

For more details, see Planning Your Encryption Strategy in the installation guide relevant for your release, for example, here. Also check out Overview of Db2 native encryption in the IBM Knowledge Center (IBM website).
