Secure IBM i with JDBC over SSL
The focus on security in IT environments continues to grow each year. Pressure to adequately secure sensitive business data is constantly reinforced by many factors such as legislative requirements (HIPAA, SOX), security standards (PCI DSS), news articles on data breaches that ruin a company's reputation, and more. Consequently, businesses focus heavily on securing the data in their DB environments by defining and implementing security policies that control who is and is not authorized to sensitive data. An area of security sometimes overlooked is the connection between a JDBC client and server. If the JDBC connection is not properly secured, a breach of sensitive data can occur within the IT environment. One solution is to utilize JDBC over Secure Sockets Layer (SSL)/Transport Layer Security (TLS).
This article provides the basic steps to configure the IBM Developer Kit for Java JDBC driver (Native) or the IBM Toolbox for Java JDBC driver (Toolbox) to utilize an SSL connection. The environment consists of one IBM i where the database resides (server) and another IBM i where the program runs (client).
IBM i Requirements
For an IBM i product to communicate over SSL as a server or as a client, it must be running IBM i 5.4 or later and have the following applications installed:
|Digital Certificate Manager
|5770-SS1 Option 34
|IBM TCP/IP Connectivity Utilities for i
(Base TCP/IP support)
|IBM HTTP Server for i (for access to Digital Certificate Manager)
After installation, start the *ADMIN HTTP server using
STRTCPSVR SERVER(*HTTP) HTTPSVR(*ADMIN)
To communicate over SSL as a client on a release prior to V7R1M0, reference the IBM i InfoCenter for a list of the required PTFs.
Setting Up Digital Certificates on IBM i
Digital Certificate Manager (DCM) lets you manage digital certificates for your network and use SSL to enable secure communications for many applications. A digital certificate is an electronic credential that you can use to establish proof of identity in an electronic transaction. DCM lets you manage certificates that you obtain from any Certificate Authority (CA). If you choose to use a default trusted CA, you don’t need to create your own CA, nor export/import the CA certificate between the server and client.
In this example, we use DCM to create and operate our own local CA to sign certificates. Note that the profile accessing DCM needs to have *SECADM and *ALLOBJ authority. Reference Digital Certificate Manager for more detailed information.
When setting up certificates for the Native JDBC driver, the steps listed below must be done on both the server and client systems. If you’re using the Toolbox JDBC driver, the steps must be done on the server system only.
- Open a Web browser and enter http://your_system:2001/ to load the IBM System Director Navigator for i5/OS Web console. From the welcome page, take the “IBM i Tasks Page” link and select “Digital Certificate Manager.”
- Use the “Create New Certificate Store” link to create the *SYSTEM certificate store. Specify “No - Do not create a certificate in the certificate store.” If *SYSTEM is not listed, a certificate store already exists on your system. In that case, skip to step 4.
- Use the “Create a Certificate Authority (CA)” link to create a CA. When you get to the step regarding the *OBJECTSIGNING store, click “Cancel” so the store isn’t created.
- Use the “Select a Certificate Store” button to open the *SYSTEM Certificate Store.
- Select the “Manage Certificates>View certificate” links to ensure the CA has LOCAL_CERTIFICATE_AUTHORITY listed.
- Use the “Create Certificate” link to create a Server or client certificate. Use the “Local Certificate Authority (CA)” button to sign the certificate and assign the certificate to the following servers:
- Native: i5/OS DDM/DRDA Server - TCP/IP application
- Toolbox: Database Server, Signon Server
NOTE: If the Local CA isn’t listed, you may need to log out of DCM and log back in for recent changes to appear.
- Use the “Export certificate” link to export the CA to a file. Specify a name of /tmp/certServer.arm (on the server) and /tmp/certClient.arm (on the client).
- Continue to the following appropriate section for either the Native JDBC driver or the Toolbox JDBC driver.