While configuring/troubleshooting a Db2 LUW server in a setup with encrypted connections, we need methods to identify the encryption status and ciphers used.
E.g. a Db2 client is connecting to a Db2 LUW server: I have no means to verify which TLS cipher was negotiated and whether TLS 1.1, SSL, or TLS 1.2 was used.
In MON_GET_CONNECTION I just get SSL4 in the column CLIENT_PROTOCOL, but I cannot see what level/port was used.
We would need a db2diag.log or notification log entry for the connection type and the cipher negotiated.
If I use the simpler AUTHENTICATION=SERVER_ENCRYPT, I cannot see which connection complies or which is using ALTERNATE_AUTH_ENC.
The same issue appears with Db2 Connect servers to host connections. I can only see on Db2 for z/OS whether the Db2 LUW server is using a secured connection.
At least, if Db2 is delegating all of this to GSKit, there should be a documented way to retrieve this information via GSKit.
Who would benefit from this IDEA?
All Db2 LUW customers configuring and verifying encrypted connections.
How should it work?
The preferred solution would be visibility in MON_GET_CONNECTION.
The second option would be a message in the notification log or db2diag.log at verbosity level 3 or 4.
The minimal option would be a connection trace or a dump via GSKit.
Priority Justification
Ranked medium, as it becomes more and more important to have secured connections and to verify that the strong ciphers really get used.
Client Name
An IBM Champion for his customers