Using Fortanix Data Security Manager with IBM Db2

1.0 Introduction

This article describes how to integrate Fortanix Data Security Manager (DSM) with IBM Db2 using KMIP.

IBM Db2® is a family of hybrid data management products offering a complete suite of AI-empowered capabilities designed to help you manage both structured and unstructured data on-premises as well as in private and public cloud environments. Db2 is built on an intelligent common SQL engine designed for scalability and flexibility.

It also contains the information that a user requires for:

  • Configuration on IBM Db2

  • Rotating the master key in Fortanix DSM with Db2

2.0 Why use Fortanix DSM with IBM Db2?

Db2® native encryption uses a two-tier approach to data encryption. Data is encrypted with a Data Encryption Key (DEK), which is in turn encrypted with a Master Key (MK). The encrypted DEK is stored with the data, while the MK is stored in a keystore external to Db2.

Db2 native encryption ensures that the DEK is never exposed outside of the encrypted database, transaction log, or backup file. There are no interfaces provided to access the DEK in either its clear text or encrypted form. As the MK is stored in a different location from the encrypted data, the chance of the encrypted DEK being concurrently exposed with the MK used to encrypt it is very unlikely. Since the risk of the DEK being exposed is extremely low, the need to rotate it is negligible. The rotation of the MK, which is used to protect the DEK, can be done efficiently without the need to decrypt and re-encrypt the data.

The Db2 database system supports SSL, which means that a Db2 client application that also supports SSL can connect to a Db2 database by using an SSL socket. CLI, CLP, and .NET Data Provider client applications and applications that use the IBM® Data Server Driver for JDBC and SQLJ (type 4 connections) support SSL.

3.0 Prerequisites

Ensure the following:

  • Fortanix DSM

  • IBM Db2 11.5 or higher

  • Access to create a certificate for the KMIP Server

4.0 Configure Fortanix DSM

A Fortanix DSM service must be configured, and the URL must be accessible. To create a Fortanix DSM account and group, refer to the following sections:

4.1 Signing Up

To get started with the Fortanix DSM cloud service, you must register an account at <Your_DSM_Service_URL>. For example, https://eu.smartkey.io.

For detailed steps on how to set up the Fortanix DSM, refer to the User's Guide: Sign Up for Fortanix Data Security Manager SaaS documentation.

4.2 Creating an Account

Access <Your_DSM_Service_URL> in a web browser and enter your credentials to log in to Fortanix DSM.

Figure 1: Logging in

For more information on how to set up an account in Fortanix DSM, refer to the User's Guide: Getting Started with Fortanix Data Security Manager - UI.

4.3 Creating a Group

Perform the following steps to create a group in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Groups menu item, and then click the + button to create a new group.

    Figure 2: Add groups

  2. On the Adding new group page, do the following:

    1. Title: Enter a name for your group.

    2. Description (optional): Enter a short description of the group.

  3. Click SAVE to create the new group.

The new group is added to the Fortanix DSM successfully.

4.4 Creating an Application

Perform the following steps to create an application (app) in the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the + button to create a new app.

    Figure 3: Add application

  2. On the Adding new app page, do the following:

    1. App name: Enter the name for your application.

    2. ADD DESCRIPTION (optional): Enter a short description of the application.

    3. Authentication method: Select the default API Key as the authentication method from the drop-down menu. For more information on these authentication methods, refer to the User's Guide: Authentication.

    4. Assigning the new app to groups: Select the group created in Section 4.3: Creating a Group from the list.

  3. Click SAVE to add the new application.

The new application is added to the Fortanix DSM successfully.

4.5 Copying the App UUID

Perform the following steps to copy the app UUID from the Fortanix DSM:

  1. In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

  2. From the top of the app’s page, click the copy icon next to the app UUID to copy it. It is used in Section 5.1: Create Folders for Certificates and Configuration File as the value of Common Name (CN) when generating the self-signed certificate and private key.

5.0 Configuration on IBM Db2

5.1 Create Folders for Certificates and Configuration File

Perform the following steps to create the folder for certificates and configuration files:

  1. Log in to the IBM Db2 machine as the DB user.

    Figure 4: Login to IBM Db2 as a DB user

  2. Create the following two folders:

    1. KMIP: to store the configuration files.

    2. SDKMS_Certs: to store the certificates.

  3. Change directory to SDKMS_Certs and run the following command to generate a self-signed certificate:

    openssl req -newkey rsa:2048 -nodes -keyout private.key -x509 -days 365 -out certificate.crt

    Figure 5: Create self-signed certificate

    Figure 6: Certificate generated

5.2 Updating the Authentication Method

Perform the following steps to change the authentication method:

  1. Go to the detailed view of the app created in Section 4.4: Creating an Application, click Change authentication method, and select the Certificate option to change the authentication method to Certificate.

  2. Click SAVE.

  3. On the Add certificate dialog box, click UPLOAD NEW CERTIFICATE to upload the certificate file or paste the content of the certificate generated in Section 5.1: Create Folders for Certificates and Configuration File.

  4. Select both check boxes to confirm your understanding of the action.

  5. Click UPDATE to save the changes.

5.3 Updating the Certificate in Fortanix DSM

Perform the following steps to update the certificate in the authentication method:

  1. Change the configuration from the default REST API to KMIP.

  2. Import the private key and certificate into the SSL keystore. You must combine the private key and certificate into one file.

    NOTE

    • The certificate should come first, followed by the private key.

    • Label this entry; it will be used in the KMIP configuration file. Make a note of the label.

    • Adjust the path of the sdkms.pem file based on your setup.

    cat certificate.crt private.key > sdkms.pem

    Figure 7: Combine cert and private key

  3. Run the following commands to verify that the private key matches the certificate; the two MD5 hashes of the modulus must be identical:

    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl rsa -noout -modulus -in private.key | openssl md5

5.4 Create the SDKMS-KMIP.P12 and Stashed File

Run the following command to create the .p12 and stashed file:

gsk8capicmd_64 -keydb -create -db "sdkms-kmip.p12" -pw "sdkms-kmip.pWd" -type pkcs12 -stash

If you get an error that the gsk8capicmd_64 command is not found, export the GSKit library and binary paths from sqllib.

Linux Environments:

export LD_LIBRARY_PATH=$HOME/sqllib/lib64/gskit:$LD_LIBRARY_PATH
export PATH=$HOME/sqllib/gskit/bin:$PATH

Re-run the above command to create the .p12 and stash files.

Figure 8: Create .p12 and stash file

The sdkms-kmip.p12 and sdkms-kmip.sth files are created.

5.5 Add Client Certificate and Key to SSL Keystore

Perform the following steps to add a client certificate and key to the SSL keystore:

  1. Run the following command to add the client certificate and key to the SSL keystore:

    gsk8capicmd_64 -cert -add -db "sdkms-kmip.p12" -stashed -label "sdkms_app_cert" -file "sdkms.pem"

  2. Obtain the CA certificate from your Fortanix DSM installation and copy it to a file named CA.pem. If the CA certificate is part of a chain, copy the complete chain, including the DSM TLS certificate, into the CA.pem file. You can download the chain from the Fortanix DSM UI by navigating to the DSM URL and viewing the certificates.

  3. Run the following command in the IBM shell to create the CA.pem file:

    touch CA.pem

  4. Open CA.pem in vi and paste the certificate information. The CA.pem file will contain the following:

    • DSM certificate

    • Intermediate CA certificate (if available)

    • Root CA certificate

      Figure 9: Output of CA.pem

5.6 Import CA Certificate into SSL Keystore

Run the following command to import CA Certificate into the SSL keystore:

gsk8capicmd_64 -cert -add -db "sdkms-kmip.p12" -stashed -label "trustedCA" -file CA.pem

5.7 List Certificate in the Keystore

Run the following command to list and verify the certificate in your keystore:

gsk8capicmd_64 -cert -list -db sdkms-kmip.p12 -stashed

Figure 10: List certificates

Create a KMIP configuration file in the KMIP folder. The following is a sample kmip.cfg configuration file:

VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=/database/config/db2inst1/SDKMS_Certs/sdkms-kmip.p12
SSL_KEYDB_STASH=/database/config/db2inst1/SDKMS_Certs/sdkms-kmip.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=sdkms_app_cert
MASTER_SERVER_HOST=<fortanix_dsm_hostname>
MASTER_SERVER_KMIP_PORT=5696

Figure 11: Create a KMIP config file

NOTE

  • Update the path of SSL_KEYDB and SSL_KEYDB_STASH based on your setup.

  • Ensure that SSL_KMIP_CLIENT_CERTIFICATE_LABEL matches the label you used for the keystore entry.

  • Set MASTER_SERVER_HOST to the hostname of your Fortanix DSM cluster.
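The checks in the NOTE above and the certificate-first rule from Section 5.3 can be run as a pre-flight script before db2start. The following is an added example, not Fortanix or IBM code: it reads a kmip.cfg, the sdkms.pem bundle and the saved text output of gsk8capicmd_64 -cert -list; the sample inputs it writes to a temporary directory are constructed (placeholder PEM bodies, the hostname dsm.example.internal).

```shell
# Pre-flight checks for the Db2/Fortanix DSM KMIP setup. Added example, not
# Fortanix or IBM code; file layouts and sample values below are constructed.
# cfg_get FILE KEY: value of KEY=value in kmip.cfg, trailing blanks/tabs stripped.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) }
        END { gsub(/[ \t\r]+$/, "", v); print v }' "$1"
}

# pem_order_ok FILE: the NOTE in 5.3 requires the certificate first, then the private key.
pem_order_ok() {
    c=$(grep -n -- '-----BEGIN CERTIFICATE-----' "$1" | head -n 1 | cut -d: -f1)
    k=$(grep -n -- '-----BEGIN .*PRIVATE KEY-----' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" -lt "$k" ]
}

# keystore_has_personal LISTFILE LABEL: the client entry must be "-" (personal, cert + key);
# a "!" (trusted-only) entry under that label cannot authenticate the instance to DSM.
keystore_has_personal() {
    grep -Eq "^-[[:space:]]+$2[[:space:]]*$" "$1"
}

# keystore_has_trusted LISTFILE: without a "!" entry the DSM TLS chain cannot be verified.
keystore_has_trusted() {
    grep -Eq '^![[:space:]]+' "$1"
}

# check_kmip_cfg CFG LISTFILE: cross-check kmip.cfg against the saved output of
# "gsk8capicmd_64 -cert -list"; prints each failure and returns non-zero on any.
check_kmip_cfg() {
    rc=0
    for key in VERSION PRODUCT_NAME SSL_KEYDB SSL_KEYDB_STASH \
            SSL_KMIP_CLIENT_CERTIFICATE_LABEL MASTER_SERVER_HOST MASTER_SERVER_KMIP_PORT; do
        [ -n "$(cfg_get "$1" "$key")" ] || { echo "missing $key"; rc=1; }
    done
    case "$(cfg_get "$1" SSL_KEYDB)" in *.p12) ;; *) echo "SSL_KEYDB is not a .p12 file"; rc=1 ;; esac
    case "$(cfg_get "$1" SSL_KEYDB_STASH)" in *.sth) ;; *) echo "SSL_KEYDB_STASH is not a .sth file"; rc=1 ;; esac
    case "$(cfg_get "$1" MASTER_SERVER_HOST)" in
        *://*|\<*) echo "MASTER_SERVER_HOST must be a bare hostname, not a URL or placeholder"; rc=1 ;;
    esac
    case "$(cfg_get "$1" MASTER_SERVER_KMIP_PORT)" in
        ''|*[!0-9]*) echo "MASTER_SERVER_KMIP_PORT is not numeric"; rc=1 ;;
    esac
    label=$(cfg_get "$1" SSL_KMIP_CLIENT_CERTIFICATE_LABEL)
    keystore_has_personal "$2" "$label" || { echo "label '$label' is not a personal entry in the keystore"; rc=1; }
    keystore_has_trusted "$2" || { echo "no trusted CA entry in the keystore"; rc=1; }
    return $rc
}

# Constructed sample inputs (placeholder PEM bodies, not real key material).
demo=$(mktemp -d)
cat > "$demo/kmip.cfg" <<'EOF'
VERSION=1
PRODUCT_NAME=OTHER
SSL_KEYDB=/database/config/db2inst1/SDKMS_Certs/sdkms-kmip.p12
SSL_KEYDB_STASH=/database/config/db2inst1/SDKMS_Certs/sdkms-kmip.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=sdkms_app_cert
MASTER_SERVER_HOST=dsm.example.internal
MASTER_SERVER_KMIP_PORT=5696
EOF
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' '-----END CERTIFICATE-----' \
    '-----BEGIN PRIVATE KEY-----' 'constructed' '-----END PRIVATE KEY-----' > "$demo/sdkms.pem"
printf '%s\n' 'Certificates found' '* default, - personal, ! trusted, # secret key' \
    '!       trustedCA' '-       sdkms_app_cert' > "$demo/keystore.txt"
check_kmip_cfg "$demo/kmip.cfg" "$demo/keystore.txt" && pem_order_ok "$demo/sdkms.pem" && echo "pre-flight OK"
```

Point the three paths at your real KMIP folder, SDKMS_Certs folder and a file produced by `gsk8capicmd_64 -cert -list -db sdkms-kmip.p12 -stashed > keystore.txt` to run it against a live setup.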

5.8 Configure a Db2 Instance to Use a Keystore

Perform the following steps to configure a Db2 instance to use a keystore:

  1. Set two database manager configuration parameters: keystore_type and keystore_location.

  2. Run the following command to set the keystore_type to KMIP for centralized keystore and the keystore_location to the absolute path of the keystore configuration file:

    db2 update dbm cfg using keystore_location /mnt/blumeta0/home/db2inst1/KMIP/kmip.cfg keystore_type kmip

    Figure 12: Set keystore type and location

  3. Run the following command to restart the Db2 instance for the changes to take effect:

    db2stop
    db2start

    Figure 13: Start and stop the Db2

  4. Run the following command to verify the Db2 database manager configuration. Check the values of the keystore type and keystore location:

    db2 get dbm cfg

    Figure 14: Verify database manager configuration

5.9 Renewing the Fortanix DSM Db2 App Certificate

Perform the following steps to renew the Fortanix DSM Db2 app certificate:

  1. Run the following command using the existing private key to renew the certificate:

    openssl req -key private.key -new -x509 -days 700 -out renewcertificate.crt

    Figure 15: Renew certificate

    Figure 16: Certificate generated

  2. In the DSM left navigation panel, click the Apps menu item, and click the app created in Section 4.4: Creating an Application to go to the detailed view of the app.

  3. In the INFO tab, click UPDATE to upload a new certificate.

    Figure 17: Update application authentication to certificate

  4. Run the following command to import the private key and certificate into the SSL key store. Combine the private key and certificate into one file:

    cat renewcertificate.crt private.key > sdkms.pem

  5. Optional - Run the following commands to verify that the private key matches both the original and the renewed certificate; all three MD5 hashes of the modulus must be identical:

    openssl x509 -noout -modulus -in certificate.crt | openssl md5
    openssl x509 -noout -modulus -in renewcertificate.crt | openssl md5
    openssl rsa -noout -modulus -in private.key | openssl md5

  6. Optional - Run the following command to remove the existing sdkms.pem entry from the current p12 file:

    gsk8capicmd_64 -cert -delete -db "sdkms-kmip.p12" -stashed -label "sdkms_app_cert"

  7. Run the following command to add the client certificate and key to the SSL keystore:

    gsk8capicmd_64 -cert -add -db "sdkms-kmip.p12" -stashed -label "sdkms_app_cert" -file "sdkms.pem"

    NOTE

    The database should be able to communicate with Fortanix DSM using the new certificate. The db2stop and db2start commands may be needed to apply the changes.

  8. Run the following command to delete the existing trusted CA entry (imported from CA.pem) from the p12 file:

    NOTE

    Re-importing a CA certificate is an optional step and is only needed if the Fortanix DSM CA certificate has changed.

    gsk8capicmd_64 -cert -delete -db "sdkms-kmip.p12" -stashed -label "trustedCA"

  9. Run the following command to list and verify the certificates in your keystore:

    gsk8capicmd_64 -cert -list -db sdkms-kmip.p12 -stashed

5.10 Updating Certificate in IBM Db2 Keystore

Perform the following steps to update the certificate in IBM Db2 keystore:

  1. Run the following command to verify the certificate in the IBM Db2 keystore:

    gsk8capicmd_64 -cert -list -db sdkms-kmip.p12 -stashed

    Output:

    [db2inst1@2407b7a6943b SDKMS_Certs]$ gsk8capicmd_64 -cert -list -db sdkms-kmip.p12 -stashed
    Certificates found
    * default, - personal, ! trusted, # secret key
    !       CN= <fortanix_dsm_url>
    !       "CN=R3,O=Let's Encrypt,C=US"
    !       trustedCA
    -       sdkms_app_cert
    [db2inst1@2407b7a6943b SDKMS_Certs]$

  2. Run the following command to create a new CSR request:

    gsk8capicmd_64 -certreq -recreate -db sdkms-kmip.p12 -stashed -label "sdkms_app_cert" -target new_cert_request.csr

  3. Sign: Send the resulting new_cert_request.csr to be signed by the original Certificate Authority (CA).

  4. Receive: After the signed certificate has been returned (assuming you received it as new_cert_signed.csr), receive it back into your server keystore:

    gsk8capicmd_64 -cert -receive -db sdkms-kmip.p12 -stashed -file new_cert_signed.csr

  5. Verify: Verify the new dates on the received certificate:

    gsk8capicmd_64 -cert -details -label "sdkms_app_cert" -db sdkms-kmip.p12 -stashed

  6. Restart: For the new certificate to take effect, the Db2 server instance must be restarted:

    db2stop
    db2start

5.11 Create an Encrypted Database

Run the following command to create an encrypted database:

db2 create db mydb1 encrypt

Figure 18: Create encrypted database

In the DSM left navigation panel, click the Security Objects menu item to view the master key created in Fortanix DSM.

Figure 19: Master key created

In the DSM left navigation panel, click the Apps menu item, and click the app created in Section 4.4: Creating an Application to go to the detailed view of the app and view the logs.

Figure 20: Activity logs

If you encounter an error in your environment, troubleshoot certificate and network-related issues to ensure successful communication with the Fortanix DSM.

6.0 Rotating Master Keys in Fortanix DSM with IBM Db2

Rotating your encryption keys is part of a complete security policy, and, as with passwords, how often to rotate them is a controversial topic. This section is intended to give you the information to make an informed decision about how and when to rotate your encryption keys. The focus is on the keys that protect your data at rest; SSL certificates are not discussed.

IBM Db2 native encryption uses a 2-tier approach to data encryption where the data is encrypted with a Data Encryption Key (DEK) and the DEK itself is encrypted with a Master Key (MK). The encrypted DEK is stored with the data while the MK is stored in a keystore external to Db2.

As the master key is stored outside of the database manager, the requirement and frequency to rotate the master key depend on the type of keystore in use and the protections it provides. A local keystore file is protected by a password and operating system file permissions; however, it is owned by the Db2 instance owner, which is often a shared service account. In such an environment, a policy of rotating the master key on a regular basis would be natural. At the other extreme, master keys protected by Hardware Security Modules (HSMs) require much less rotation, if any: they never leave the secure confines of the hardware device, and strong controls exist to prevent the key from being extracted. Master keys accessed from a KMIP server fall somewhere in the middle. Strong controls exist within the KMIP server to authorize who has access to the master keys and to audit their usage; however, these servers are often deployed as software running on a traditional operating system and are only as secure as the environment in which they are deployed. On the other hand, there are secure HSMs that offer KMIP interfaces. A key rotation schedule should therefore follow from the security hardening of the KMIP server and the environment in which it is deployed.

Db2 provides routine SYSPROC.ADMIN_ROTATE_MASTER_KEY() to rotate the database master key to a new value. This operation decrypts the database DEK and re-encrypts it with the new master key.

The 2-tier approach ensures that the key used to encrypt the data, the DEK, is never exposed outside of the encrypted database, transaction log, or backup, and no interfaces exist within Db2 to access the DEK. Since the MK is stored in a different location from the encrypted data, concurrent exposure of the encrypted data and the MK is much less likely, again reducing risk. Finally, since the DEK is not exposed, there is little reason to rotate it, and rotation of the MK used to protect the DEK can be done efficiently without the need to decrypt and re-encrypt the data itself.

6.1 Rotating Keys in Db2

Perform the following steps to rotate the key in IBM Db2:

  1. Run the following command to list your DB directory:

    db2 list db directory

    Figure 21: List DB directory

  2. Run the following command to connect to the database:

    db2 connect to mydb1

    Figure 22: Connect DB

  3. Run the following command to check the encryption information:

    db2 "select * from table(sysproc.admin_get_encryption_info())"

    Figure 23: Check encryption info

  4. Run the following command to rotate the master key from Db2:

    db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)"

    Figure 24: Rotate master key

  5. Once the key is rotated, check on the Fortanix DSM side that the master key has been rotated.

    In the DSM left navigation panel, click the Apps menu item, and then click the app created in Section 4.4: Creating an Application to find a new key created in Fortanix DSM.

    Figure 25: Check in Fortanix DSM

7.0 Backup and Restore Encrypted Database

Perform the following steps:

  1. Run the following command to take backup of the database:

    db2 backup database mydb1

    Where mydb1 is the database that is encrypted with keys in Fortanix DSM.

  2. Move the backup file generated to the destination server.

  3. On the destination server, configure Fortanix DSM integration for the new Db2 instance as described in Section 4.4: Creating an Application to Section 5.8: Configure a Db2 Instance to Use a Keystore. This will be a new configuration with a new app.

    NOTE

    The app must be created under the same group as earlier.

  4. Run the following command to restore the backup of the encrypted database mydb1:

    db2 restore db mydb1 encrypt

  5. Run the following commands to verify that you can query the encrypted data in the restored database:

    db2 list db directory
    db2 connect to mydb1
    db2 "select * from <table_name>"

    You should now be able to connect to the database and select data from tables.

  6. Run the following query to see the new master key used by the database:

    db2 "select * from table(sysproc.admin_get_encryption_info())"

  7. Verify from the Fortanix DSM UI that the new Db2 key from the previous step is seen under the group’s security objects.

8.0 Migrating from a Local Keystore to a Centralized KMIP Keystore

If you want to migrate your Db2 local keystore to a centralized keystore that is configured for the Key Management Interoperability Protocol (KMIP), you can copy your master keys to the centralized keystore by issuing the db2p12tokmip command.

8.1 Prerequisites

Ensure the following:

  • Create a KMIP keystore configuration file.

  • Configure TLS between the Db2 instance and the centralized key manager.

8.2 Procedure

Perform the following steps to migrate from a local keystore to a centralized KMIP keystore:

  1. Set up the centralized KMIP keystore.

  2. Set the ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP parameter to TRUE in the centralized KMIP keystore configuration file.

  3. Copy all master keys from the local keystore to the centralized KMIP by issuing the db2p12tokmip command.

    Figure 26: Copy all master keys

    For example:

    db2p12tokmip -from /home/test/keystores/ne-keystore.p12 -to /database/config/db2inst1/KMIP/kmip.cfg

    Where,

    • /home/test/keystores/ne-keystore.p12 is the .p12 file for the local keystore.

    • /database/config/db2inst1/KMIP/kmip.cfg is the configuration file for the KMIP keystore.