8.1.3 Configure an Endpoint Certificate (SSL_SVR_LABEL)

Information

The SSL_SVR_LABEL database manager configuration parameter controls which certificate Db2 will serve to clients. This certificate must have its associated certificate chain present in the server-side key store and must be associated with a private key.

Rationale:

It is highly recommended to set SSL_SVR_LABEL. Leaving this parameter blank, so that Db2 falls back to a default certificate, works only with CMS (.KDB) format key stores, and the feature is deprecated.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Perform the following to set SSL_SVR_LABEL:

Attach to the Db2 instance.

db2 => attach to <db2instance>

Run the following command, where <label> is the name of a certificate present in the server-side key store.

db2 => update dbm cfg using SSL_SVR_LABEL <label>

Updating the value of SSL_SVR_LABEL while attached to the instance changes the certificate served by Db2 while the instance is running, with no effect on existing connections.
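
To confirm the setting after the update, the check below (an added example, not part of the benchmark or of Db2) parses the text printed by `db2 get dbm cfg` and flags a blank SSL_SVR_LABEL. It assumes the `(SSL_SVR_LABEL) = value` line layout of that output; the sample text, key store paths and the label db2_server_cert are constructed.

```shell
#!/bin/sh
# Added example: check SSL_SVR_LABEL in the text printed by `db2 get dbm cfg`.

# Print the SSL_SVR_LABEL value found on stdin; exit 2 if the line is absent.
ssl_svr_label_from_cfg() {
    awk '
        /\(SSL_SVR_LABEL\)[ \t]*=/ {
            found = 1
            sub(/^[^=]*=[ \t]*/, "")   # drop everything up to and including "="
            sub(/[ \t\r]+$/, "")       # drop trailing blanks and CR
            print
            exit
        }
        END { exit(found ? 0 : 2) }'
}

# audit_ssl_svr_label [expected_label] < dbm-cfg-text
# 0 = label set (and equal to expected_label when one is given)
# 1 = blank, i.e. Db2 would fall back to the deprecated default certificate
# 2 = parameter line not found, 3 = set but different from expected_label
audit_ssl_svr_label() {
    expected=${1:-}
    label=$(ssl_svr_label_from_cfg) || { echo "UNKNOWN: SSL_SVR_LABEL line not found"; return 2; }
    if [ -z "$label" ]; then
        echo "FAIL: SSL_SVR_LABEL is blank"; return 1
    fi
    if [ -n "$expected" ] && [ "$label" != "$expected" ]; then
        echo "FAIL: SSL_SVR_LABEL is '$label', expected '$expected'"; return 3
    fi
    echo "PASS: SSL_SVR_LABEL = $label"
}

# Constructed sample input (paths and label name are hypothetical).
sample_cfg_set() {
    cat <<'EOF'
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/keystore/server.p12
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/keystore/server.sth
 SSL server certificate label            (SSL_SVR_LABEL) = db2_server_cert
EOF
}
sample_cfg_blank() {
    printf ' SSL server certificate label            (SSL_SVR_LABEL) = \n'
}

sample_cfg_set   | audit_ssl_svr_label db2_server_cert
sample_cfg_blank | audit_ssl_svr_label || echo "(exit status $?)"
# Live use on the server: db2 get dbm cfg | audit_ssl_svr_label <label>
```

A PASS here only shows that a label is configured; that the label names a certificate with its chain and private key in the server-side key store still has to be checked against the key store itself.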

See Also

https://workbench.cisecurity.org/benchmarks/23492

Item Details

Category: ACCESS CONTROL, IDENTIFICATION AND AUTHENTICATION, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|AC-17(2), 800-53|IA-5, 800-53|IA-5(1), 800-53|SC-8, 800-53|SC-8(1), 800-53|SC-28, 800-53|SC-28(1), CSCv7|16.4, CSCv7|16.5

Plugin: Unix

Control ID: 7da021b83b5a6f7db25906f16c61fc2a60daa968614f89e665c7239544ffb0fc