Home » DbVisualizer Forums » DbVisualizer » DbVisualizer - Support

Thread: [8.0.7] SSL connection to DB2


Permlink Replies: 9 - Pages: 1 - Last Post: Mar 1, 2013 7:33 PM Last Post By: Hans Bergsten
Mike

Posts: 44
Registered: 08/01/10
[8.0.7] SSL connection to DB2
Posted: Jan 16, 2012 7:25 PM
   thread.click_reply Reply
I'm trying to get DBVis 8.0.7 to connect to a remote DB2 v9.7.5 database with SSL.
( The remote database only support SSL connections.)

From the DB2 command-line (i.e. not java) , I'm able to connect to the same database with SSL.
Now I'm trying to get JDBC SSL connections from DB-VIS working.

Has anyone else got SSL connections from DBV 8.0.7 to DB2 v9.7 working ?

When I try an SSL connection, DBVis throws exception: "java.lang.InternalError: internal error: SHA-1 not available".
The laptop is Win-7 x64.
The laptop has both JRE7 and JDK 1.7.0.
DBVis seems to use the JRE7.

I imported the db2 server certificate into my cacerts file.

I changed java.security as per instructions here:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.apdv.java.doc/src/tpc/imjcc_t0054066.html

I changed dbvis.vmoptions as follows:
-Xmx512m
-Djavax.net.ssl.trustStore=cacerts
-Djavax.net.ssl.trustStorePassword=whatever
-Dcom.ibm.jsse2.JSSEFIPS=true
-DsslConnection=true
Hans Bergsten


Posts: 1,576
Registered: 10/11/06
Re: [8.0.7] SSL connection to DB2
Posted: Jan 16, 2012 9:04 PM    global.in_response_to.tooltip in response to: Mike
   thread.click_reply Reply
Hi Mike,

I have not tested this, but looking at the DB2 documentation, I see at least one thing in your configuration that is not correct. The "sslConnection=true" setting should be a done as driver property, not as a Java VM system property. So remove it from dbvis.vmoptions and instead add it under Driver Properties in the Properties tab for the connection.

I hope this helps.

Best Regards,
Hans
Mike

Posts: 44
Registered: 08/01/10
Re: [8.0.7] SSL connection to DB2
Posted: Jan 16, 2012 10:29 PM    global.in_response_to.tooltip in response to: Hans Bergsten
   thread.click_reply Reply
Hans,
I had already spotted and corrected that, although it did not resolve the issue (i.e. sslConnection=true is not a driver-property, removed from dbvis.vmoptions).

I suspect that the instructions for modifying the java.security file are incorrect or incomplete for Java 1.7.

I reverted to trying to use the SunJSSE as the security provider (instead of using the IBM JSSE2 provider).

This meant a change to java.security again.

Now the symptom has changed, although at least DBVis now successfully starts up, but it still cannot connect with SSL to DB2 because the connection attempt throws:

java.lang.ClassNotFoundException: com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.

This class (com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl) seems to be part of the standard Oracle Java 1.7 jre (in file jsse.jar in directory jre\lib).

So I ensured that the system-environment-variable CLASSPATH includes this file , viz:
CLASSPATH=C:\Program Files\IBM\SQLLIB\java\db2java.zip;C:\Program Files\IBM\SQLLIB\java\db2jcc.jar;C:\Program Files\IBM\SQLLIB\java\sqlj.zip;C:\Program Files\IBM\SQLLIB\java\db2jcc_license_cu.jar;C:\Program Files\IBM\SQLLIB\bin;C:\Program Files\IBM\SQLLIB\java\common.jar;.;C:\Program Files\Java\jre7\lib\jsse.jar
---
So now I can't see why the ClassNotFound exception happens when the relevant jarfile is present on the CLASSPATH.

Edited by: Mike on 16-Jan-2012 22:35
Hans Bergsten


Posts: 1,576
Registered: 10/11/06
Re: [8.0.7] SSL connection to DB2
Posted: Jan 17, 2012 12:00 AM    global.in_response_to.tooltip in response to: Mike
   thread.click_reply Reply
Hi Mike,

You should not have to change the CLASSPATH at all; the jsse.jar file should be included by default. In fact, adding things like this to the CLASSPATH may cause problems, because Java applies different rules for what a class can do depending on where it is loaded from.

To help you, I need some more information. First, exactly which JDBC driver are you using (vendor and version)? Please copy the information from the Connection Message area for the connection.

Also, can you mail the java.security and dbvis.vmoptions files to support at dbvis.com?

Best Regards,
Hans
Mike

Posts: 44
Registered: 08/01/10
Re: [8.0.7] SSL connection to DB2
Posted: Jan 17, 2012 11:24 AM    global.in_response_to.tooltip in response to: Hans Bergsten
   thread.click_reply Reply
OK I emailed the requested information to support at dbvis.com for your attention.
Thank you.
Mike

Posts: 44
Registered: 08/01/10
Re: [8.0.7] SSL connection to DB2
Posted: Jan 18, 2012 11:54 AM    global.in_response_to.tooltip in response to: Hans Bergsten
   thread.click_reply Reply
It seems that the problem syptom happens only with JRE7.

I configured a different workstation that used JRE6 (not JRE7) using the instructions
provided by IBM at
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.apdv.java.doc/src/tpc/imjcc_t0054066.html.

On that different workstation, DBVis 7.1.5 was installed and used JRE6(1.6.0_29) and DBVis is successfully able to connect via SSL to the DB2 database , using the jdbc driver for db2 supplied by DBVis, and using the SunJSSE security provider without problems.

I need to find a way to get SSL connections-to-db2 via SunJSSE working with JRE7.
I compared the JRE6 java.security file with that of JRE7 and there are several differences.
But anyway, it appears this is not a problem of DBVis.
Mike

Posts: 44
Registered: 08/01/10
Re: [8.0.7] SSL connection to DB2
Posted: Jan 20, 2012 12:02 PM    global.in_response_to.tooltip in response to: Mike
   thread.click_reply Reply
Thanks to support at dbvis dot com for advice and support.

The problem is resolved.

DBVisualizer SSL connections to DB2 works fine with JRE7 1.7.0_02 on both x64 and x86 environments, when properly configured.

The solution is:

(1) For JRE7 only, ignore one detail of IBM's advice for SunJSSE
at this URL:
http://publib.boulder.ibm.com/infocenter/db2luw/v9/topic/com.ibm.db2.udb.apdv.java.doc/doc/t0054066.htm

For JRE7 with SunJSSE ,do not add these 2 lines to java.security:
ssl.SocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=com.sun.net.ssl.internal.ssl.SSLServerSocketFactoryImpl

( Note: these two lines work with JRE6 only, but they break JRE7 1.7.0_02 b13 at least).

(2) Add a driver property sslConnection=true to the DBVisualiser connection.

(3) If you are using the default cacerts file that comes with the JRE7, there's no need for any system property or driver property to identify it. If you specify a "javax.net.ssl.trustStore" driver-property, then ensure the filename is fully qualified (else you may get exception "the trustAnchors parameter must be non-empty" ).
If you are using your own truststore (not cacerts), and/or a non-default password then give relevant driver properties to DBbvisualiser on the connection.
Hans Bergsten


Posts: 1,576
Registered: 10/11/06
Re: [8.0.7] SSL connection to DB2
Posted: Jan 20, 2012 8:19 PM    global.in_response_to.tooltip in response to: Mike
   thread.click_reply Reply
Hi Mike,

I'm glad you figured it out. Thanks for posting the summary here. I'm sure it will save others a lot of work.

Best Regards,
Hans
Carmen Schaedler

Posts: 1
Registered: 03/01/13
Re: [8.0.7] SSL connection to DB2
Posted: Mar 1, 2013 2:28 PM    global.in_response_to.tooltip in response to: Mike
   thread.click_reply Reply
For JRE7 with SunJSSE, try to use these 2 lines for java.security:
ssl.SocketFactory.provider=sun.security.ssl.SSLSocketFactoryImpl
ssl.ServerSocketFactory.provider=sun.security.ssl.SSLServerSocketFactoryImpl

Path has changed for this two classes.
Hans Bergsten


Posts: 1,576
Registered: 10/11/06
Re: [8.0.7] SSL connection to DB2
Posted: Mar 1, 2013 7:33 PM    global.in_response_to.tooltip in response to: Carmen Schaedler
   thread.click_reply Reply
Hi Carmen,

Thanks for the information!

Best Regards,
Hans

Point your RSS reader here for a feed of the latest messages in all forums