Secure IBM i with JDBC over SSL

The focus on security in IT environments continues to grow each year. Pressure to adequately secure sensitive business data is constantly reinforced by factors such as legislative requirements (HIPAA, SOX), security standards (PCI DSS), and news coverage of data breaches that ruin a company's reputation. Consequently, businesses focus heavily on securing the data in their database environments by defining and implementing security policies that control who is and is not authorized to access sensitive data. One area of security that is sometimes overlooked is the connection between a JDBC client and server. If the JDBC connection is not properly secured, sensitive data can be exposed in transit within the IT environment. One solution is to run JDBC over Secure Sockets Layer (SSL)/Transport Layer Security (TLS).

This article provides the basic steps to configure the IBM Developer Kit for Java JDBC driver (Native) or the IBM Toolbox for Java JDBC driver (Toolbox) to use an SSL connection. The environment consists of one IBM i where the database resides (the server) and another IBM i where the program runs (the client).

IBM i Requirements

For an IBM i product to communicate over SSL as a server or as a client, it must be running IBM i 5.4 or later and have the following applications installed:

Product Name                                   5.4                  6.1                  7.1
Digital Certificate Manager                    5722-SS1 Option 34   Option 34            5770-SS1 Option 34
IBM TCP/IP Connectivity Utilities for i        5722-TC1             5761-TC1             5770-TC1
  (Base TCP/IP support)
IBM HTTP Server for i                          5722-DG1             5761-DG1             5770-DG1
  (for access to Digital Certificate Manager)
  After installation, start the *ADMIN HTTP server using

To communicate over SSL as a client on a release prior to V7R1M0, refer to the IBM i InfoCenter for the list of required PTFs.

Setting Up Digital Certificates on IBM i

Digital Certificate Manager (DCM) lets you manage digital certificates for your network and use SSL to enable secure communications for many applications. A digital certificate is an electronic credential that you can use to establish proof of identity in an electronic transaction. DCM lets you manage certificates that you obtain from any Certificate Authority (CA). If you choose to use a default trusted CA, you don't need to create your own CA or export/import the CA certificate between the server and client.

In this example, we use DCM to create and operate our own local CA to sign certificates. Note that the profile accessing DCM needs *SECADM and *ALLOBJ authority. See Digital Certificate Manager for more detailed information.

When setting up certificates for the Native JDBC driver, the steps listed below must be done on both the server and client systems. If you’re using the Toolbox JDBC driver, the steps must be done on the server system only.

  1. Open a Web browser and enter http://your_system:2001/ to load the IBM System Director Navigator for i5/OS Web console. From the welcome page, take the “IBM i Tasks Page” link and select “Digital Certificate Manager.”

  2. Use the “Create New Certificate Store” link to create the *SYSTEM certificate store. Specify “No - Do not create a certificate in the certificate store.” If *SYSTEM is not listed, a certificate store already exists on your system. In that case, skip to step 4.

  3. Use the “Create a Certificate Authority (CA)” link to create a CA. When you get to the step regarding the *OBJECTSIGNING store, click “Cancel” so the store isn’t created.

  4. Use the “Select a Certificate Store” button to open the *SYSTEM Certificate Store.

  5. Select the “Manage Certificates > View certificate” links to ensure the CA has LOCAL_CERTIFICATE_AUTHORITY listed.

  6. Use the “Create Certificate” link to create a server or client certificate. Use the “Local Certificate Authority (CA)” button to sign the certificate, and assign the certificate to the following servers:
    • Native: i5/OS DDM/DRDA Server - TCP/IP application
    • Toolbox: Database Server, Signon Server

    NOTE: If the Local CA isn’t listed, you may need to log out of DCM and log back in for recent changes to appear.

  7. Use the “Export certificate” link to export the CA to a file. Specify a name of /tmp/certServer.arm (on the server) and /tmp/certClient.arm (on the client).

  8. Continue to the following appropriate section for either the Native JDBC driver or the Toolbox JDBC driver.
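The steps above are performed in the DCM web interface, so nothing on this page shows what the exported CA file actually buys the client. The following script is an added example, not code from the article or from IBM, that reproduces the same trust relationship with the openssl command line: create a local CA (step 3), issue a server certificate signed by it (step 6), export only the CA's public certificate (step 7), and then check what a client that trusts that one file does with a server certificate from the local CA versus one from an unrelated CA. It assumes an openssl binary is on the PATH and that the .arm export is the Base64 (PEM) encoding of the CA certificate; the CA name OTHER_CA, the host names, the openssl config fragment, and the files under a temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article): model the DCM certificate steps with openssl
# and show why the exported CA file is what the JDBC client must trust.
set -e

WORK=$(mktemp -d)                 # scratch area standing in for the *SYSTEM store
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the CA certificate carries CA:TRUE regardless of the
# system openssl.cnf (constructed for this example).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Step 3 equivalent: create a self-signed CA (private key + certificate).  $1 = CA name.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -config "$WORK/ca.cnf" -subj "/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Step 6 equivalent: issue a server certificate signed by the named CA.
# $1 = CA name, $2 = server host name (used as CN and DNS SAN).
issue_server_cert() {
    openssl req -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$2" > "$WORK/$2.ext"
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -extfile "$WORK/$2.ext" \
        -out "$WORK/$2.crt" >/dev/null 2>&1
}

# Step 7 equivalent: export only the CA's public certificate in Base64 (PEM) form.
# The private key never leaves the server.  $1 = CA name, $2 = output file.
export_ca() {
    openssl x509 -in "$WORK/$1.crt" -out "$2"
}

# Client-side check: does a client that trusts only the CA file $1 accept the
# server certificate $2?  Prints "trusted" or "untrusted".
check_server_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Build the scenario: the article's local CA plus an unrelated CA, to show that
# the client rejects a certificate from any CA it never chose to trust.
make_ca LOCAL_CERTIFICATE_AUTHORITY
make_ca OTHER_CA
issue_server_cert LOCAL_CERTIFICATE_AUTHORITY dbserver.example.com
issue_server_cert OTHER_CA rogue.example.com
export_ca LOCAL_CERTIFICATE_AUTHORITY "$WORK/certServer.arm"

echo "dbserver (signed by local CA): $(check_server_cert "$WORK/certServer.arm" "$WORK/dbserver.example.com.crt")"
echo "rogue    (signed by other CA): $(check_server_cert "$WORK/certServer.arm" "$WORK/rogue.example.com.crt")"
```

The first line prints "trusted" and the second "untrusted": the exported file contains only the local CA's public certificate, which is enough for a client to validate the server's certificate chain, and a certificate from any other issuer fails validation even though it is otherwise well-formed. That is the property the JDBC client relies on once the CA file has been copied to it.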

Brett Leeser is a software engineer with the IBM i Final System Test team in Rochester, Minn.

Marie Wilson is a software engineer with the IBM i Final System Test team in Rochester, Minn.

Michelle A. Schlicht is a staff software engineer with IBM. Michelle can be reached at
