ibm_db connect DB2 using SSLClientKeystoredb in Python

Question

I am trying to connect to a DB2 JDBC database thru Python with providing the SSLClientKeystoredb.

This is how I have been trying to connect to the DB:

import ibm_db

arg1 = "DRIVER={IBM DB2 ODBC DRIVER};" + "DATABASE=databasename;HOSTNAME=" + "server" + ";PORT=" + "111111" + ";PROTOCOL=TCPIP;UID=" + "userId" + ";PWD=" + "password" + ";SECURITY=ssl" + ";SSLClientKeystoredb=" + "C:/Users/path/db2_ssl_keydb.kdb" + ";SSLClientKeystash=" + "C:/Users/path/db2_ssl_keydb.sth"

conn=ibm_db.connect(arg1, "", "")

I keep getting this error:

 SQLCODE=-1109M][CLI Driver] SQL1109N  The command was not processed because the database manager failed to load the following DLL: "GSKit Error: 202".  SQLSTATE=42724

I installed both GSKit8 Crypt and GSKit SSL 64-bit. Any help would be appreciated !

Answer 1

On Db2-client workstations, you can avoid installing/configuring the GSK8 as a separate component, and still have encrypted SSL connections to Db2-LUW servers.

Note that you might need GSK8 on client-workstations for other reasons (other non-Db2 applications), but that is a separate matter.

On MS-Windows, there are two ways to avoid having to install GSK8 for Db2 SSL connections, but in this answer I mention one way.

Technically this feature became available at V10.5 fixpack 5 Db2-clients, but there were some bugs so I suggest to avoid that fixpack and start with fixpack 8 or higher. This functionality also works in V11.1 Db2-clients.

If you have the server-certificate in ARM format, then you can use the SSLSERVERCERTIFICATE and SECURITY keywords in the connection-string to connect with SSL from Python (or from any tool that uses the Db2 CLI libraries).

With this approach you don't need a keystore and stash to be manually created, and you don't need SSLClientKeystoredb etc in the connection string.

You still need to add appropriate security for the ARM file both at rest and during distribution.

This approach may be easier to manage, and example connection is below:

try:
   arg1="DATABASE=whatever;HOSTNAME=whatever;PORT=50443;UID=whavever;PWD=whatever;SSLServerCertificate=/path_to/db2server_instance.arm;SECURITY=ssl;"
   conn = ibm_db.connect(arg1,"","")

except:
    logging.error('Error: Failed to connect to database: %s', ibm_db.conn_errormsg())
    sys.exit(1)

Answer 2

Don't know if it helps, but when I launched the gitBash / command prompt via "run as administrator" it worked for me. After I used the

conn=ibm_db.connect("Database=****DB; Hostname=***.***.***.COM; PORT=****; Security=ssl; SSLClientKeystoredb=c:/keystore/ibmca.kdb; SSLClientKeystash=c:/keystore/ibmca.sth;UID= ; PWD= ;",'','')

Answer 3

"202 - GSK_KEYRING_OPEN_ERROR

Unable to open the key file or the Microsoft Certificate Store. Either the path was specified incorrectly or the file permissions did not allow the file to be opened, or the file format is incorrect."

The arg1 passed to ibm.db is badly formatted and you are missing a semi-colon after you assign your SSLClientKeystash. Try following this: IBM Support

Answer 4

The issue was solved by switching to python 2.7.9, and changing the path of the SSL to "C:\\SSL" for the certificates. Not sure if changing the path helped but just wanted to mention that for future reference.