
Error when connecting to DB2 with ibm_db with SSL

I am trying to connect to DB2 using the Python module ibm_db with SSL, and I get the following error:

    import ibm_db

    conn = ibm_db.connect("DATABASE=myDB;HOSTNAME=xx.xx.xxx.xxx;PORT=nnn;PROTOCOL=TCPIP;SECURITY=SSL;SSLServerCertificate=./myFile.arm;UID=<username>;PWD=<password>;","","")
    stmt = ibm_db.exec_immediate(conn, "delete from myschema.mytable")

I get the following exception:

    Exception: [IBM][CLI Driver] SQL30081N  A communication error has been detected. Communication protocol being used: "SSL".  Communication API being used: "SOCKETS".  Location where the error was detected: "".  Communication function detecting the error: "sqlccSSLSocketSetup".  Protocol specific error code(s): "414", "*", "*".  SQLSTATE=08001 SQLCODE=-30081

I have spent several hours trying to debug. I can't make any progress here.

Any help will be appreciated.

Tinniam,

How were your gskit keystore (i.e. .kdb) and stash file (i.e. the .sth file, which stores the encrypted password for the keystore) created? Were they created locally with the same version on the client machine, or were they created by someone on another machine that has a different version of gskit?

There is a known gskit incompatibility issue ( http://www-01.ibm.com/support/docview.wss?uid=swg22014693 ). A stash file generated with GSKit version 8.0.50.69 or newer cannot be read by a lower version, and it will return exactly the gskit 414 error.

Check the gskit version where your keystore and stash file are created and the version that the client is using. There is a gsk8ver_64 tool in sqllib/gskit/bin to tell you the version.

If you have indeed hit the incompatibility issue, you need to either upgrade your client to use the version of Db2 that has gskit on the newer boundary release, or find an older version of Db2 server such as 10.5 fp9 and generate a new keystore and stash file with the lower version of gskit.

NOTE: A newer version of gskit can read a stash file created by a lower version. But a stash file created by 8.0.50.69 or a newer version is not readable by a gskit version that is lower than the 8.0.50.69 release.

Hope this helps solve your issue.

Kevin See

Db2 Hybrid Cloud Security Team
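
The version check described in the answer above, as an added example that is not part of the original answer or IBM's tooling. It assumes you paste in any text containing the four-part GSKit version (for instance what gsk8ver_64 reports) from the machine that created the stash file and from the client; the function names and the sample strings are constructed for illustration.

```python
import re

# Boundary release named in the answer: stash files written by this GSKit
# version or newer cannot be read by GSKit versions below it.
STASH_FORMAT_BOUNDARY = (8, 0, 50, 69)

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def parse_gskit_version(text):
    """Return the first four-part dotted version in text as a tuple of ints."""
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError("no four-part GSKit version found in input")
    return tuple(int(part) for part in match.groups())


def stash_readable(creator_version, client_version):
    """Newer GSKit reads older stash files; older GSKit cannot read new ones."""
    creator_is_new = creator_version >= STASH_FORMAT_BOUNDARY
    client_is_new = client_version >= STASH_FORMAT_BOUNDARY
    return client_is_new or not creator_is_new


def diagnose(creator_output, client_output):
    """Compare both machines and explain the result in one line."""
    creator = parse_gskit_version(creator_output)
    client = parse_gskit_version(client_output)
    versions = "stash created with %s, client runs %s" % (
        ".".join(map(str, creator)), ".".join(map(str, client)))
    if stash_readable(creator, client):
        return "compatible: " + versions
    return ("incompatible: " + versions +
            "; upgrade the client or recreate the keystore and stash file "
            "with a GSKit version below the boundary")


# Constructed sample text (assumed format), not captured from a real system.
SAMPLE_CREATOR_OUTPUT = "ProductVersion: 8.0.50.86"
SAMPLE_CLIENT_OUTPUT = "ProductVersion: 8.0.50.57"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CREATOR_OUTPUT, SAMPLE_CLIENT_OUTPUT))
```
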

I had the same issue today while opening an SSL connection from a Db2 Client to a Db2 server. SQL30081N with error code 414. Db2 docs pointed to this https://www.ibm.com/support/knowledgecenter/en/SSVJJU_6.3.0/com.ibm.IBMDS.doc/progref506.htm and the hint was 414 – Incorrectly formatted certificate received from partner.

We figured out some time later that we had just imported the public key of our server into the client trust keyring. The correct way is to import only the public keys of the root server and the intermediate server into the client trust store. You do not need to import the server public key (signed by the intermediate server) into the client trust store.

I hope the original poster has already found a solution; I just wanted to leave my solution here for the next person with the same issue.

I would recommend investigating how the SSL/TLS communication is configured and how the certificate is managed.

The SSL-specific error is documented as a GSKit issue related to certificates. You have probably checked the recommendations for the error SQL30081N. The error SQL30081N even has protocol-specific details for the error codes.
