The following strings configure the driver to use the TLS/SSL server authentication method. In this configuration, because ValidateServerCertificate=1, the driver validates the certificate sent by the server against the configured truststore and checks the server's host name against the value of HostNameInCertificate. In addition, the driver uses user ID/password authentication.

Note: The strings demonstrated in this section use the DSN-less format. For additional formats, see "Using a connection string".

For Db2 for Linux, UNIX, and Windows; Db2 Hosted; and Db2 Warehouse on Cloud:

DRIVER=DataDirect 8.0 Db2 Wire Protocol;EncryptionMethod=1;
IPAddress=ip_address;HostNameInCertificate=host_name_in_certificate;
TCPPort=tcp_port;Database=database_name;Truststore=truststore;
TruststorePassword=truststore_password;
ValidateServerCertificate=validate_server_certificate;
EnableFIPS=enable_fips;LogonID=user_name;Password=password;

For Db2 for z/OS and iSeries:

DRIVER=DataDirect 8.0 Db2 Wire Protocol;EncryptionMethod=1;
IPAddress=ip_address;HostNameInCertificate=host_name_in_certificate;
TCPPort=tcp_port;Location=location_name;Collection=collection_name;
Truststore=truststore;TruststorePassword=truststore_password;
ValidateServerCertificate=validate_server_certificate;
EnableFIPS=enable_fips;LogonID=user_name;Password=password;

where:

ip_address

specifies the host name or the IP address of the machine where catalog tables are stored.

host_name_in_certificate

specifies a host name for certificate validation.

tcp_port

specifies the port number that is assigned to the Db2 DRDA listener process on the server host machine. The default is 50000.

database_name

specifies the name of the database to which you want to connect. Valid only on Db2 for Linux, UNIX, and Windows; Db2 Hosted; and Db2 Warehouse on Cloud.

collection_name

specifies the current collection or library. Valid only on Db2 for z/OS and Db2 for i.

location_name

specifies the name of the Db2 location that you want to access. Valid only on Db2 for z/OS and Db2 for i.

truststore

specifies either the path and file name of the truststore file or the contents of the TLS/SSL certificates to be used.

When specifying the contents of the TLS/SSL certificates, use the following format:

Truststore=data://-----BEGIN CERTIFICATE-----certificate_content-----END CERTIFICATE-----

Where certificate_content is the content of the TLS/SSL certificate. Note that the number of dashes (-----) must be the same before and after both BEGIN CERTIFICATE and END CERTIFICATE.

truststore_password

specifies the password that is used to access the truststore file.

Note: Do not specify TruststorePassword when the certificate content is supplied directly in the Truststore option. In that case no truststore file is read from disk, so there is nothing for the driver to unlock with a password.

validate_server_certificate

determines whether the driver validates the certificate that is sent by the database server. When it is set to 1, the driver validates the certificate. When it is set to 0, the driver does not validate the certificate: the connection is still encrypted, but the driver accepts whatever certificate the server presents, so the identity of the server is not verified.

enable_fips

determines whether the driver loads the FIPS provider or the default provider. When EnableFIPS is set to 1, the driver loads the FIPS provider; when it is set to 0, the driver loads the default provider. The FIPS provider contains a set of approved cryptographic algorithms that conform to the Federal Information Processing Standards specified in FIPS 140-2.

Note:
  • The FIPS provider is supported only on the following platforms: Windows 64-bit, Linux 64-bit, and AIX 64-bit.
  • Do not set the TruststorePassword connection option when using the FIPS provider. The truststore password is processed with the PKCS12KDF algorithm, which is not a FIPS-approved algorithm, so it must not be specified when the FIPS provider is loaded.
  • For both the FIPS and default providers, the certificates must be generated using OpenSSL 3.5-compliant cryptographic algorithms. See "Generating TLS/SSL certificates using OpenSSL 3.5-compliant algorithms" for more information.

user_name

specifies your username.

password

specifies your password.

Note: The LogonID and Password options do not have to be stored in the connection string; the application can instead pass them separately through the SQLConnect ODBC API. For SQLDriverConnect and SQLBrowseConnect, they must be specified in the connection string.

The following example connection string includes the options required for connecting to Db2 for Linux, UNIX, and Windows using TLS/SSL server authentication.

DRIVER=DataDirect 8.0 Db2 Wire Protocol;EncryptionMethod=1;
IPAddress=localhost;TCPPort=50000;HostNameInCertificate=MySubjectAltName;
Database=db2data;Truststore=TrustStoreName;TruststorePassword=TSXYZZY;
ValidateServerCertificate=1;LogonID=jsmith;Password=secret;
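The following Python script is an added example, not code from the driver or its documentation. It assembles a DSN-less string from the option names defined above and audits the result against the rules stated on this page: EncryptionMethod=1, ValidateServerCertificate=1, a populated Truststore, no TruststorePassword with inline certificate content or with EnableFIPS=1, and, as an advisory, no Password inside the string when SQLConnect could carry it. The host name db2.example.internal and the certificate body are constructed placeholders; the assumption that the PEM base64 body is joined without line breaks for the data:// form is not stated on the page, and a value containing ';' is rejected rather than quoted because the driver's quoting rules are not documented here.

```python
"""Build and audit a DataDirect Db2 Wire Protocol TLS connection string.

Added example; not code from the driver or its documentation. The option
names come from this page; the audit rules encode the notes on this page
plus one general ODBC practice (keep the password out of the string).
"""
from __future__ import annotations

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Constructed sample only: the base64 body is not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBszCCAVmgAwIBAgIUQ0VSVElGSUNBVEUgRk9SIEVYQU1QTEU=
-----END CERTIFICATE-----
"""


def pem_to_truststore_data(pem_text: str) -> str:
    """Convert one PEM certificate into the Truststore=data://... form.

    Assumption (not stated on the page): the base64 body is joined without
    line breaks so that the whole value stays one connection-string token.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("expected exactly one PEM CERTIFICATE block")
    return f"data://{PEM_BEGIN}{''.join(lines[1:-1])}{PEM_END}"


def build_conn_string(options: dict[str, str]) -> str:
    """Join key=value pairs in the DSN-less format used on this page.

    A value containing ';' would be split by the driver; this example refuses
    it instead of guessing at driver-specific quoting rules.
    """
    for key, value in options.items():
        if ";" in value:
            raise ValueError(f"{key} contains ';' and cannot be embedded as-is")
    return ";".join(f"{k}={v}" for k, v in options.items()) + ";"


def audit_tls_options(options: dict[str, str]) -> list[str]:
    """Return the policy violations found in a set of connection options.

    Each rule follows a statement on this page; the last one is advisory and
    reflects the SQLConnect note rather than a hard requirement.
    """
    opts = {k.lower(): v for k, v in options.items()}
    findings: list[str] = []
    if opts.get("encryptionmethod") != "1":
        findings.append("EncryptionMethod must be 1 for TLS/SSL")
    if opts.get("validateservercertificate") != "1":
        findings.append("ValidateServerCertificate is not 1: any server certificate is accepted")
    if not opts.get("hostnameincertificate"):
        findings.append("HostNameInCertificate is empty: no expected host name to check")
    truststore = opts.get("truststore", "")
    if not truststore:
        findings.append("Truststore is missing")
    if truststore.startswith("data://") and "truststorepassword" in opts:
        findings.append("TruststorePassword set with inline certificate content")
    if opts.get("enablefips") == "1" and "truststorepassword" in opts:
        findings.append("TruststorePassword set with EnableFIPS=1 (PKCS12KDF is not FIPS-approved)")
    if "password" in opts:
        findings.append("advisory: Password embedded in the string; pass it through SQLConnect instead")
    return findings


# Weak configuration: encrypted, but the server is never authenticated,
# and the inline truststore is wrongly paired with a password.
WEAK_OPTIONS = {
    "DRIVER": "DataDirect 8.0 Db2 Wire Protocol",
    "EncryptionMethod": "1",
    "IPAddress": "db2.example.internal",  # hypothetical host
    "TCPPort": "50000",
    "Database": "db2data",
    "Truststore": pem_to_truststore_data(SAMPLE_PEM),
    "TruststorePassword": "TSXYZZY",
    "ValidateServerCertificate": "0",
    "LogonID": "jsmith",
    "Password": "secret",
}

# Hardened configuration: validation on, expected host name pinned,
# no truststore password with inline content, credentials supplied later.
HARDENED_OPTIONS = {
    "DRIVER": "DataDirect 8.0 Db2 Wire Protocol",
    "EncryptionMethod": "1",
    "IPAddress": "db2.example.internal",  # hypothetical host
    "HostNameInCertificate": "db2.example.internal",
    "TCPPort": "50000",
    "Database": "db2data",
    "Truststore": pem_to_truststore_data(SAMPLE_PEM),
    "ValidateServerCertificate": "1",
    "EnableFIPS": "1",
}

if __name__ == "__main__":
    for name, opts in (("weak", WEAK_OPTIONS), ("hardened", HARDENED_OPTIONS)):
        print(name, build_conn_string(opts))
        for finding in audit_tls_options(opts) or ["no findings"]:
            print("  -", finding)
```

Running the script prints both strings; the weak one is reported for disabled validation, a missing HostNameInCertificate, a password paired with inline certificate content, and the embedded Password, while the hardened one produces no findings. The hardened options carry no LogonID or Password on purpose: they are meant to be supplied through SQLConnect, as the note above describes.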