z/Data Perspectives: DB2 Encryption Support Keeps Improving

by Craig S. Mullins
November 13, 2007

The CPACF delivers cryptographic support on every CP with Data Encryption Standard (DES), Triple DES (TDES), and Advanced Encryption Standard (AES)-128 bit data encryption/decryption, as well as Secure Hash Algorithm (SHA-1) and SHA-256 hashing. For a more detailed discussion of CPACF, check out the IBM redbook IBM eServer zSeries 990 (z990) Cryptography Implementation (SG24-7070).

OK, so far, we’ve been talking about encryption for data at rest. But DB2 9 also improves support for encryption of data in transit. DB2 9 supports the Secure Socket Layer (SSL) protocol by implementing the z/OS Communications Server IP Application Transparent Transport Layer Security (AT-TLS) function. The z/OS V1R7 Communications Server for TCP/IP introduces the AT-TLS function in the TCP/IP stack for applications that require secure TCP/IP connections. AT-TLS performs transport layer security on behalf of the application, in this case DB2 for z/OS, by invoking the z/OS system SSL in the TCP layer of the TCP/IP stack. Support is provided for TLS V1.0, SSL V2.0, and SSL V3.0 protocols.

So encryption of data over the wire is improved in z/OS 1.7. The Communications Server supports AT-TLS, which uses SSL data encryption. SSL encryption has been available on z/OS for a long time, but now DB2 9 makes use of this facility and offers SSL encryption using a new secure port. When acting as a requester, DB2 can request a connection using the secure port of another DB2 subsystem. When acting as a server, and from within a trusted context, SSL encryption can be required for the connection.

So, little by little, better encryption support is being made available within the world of DB2 for z/OS. Z