
I have configured SSL/TLS on Db2/Linux v11.5.7.0. In DBeaver 22.1.5 (a Java GUI program for accessing databases), under Driver properties I have set the parameter sslConnection to true, and DBeaver successfully connects to Db2 using SSL/TLS.

According to the Db2 Java driver documentation, in DBeaver's Driver properties I have set sslClientHostnameValidation to BASIC so that the Db2 client performs hostname validation.

When I double-click to establish the connection in DBeaver I get this error:

[jcc][t4][20162][14259][4.31.10] Connection failed: could not establish a SSL connection with the server. The connection has been configured to use hostname validation and the servers TLS certificate does not contain a hostname or IP address which matches the value configured by the client. ERRORCODE=-20576, SQLSTATE=08001

To troubleshoot the problem, in DBeaver I enabled the connection calls trace, and the output is:

[jcc][Time:2022年09月01日-13:32:11.588][Thread:Connect to 'test1ssl_hostname_validation'][Connection@1fcbbce6]doHostnameValidation () called
[jcc][Time:2022年09月01日-13:32:11.588][Thread:Connect to 'test1ssl_hostname_validation'][Connection@1fcbbce6]doHostnameValidation () returned sslIsHostnameValid=false

It does not say which hostname it checked.

I have read the Db2 documentation "Troubleshooting hostname validation at the client when negotiating a TLS connection", and according to it the error should be logged in db2diag.log on the Db2 server side. But in my case no error at all is recorded.

I have even increased the DIAGLEVEL dbm cfg parameter to the maximum of 4, restarted the instance and reproduced the problem, but still no error appears in db2diag.log.

For the certificate I have double-checked the Subject Alternative Name, and the FQDN is set correctly there.

How can I verify which hostname the client used and which hostname it got from the certificate? Regards

asked Sep 1, 2022 at 11:53
  • Try both forward and reverse name resolution from the client: they should both yield the same hostname, and that hostname must be present in the server certificate. Commented Sep 2, 2022 at 11:48

1 Answer

From the CONNECT trace I found out that serverName was set to localhost instead of the server name.

  1. Right-click the connection and select Edit Connection.
  2. Make sure the Connection settings | Main tab | Database section | Host field has the same value as the SSL certificate's:
  • Subject Alternative Name and/or
  • Subject/CN value

Because my Db2 server is running inside a VirtualBox machine accessed using port forwarding, I solved the problem as follows:

  1. In DBeaver, at Connection Settings | Main tab | Host field, I set my server's FQDN.
  2. In the C:\Windows\system32\drivers\etc\hosts file I added a new line consisting of 127.0.0.1, a space, and my server's FQDN.
  3. In DBeaver, connect; the connection is successful.
answered Sep 5, 2022 at 10:46
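As an added example (not from the question, the answer, or the Db2 driver), the script below answers the "which hostname did the client compare against what" question directly: it lists the names a server certificate carries and reports whether a given Host value would pass the usual RFC 6125 rule (SAN DNS and IP entries, wildcard only as the whole left-most label, CN only when there is no SAN). The certificate dict, db2srv.example.com and the cafile path are constructed assumptions; fetch_cert reads a live server's certificate into the same shape.

```python
import ipaddress
import socket
import ssl

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns,
# standing in for a Db2 server certificate issued to db2srv.example.com.
SAMPLE_CERT = {
    "subject": ((("commonName", "db2srv.example.com"),),),
    "subjectAltName": (("DNS", "db2srv.example.com"),
                       ("DNS", "*.db.example.com"),
                       ("IP Address", "10.0.0.5")),
}

def cert_names(cert):
    """Return (dns_names, ip_names, cn) from a getpeercert()-style dict."""
    sans = cert.get("subjectAltName", ())
    dns = [v for k, v in sans if k == "DNS"]
    ips = [v for k, v in sans if k == "IP Address"]
    cn = next((v for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"), None)
    return dns, ips, cn

def dns_match(pattern, host):
    """Case-insensitive DNS match; '*' allowed only as the whole left-most label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and p[1:] == h[1:] and (
        p[0] == h[0] or (p[0] == "*" and len(p) > 1))

def host_matches_cert(host, cert):
    """Return (ok, reason) so the reader sees which names were compared."""
    dns, ips, cn = cert_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:  # an IP literal only matches an IP Address SAN
        return any(ipaddress.ip_address(i) == ip for i in ips), f"{host!r} vs SAN IPs {ips}"
    if dns:             # SAN present: the CN is ignored
        return any(dns_match(d, host) for d in dns), f"{host!r} vs SAN DNS {dns}"
    return bool(cn) and dns_match(cn, host), f"no SAN; {host!r} vs CN {cn!r}"

def fetch_cert(host, port, cafile):
    """Fetch a live server's certificate in the same dict shape.
    cafile (assumed path) is the CA or self-signed cert the client trusts."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # chain is still verified; the name check is ours
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

Run host_matches_cert("localhost", fetch_cert("localhost", 50001, "/path/to/server-ca.pem")) against a port-forwarded server and the reason string shows exactly why localhost fails while the FQDN passes.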
