IBM Data Platform Ideas Portal for Customers


Status: Not under consideration
Workspace: Db2
Components: Other/Unknown
Created by: Guest
Created on: Mar 5, 2026

Support OpenSSL

Problem Statement

Currently, GSKit is the only supported way of setting up TLS and cryptography in Db2 LUW. Because only IBM products rely on GSKit (as far as I know), it poses a higher barrier to entry when starting with Db2. While GSKit supports standards like PKCS#12 keystores, it adds a proprietary layer for stash files, resulting in PKCS#12 files being incompatible with, e.g., OpenSSL.

GSKit doesn't have a way of creating a truststore without a private key and thus a password/stash file. For creating trust this is pointless because only the root and intermediate certificates are important. No private keys are used. This makes distributing truststores more difficult than it should be.

GSKit doesn't have a mechanism of an "OS truststore" - something where the OS stores all the certificates it (and utilities running on it) can trust. We maintain these truststores with customer root certificates, which helps set up TLS for many applications. For GSKit-required applications this doesn't work and a new truststore must be created and managed.

During a case we also identified a problem where two different versions were loaded inside one process because both MQ and Db2 were used. This caused a low-level memory exception. The result was that GSKit cannot be safely loaded twice in the same process. OpenSSL doesn't pose such a restriction.

GSKit isn't supported by tools like Ansible. A lot of custom code is required to produce the necessary files. An Ansible role was created internally that allows management of truststores and keystores.

Current Workaround

Learning GSKit can be done and the fair amount of documentation and examples help in doing so. Because it is the only option for Db2, there is simply no way around it right now. Sometimes I was asked to implement external TLS implementations (e.g., through HAProxy) for incoming and outgoing connections. This, however, adds another layer of complexity.

For the problem of running both MQ and Db2 in the same process, we are making sure that the MQ GSKit supplied libraries are loaded first via LD_PRELOAD. This is flaky and, as per my understanding, prone to fail in case Db2's version of GSKit is higher than the one MQ is shipped with.

Benefit / Goals

  1. Reduce the barrier of entry for people starting out with Db2

  2. OpenSSL exists for a wide variety of distributions. It is also distributed by them. In case of security fixes these can be easily identified and patched (in many cases, automatically). OpenSSL shouldn't be bundled with Db2.

  3. Make TLS and cryptography much easier to set up for Db2, increasing the use of TLS.

  4. Allow the use of an OS truststore for TLS verification (in case of federation or Db2 clients).

  5. Enhance the Db2 configuration experience because support is included for other products: Instantly use certificates provided through external key vaults (e.g., Azure KeyVault). Support provisioning with Ansible (it offers a module to create the required files).

  6. OpenSSL isn't just used for TLS but also ships a cryptography library which likely can be used to support the management of keys Db2 uses for encryption.

The goals could also be implemented as features of GSKit. Because OpenSSL exists, is widely accepted and already ships that functionality, my suggestion is to reuse something that exists and has proven to work.

Needed By Quarter
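The truststore point made in the problem statement (root and intermediate certificates are all that trust verification needs; no private key, password or stash file) as an added example that is not part of the original idea or of any IBM, Db2 or GSKit code. It uses Go's crypto/x509 in place of OpenSSL to build a constructed test chain, write a certificate-only PEM truststore, and verify a leaf against it; every name (Sample Root CA, db2.example.test, Unrelated CA) is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"math/big"
	"time"
)

// mkCert issues a constructed test certificate for cn, signed by parent (self-signed when parent is nil); errors are ignored only because every input is constructed.
func mkCert(cn string, isCA bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { tmpl.KeyUsage |= x509.KeyUsageCertSign }
	if parent == nil { parent, pkey = tmpl, key } // self-signed root: the template is its own issuer
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// TruststorePEM is a distributable truststore holding CA certificates only: no private key, so no password and no stash file.
func TruststorePEM(cas ...*x509.Certificate) (out []byte) {
	for _, c := range cas {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// Trusted reports whether leaf chains to an anchor in the PEM truststore.
func Trusted(leaf *x509.Certificate, truststore []byte) bool {
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(truststore)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool})
	return err == nil
}

// Demo builds root -> intermediate -> leaf plus a leaf from an unrelated CA and returns (genuine leaf trusted, rogue leaf rejected).
func Demo() (trustedOK, untrustedRejected bool) {
	root, rootKey := mkCert("Sample Root CA", true, nil, nil)
	inter, interKey := mkCert("Sample Intermediate CA", true, root, rootKey)
	leaf, _ := mkCert("db2.example.test", false, inter, interKey)
	other, otherKey := mkCert("Unrelated CA", true, nil, nil)
	rogue, _ := mkCert("db2.example.test", false, other, otherKey)
	ts := TruststorePEM(root, inter) // root and intermediate: all a truststore needs
	return Trusted(leaf, ts), !Trusted(rogue, ts)
}
```

A real client would also set DNSName in VerifyOptions to check the server name, and could seed the pool from x509.SystemCertPool() to honour the OS truststore the idea asks Db2 to support.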
Admin - Siji Daniel - Apr 8, 2026

Hello. Thank you for submitting this Idea with sufficient details of the use case. We discussed this internally. Our Security expert will add some comments to respond. However, having considered this request, it is not something we are able to deliver in the future. If there is broad interest for this, it can be resubmitted in 18 months. In the meantime, this Idea is marked Not under consideration - Db2 will work with GSKit to see what they can do to support the request.