Encrypting IBM i ODBC Connections from Linux with TLS/SSL

ODBC with Db2 for IBM i

ODBC connections between Linux and IBM i should be encrypted to keep Db2 data safe in transit.

To encrypt ODBC data, IBM recommends the industry-standard TLS encryption protocol (the successor to SSL).

As of version 1.1.0.27, the IBM i ODBC driver supports use of the SSL keyword for Linux as well as Windows.

When SSL=1 is specified either in odbc.ini or an ODBC connection string, the IBM i server will respond from a prestarted ODBC job named QZDASSINIT (the second “S” stands for “secure”) rather than the usual QZDASOINIT job.
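
The following Python audit is an added example, not code from the original article or from IBM: it flags IBM i DSNs in an odbc.ini whose SSL keyword is not 1, and checks a connection string the same way. The driver-name substring used to recognise IBM i DSNs is an assumption, and the DSN names and hosts are constructed sample data.

```python
import configparser

# Constructed sample odbc.ini; DSN names and hosts are made up for illustration.
SAMPLE_ODBC_INI = """\
[PROD]
Driver = IBM i Access ODBC Driver
System = ibmi-prod.example.com
SSL = 1

[LEGACY]
Driver = IBM i Access ODBC Driver
System = ibmi-old.example.com

[REPORTS]
Driver = IBM i Access ODBC Driver 64-bit
System = ibmi-prod.example.com
ssl = 0

[PG]
Driver = PostgreSQL Unicode
Servername = pg.example.com
"""

# Assumption: IBM i DSNs are recognised by this substring of the Driver value.
IBMI_DRIVER_MARKER = "ibm i access odbc driver"


def unencrypted_dsns(ini_text):
    """Return the sorted IBM i DSN names whose SSL keyword is not 1."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)  # option names are lower-cased on read
    flagged = []
    for dsn in parser.sections():
        driver = parser.get(dsn, "driver", fallback="")
        if IBMI_DRIVER_MARKER not in driver.lower():
            continue  # not an IBM i data source
        if parser.get(dsn, "ssl", fallback="").strip() != "1":
            flagged.append(dsn)  # SSL missing or set to something other than 1
    return sorted(flagged)


def conn_string_uses_ssl(conn_str):
    """True if SSL=1 is present; naive split, braced values with ';' not handled."""
    pairs = (p.split("=", 1) for p in conn_str.split(";") if "=" in p)
    attrs = {k.strip().lower(): v.strip() for k, v in pairs}
    return attrs.get("ssl") == "1"


if __name__ == "__main__":
    print(unencrypted_dsns(SAMPLE_ODBC_INI))
```

On the server side, a DSN that passes this check should show up under a QZDASSINIT job rather than QZDASOINIT.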

Assign a TLS certificate to the database server

You’ll also need to assign a certificate to the database server; by default, none is assigned. See this IBM support article for how to provision and assign certificates to the host servers. At a minimum, assign a certificate to these host servers: QIBM_OS400_QZBS_SVR_DATABASE, QIBM_OS400_QZBS_SVR_RMTCMD, QIBM_OS400_QZBS_SVR_SIGNON, and QIBM_OS400_QZBS_SVR_CENTRAL.

If you use a self-signed certificate, you’ll also have to load it into your system Certificate Authority trust store.

For older driver versions

For versions 1.1.0.26 and older of the Linux driver, which do not have the SSL keyword available, IBM provides instructions on setting up a secure tunnel from a Linux system to IBM i at https://www.ibm.com/support/pages/node/869822. TIP: In case it’s not clear in IBM’s article, applications should use the DSN name that was set up in the Linux odbc.ini file. We have helped clients set up secure ODBC tunnels for applications written in PHP and Node.js. It would work the same for Python and other languages as well.
