Introduction


JDBC is a set of classes and interfaces written in Java that allows Java programs to access a database. This how-to explains how to use encryption with IBM's DB2 type 4 thin driver. Encrypting database connections is increasingly important, both to protect database query transmissions over long-distance, insecure channels and to add another layer of protection.

IBM's DB2 database server can be set up to secure client access with SSL/TLS encryption. An example installation guide for, say, DB2 v11.1 can be found in IBM's Knowledge Center. Setting up SSL/TLS involves creating a DB2 key store and an X.509 v3 certificate, and enabling it in the DB2 instance configuration for a dedicated database listener port.

Database server side SSL/TLS setup information


While this guide is focussed on the client side, some key information below is needed from the database server side. There, encryption is handled by the included IBM Global Security Kit (GSKit) libraries and command-line tools.

db2inst1@lts140464:~$ db2 get database manager configuration |grep SSL
 SSL server keydb file                   (SSL_SVR_KEYDB) = /home/db2inst1/ssl/key.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /home/db2inst1/ssl/key.sth
 SSL server certificate label            (SSL_SVR_LABEL) = ltsdb2
 SSL service name                         (SSL_SVCENAME) = db2ssl
 SSL cipher specs                      (SSL_CIPHERSPECS) = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
 SSL versions                             (SSL_VERSIONS) = TLSV12
 SSL client keydb file                  (SSL_CLNT_KEYDB) =
 SSL client stash file                  (SSL_CLNT_STASH) =

This output confirms that SSL is configured, and our encryption port listed under SSL_SVCENAME is called "db2ssl". The following check confirms that this SSL port is ready for connections.

db2inst1@lts140464:~$ sudo lsof -i |grep db2
db2sysc   22828 db2inst1    6u  IPv4  42977      0t0  TCP *:db2 (LISTEN)
db2sysc   22828 db2inst1    7u  IPv4  42978      0t0  TCP *:db2ssl (LISTEN)

Now we can get the TCP port number from /etc/services:

db2inst1@lts140464:~$ grep db2ssl /etc/services
db2ssl        50001/tcp                       # SSL/TLS port for DB2 instance "db2inst1"

Finally we connect to the database SSL port, verify it really accepts SSL connections, and get the certificate from it.

db2inst1@lts140464:~$ openssl s_client -connect localhost:50001 </dev/null
CONNECTED(00000003)
depth=0 C = JP, L = Setagaya, O = FM4DD, OU = Support, CN = db2test.fm4dd.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = JP, L = Setagaya, O = FM4DD, OU = Support, CN = db2test.fm4dd.com
verify return:1
---
Certificate chain
 0 s:/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
   i:/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDgDCCAmigAwIBAgIIHSAGv1CSeP0wDQYJKoZIhvcNAQELBQAwXjELMAkGA1UE
BhMCSlAxETAPBgNVBAcTCFNldGFnYXlhMQ4wDAYDVQQKEwVGTTRERDEQMA4GA1UE
CxMHU3VwcG9ydDEaMBgGA1UEAxMRZGIydGVzdC5mbTRkZC5jb20wHhcNMTcxMjA0
MDY1NTU2WhcNMTgxMjA1MDY1NTU2WjBeMQswCQYDVQQGEwJKUDERMA8GA1UEBxMI
U2V0YWdheWExDjAMBgNVBAoTBUZNNEREMRAwDgYDVQQLEwdTdXBwb3J0MRowGAYD
VQQDExFkYjJ0ZXN0LmZtNGRkLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
AQoCggEBAPF1huDdHbx/0s+vHV9yFaQsh7i2yVi/eTUsrfNCb4N5/v+0DfHy7VTt
mKtt9WqUuW3h47K7QLexIunl/y3R834eUKOmHDTMDPk5NPQr8AYVDmb4X3cMc2uf
X9TPsgbzdvn6qAuW9uQ6gJlwXSLFhXtF2RpQmrjXaPVp0yTnLL27HUozpvWTgEiv
qIzoxDtxJM3Fp3Wtk8hC+heqmZ1bR7ysT0dv46W2RxUgPGLUmBPPG0p4DS6AfZxN
NRnyZ/25mn55n6GB1f0Ca+HeVhTOF/PDx7ZTcs0+Mp6kQe5QQ5vv5BOdBNwnoD+H
jAME6+MVZFgkeuCvc0c1BsgaNoxsICkCAwEAAaNCMEAwHQYDVR0OBBYEFP8Afew7
mtb+xf76QqXylWjjZGGEMB8GA1UdIwQYMBaAFP8Afew7mtb+xf76QqXylWjjZGGE
MA0GCSqGSIb3DQEBCwUAA4IBAQDTlo2SI4NKz/fQY6YkO6lRgGnK3yraFrRCM+Kd
mfr9edPqQAAAl3f+ZPo/ow4YTeyX4+gRTUMY6E6a/1jfLikb8vUztO61YxlsqKCP
CVGdL2EIG9gboLwOesHHv36AHT/VUuuG/gRValFAnYdiYZfPdf/g4XPmtautYR7F
+x3yHuQzOxlbJMAK/GPvIoy0lzdE2oNHr5vwrNmnQq92PwqM8n7GpZOeFv+SHYIk
4oMKpfocVNwjHF+8jbT9E48xzEOhfoihSXY6KYsB8RprIgZBPTZmsa4hX7zfmw14
Wl+0ZxddkAGxglVsx4e+u3zEEEVNR5zYf+bN6LwtZf1pBx9f
-----END CERTIFICATE-----
subject=/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
issuer=/C=JP/L=Setagaya/O=FM4DD/OU=Support/CN=db2test.fm4dd.com
---
No client certificate CA names sent
---
SSL handshake has read 1478 bytes and written 509 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
...

Client system access preparations


Besides encrypting the data, SSL also uses certificate verification to ensure that the client is talking to the correct endpoint on the server side. This means JDBC needs access to the database server certificate we identified in the previous step. Java uses its own keystore container file. If it does not exist yet, we need to create it and import the database server certificate (I saved the above certificate into the file db2cert.pem). The JDBC code can then reference this keystore container file and its access password.

fm@susie:~> keytool -import -file db2cert.pem -keystore keystore.jks -alias ltsdb2 -storepass mypassword
Owner: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
Issuer: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
Serial number: 1d2006bf509278fd
Valid from: Mon Dec 04 15:55:56 JST 2017 until: Wed Dec 05 15:55:56 JST 2018
Certificate fingerprints:
         MD5:  C2:DC:11:26:63:39:E9:72:FC:C1:66:7C:AA:D4:8E:FF
         SHA1: 62:88:F2:E1:32:09:F0:16:11:A2:AF:25:C7:7E:E5:50:E2:C0:BF:34
         SHA256: 0C:9A:34:18:6C:C8:DD:DC:F0:C5:35:70:D6:98:2D:33:4F:86:8F:A5:33:1B:44:0C:47:FF:F5:76:2D:1A:DC:46
         Signature algorithm name: SHA256withRSA
         Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FF 00 7D EC 3B 9A D6 FE   C5 FE FA 42 A5 F2 95 68  ....;......B...h
0010: E3 64 61 84                                        .da.
]
]

#2: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: FF 00 7D EC 3B 9A D6 FE   C5 FE FA 42 A5 F2 95 68  ....;......B...h
0010: E3 64 61 84                                        .da.
]
]

Trust this certificate? [no]:  yes
Certificate was added to keystore
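
keytool prints the SHA256 fingerprint before asking "Trust this certificate?", and a certificate copied out of s_client output is only as trustworthy as the connection it came over. The following added example (not part of the original how-to) extracts the PEM block from saved s_client output and compares its fingerprint, in keytool's format, with a value obtained from the DB2 administrator out of band; the function names are hypothetical and the sample body is constructed placeholder bytes, not a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def extract_der(s_client_output):
    """Return the DER bytes of the first certificate in s_client output."""
    match = PEM_RE.search(s_client_output)
    if match is None:
        raise ValueError("no PEM certificate block found")
    body = "".join(match.group(1).split())  # drop line breaks in the base64
    return base64.b64decode(body, validate=True)


def keytool_sha256(der):
    """SHA-256 over the DER bytes, formatted like keytool's SHA256 line."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def matches_pin(s_client_output, expected):
    """True only if the fetched certificate has the expected fingerprint."""
    actual = keytool_sha256(extract_der(s_client_output))
    return actual == expected.strip().upper()


# Constructed sample: s_client-style output whose PEM body encodes
# placeholder bytes (assumption for illustration, not a real certificate).
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_OUTPUT = (
    "CONNECTED(00000003)\n---\nServer certificate\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
    "subject=/CN=db2.example.test\n"
)

if __name__ == "__main__":
    fingerprint = keytool_sha256(extract_der(SAMPLE_OUTPUT))
    print("SHA256:", fingerprint)
    # In practice the pin comes from the DB2 administrator, not from the wire.
    print("matches pin:", matches_pin(SAMPLE_OUTPUT, fingerprint))
    print("wrong pin  :", matches_pin(SAMPLE_OUTPUT, "00:" * 31 + "00"))
```

Answer "yes" at the keytool prompt only when the fingerprint it shows equals the one the server administrator read from the DB2 key store.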

JDBC Java code for encrypted DB2 access


The following example code JdbcEncDB2.java can be used to quickly access and test the JDBC connection.

vi JdbcEncDB2.java
// ------------------------------------------------
// JdbcEncDB2.java
// Tests an encrypted connection to DB2, using IBM
// DB2 SSL. See "IBM Knowledge Center", Section
// "Configuring Secure Sockets Layer (SSL) support
// in a DB2 instance". Encryption is enforced at the
// DB2-side port and cleartext connections will fail.
// ------------------------------------------------
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.Statement;
import java.sql.SQLException;
import java.util.Properties;

class JdbcEncDB2 {
  public static void main (String args[]) {
    try {
      // use the JDBC type 4 driver
      Class.forName("com.ibm.db2.jcc.DB2Driver");
    }
    catch (ClassNotFoundException e) {
      System.err.println (e);
      System.exit(-1);
    }
    try {
      Properties properties = new Properties();
      properties.put("user", "db2inst1");
      properties.put("password", "test");
      properties.put("sslConnection", "true");
      properties.put("sslTrustStoreLocation", "/home/fm/keystore.jks");
      properties.put("sslTrustStorePassword", "mypassword");
      String url = "jdbc:db2://localhost:50001/SAMPLE";

      Connection connection = DriverManager.getConnection(url, properties);

      // build query, use "ENV_INST_INFO" in schema "SYSIBMADM"
      String query = "select INST_NAME from SYSIBMADM.ENV_INST_INFO" ;

      // execute query
      Statement statement = connection.createStatement() ;
      ResultSet rs = statement.executeQuery(query) ;

      // print query result
      while ( rs.next() ) {
        System.out.println("DB2 Query result: " + rs.getString(1)) ;
      }
      connection.close() ;
    }
    catch (java.sql.SQLException e) {
      System.err.println(e) ;
      System.exit(-1) ;
    }
  }
}

Compile and run the test program


fm@susie:~> javac JdbcEncDB2.java 
fm@susie:~> java JdbcEncDB2
DB2 Query result: db2inst1

Should this test fail, typical reasons are:

Sometimes, it's a question of versions. At the time of writing, the following versions were available:

db2inst1@lts140464:~$ db2level
DB21085I  This instance or install (instance name, where applicable: 
"db2inst1") uses "64" bits and DB2 code release "SQL11010" with level 
identifier "0201010F".
Informational tokens are "DB2 v11.1.0.0", "s1606081100", "DYN1606081100AMD64", 
and Fix Pack "0".
Product is installed at "/home/db2inst1/sqllib".

And at the client side:

fm@susie:~> java -cp db2jcc4.jar com.ibm.db2.jcc.DB2Jcc -version
IBM Data Server Driver for JDBC and SQLJ 4.19.66

fm@susie:~> java -version
java version "1.7.0_151"
OpenJDK Runtime Environment (IcedTea 2.6.11) (7u151-2.6.11-2ubuntu0.14.04.1)
OpenJDK 64-bit Server VM (build 24.151-b01, mixed mode)

Confirm encryption on the client side


The program output is as expected, but how do we tell that the connection is really encrypted and uses adequate encryption parameters? We can verify this with a Java debug parameter.

fm@susie:~> java -Djavax.net.debug=ssl JdbcEncDB2

adding as trusted cert:
  Subject: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Issuer:  CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Algorithm: RSA; Serial number: 0x1d2006bf509278fd
  Valid from Mon Dec 04 15:55:56 JST 2017 until Wed Dec 05 15:55:56 JST 2018

trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
...
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1512463372 bytes = { 254, 132, 47, 18, 4, 186, 43, 182, 29, 251, 241, 43, 160, 186, 56, 173, 104, 202, 169, 207, 232, 122, 161, 206, 248, 58, 235, 194 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 163
main, READ: TLSv1.2 Handshake, length = 1366
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 12 bytes = { 254, 197, 211, 220, 99, 170, 246, 161, 124, 195, 220, 186, 199, 233, 208, 89, 221, 200, 55, 118, 190, 219, 94, 39, 223, 32, 107, 166 }
Session ID:  {125, 18, 100, 73, 131, 118, 139, 185, 70, 201, 246, 218, 255, 166, 172, 204, 120, 1, 188, 227, 139, 230, 136, 65, 186, 21, 148, 93, 67, 77, 111, 90}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
Extension ec_point_formats, formats: [uncompressed]
Extension renegotiation_info, renegotiated_connection: 
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
** TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 30481386155750323326890561212765513281567421242176194898751858931652993621496236434827210211691425956433242353400256070134803805873805723207258980516716970314030800719253945261286239910493621803130345302469598118525596381326812681031904397930628940286850337735344592230011594976905839506611288453316511431732281594348447439140543423734450206326944835989267737975768308019977932319003153515281642515573386889003942953866610419768793878236308454675709597627794881132542036872740413484831867046429464822662479008274091387654236421080515525118326183680708154809697092353190550680854732296659929474836731058451927068844073
  public exponent: 65537
  Validity: [From: Mon Dec 04 15:55:56 JST 2017,
               To: Wed Dec 05 15:55:56 JST 2018]
  Issuer: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  SerialNumber: [    1d2006bf 509278fd]
...[shortening output]...
***
Found trusted certificate:
[
[
  Version: V3
  Subject: CN=db2test.fm4dd.com, OU=Support, O=FM4DD, L=Setagaya, C=JP
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
...[shortening output]...
*** ECDH ServerKeyExchange
Signature Algorithm SHA512withRSA
Server key: SunPKCS11-NSS EC public key, 384 bits (id 1, session object)
  public x coord: 1246518603194943893383502020230123073686302590005602824974756128864754520176971067002605904454877127052123088426895
  public y coord: 210365413291924666961880002120358853514104085228785658084782088069947436018826865496297805115266364568213589854800
  parameters: secp384r1 [NIST P-384] (1.3.132.0.34)
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value:  { 4, 180, 86, 82, 209, 83, 94, 197, 95, 150, 147, 39, 202, 193, 115, 133, 252, 244, 164, 197, 37, 249, 57, 233, 151, 244, 74, 178, 15, 211, 175, 252, 39, 246, 106, 21, 186, 15, 27, 109, 59, 102, 232, 157, 250, 207, 248, 8, 16, 151, 181, 165, 124, 58, 208, 128, 133, 125, 29, 44, 218, 3, 55, 93, 222, 251, 134, 214, 245, 71, 212, 243, 59, 53, 155, 73, 208, 133, 198, 105, 121, 78, 108, 187, 188, 90, 63, 173, 81, 171, 73, 213, 50, 58, 31, 15, 8 }
main, WRITE: TLSv1.2 Handshake, length = 102
main, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data:  { 44, 177, 116, 42, 53, 193, 253, 125, 97, 238, 43, 199 }
***
main, WRITE: TLSv1.2 Handshake, length = 96
main, READ: TLSv1.2 Change Cipher Spec, length = 1
main, READ: TLSv1.2 Handshake, length = 96
*** Finished
verify_data:  { 59, 227, 206, 194, 104, 205, 226, 219, 51, 233, 128, 137 }
***
...[shortening output]...
...
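
Reading this debug output by eye is error-prone, so the following added example (not part of the original how-to) parses it and checks the server's choices against the SSL_VERSIONS and SSL_CIPHERSPECS values from the server configuration shown earlier. It assumes the line format of the output above; the function names are hypothetical, and the two sample inputs are constructed (GOOD reuses lines from this page, WEAK is invented).

```python
import re

# Policy from the server configuration shown earlier on this page
# (SSL_VERSIONS = TLSV12 and the two SSL_CIPHERSPECS entries).
ALLOWED_PROTOCOLS = {"TLSv1.2"}
ALLOWED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
SERVER_HELLO = re.compile(r"^\*\*\* ServerHello, (\S+)\s*$")
CIPHER_SUITE = re.compile(r"^Cipher Suite: (\S+)\s*$")


def parse_handshake(debug_output):
    """Return what the server selected, per javax.net.debug=ssl output."""
    seen = {"protocol": None, "suite": None, "trusted_cert": False}
    in_server_hello = False
    for line in debug_output.splitlines():
        hello = SERVER_HELLO.match(line)
        if hello:
            seen["protocol"] = hello.group(1)
            in_server_hello = True
        elif in_server_hello:
            suite = CIPHER_SUITE.match(line)
            if suite:
                seen["suite"] = suite.group(1)
            elif line.strip() == "***":
                in_server_hello = False  # end of the ServerHello block
        if line.startswith("Found trusted certificate:"):
            seen["trusted_cert"] = True
    return seen


def policy_violations(seen):
    """List every way the observed handshake departs from the policy."""
    if seen["protocol"] is None:
        return ["no ServerHello found: handshake not observed"]
    problems = []
    if seen["protocol"] not in ALLOWED_PROTOCOLS:
        problems.append("protocol %s not allowed" % seen["protocol"])
    if seen["suite"] not in ALLOWED_SUITES:
        problems.append("cipher suite %s not allowed" % seen["suite"])
    if not seen["trusted_cert"]:
        problems.append("server certificate not found in the trust store")
    return problems


# Constructed samples: GOOD reuses lines from the output above, WEAK is invented.
GOOD = """\
*** ClientHello, TLSv1.2
Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
***
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Compression Method: 0
***
Found trusted certificate:
"""
WEAK = "*** ServerHello, TLSv1\nCipher Suite: SSL_RSA_WITH_3DES_EDE_CBC_SHA\n***\n"

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, policy_violations(parse_handshake(text)) or "ok")
```

The ClientHello line "Cipher Suites:" only lists what the client offers; the check deliberately reads the singular "Cipher Suite:" line inside the ServerHello block, which is what the server actually selected.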

See also: How to install and use IBM DB2 JDBC drivers