This section shows you how to enable and test encryption for this Db2 integration.

Import the certificate

Perform the following steps to import the signed client certificate:
1. Put the signed client certificate PEM file into the working folder you created (for example, C:\Certs).
2. Rename the client certificate file to client.crt.
3. Run the following command to import the signed client certificate into the local keystore:

    "C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -cert -receive -db C:\Certs\clientkeydb.p12 -stashed -file C:\Certs\client.crt

Create the configuration file

Perform the following steps to create the KMIP configuration file:
1. Open a text editor and create the kmip.cfg configuration file similar to the following template with your details:

    VERSION=1
    PRODUCT_NAME=OTHER
    ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
    SSL_KEYDB=C:\Path\to\clientkeydb.p12
    SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
    SSL_KMIP_CLIENT_CERTIFICATE_LABEL=<LABEL OF CLIENT CERTIFICATE>
    ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
    MASTER_SERVER_HOST=<IP ADDRESS OF KMES SERIES 3>
    MASTER_SERVER_KMIP_PORT=<KMIP PORT>

   The following example shows a sample configuration file:

    VERSION=1
    PRODUCT_NAME=OTHER
    ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
    SSL_KEYDB=C:\Certs\clientkeydb.p12
    SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
    SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
    ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
    MASTER_SERVER_HOST=10.0.8.79
    MASTER_SERVER_KMIP_PORT=5696

2. Save the file to your working folder (such as C:\Certs).
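
A pre-flight lint for kmip.cfg, run before Db2 is pointed at the file. This is an added example, not part of the original page and not Futurex or IBM tooling. It flags unreplaced template placeholders, missing or repeated keys, missing keystore files and a malformed port. Treating every key in the template as required, and the names lint_kmip_cfg and DRAFT, are assumptions of this example.

```python
import os
import re

# Keys from this page's template; treating all as required is an assumption.
TEMPLATE_KEYS = """VERSION PRODUCT_NAME ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP
SSL_KEYDB SSL_KEYDB_STASH SSL_KMIP_CLIENT_CERTIFICATE_LABEL
ALLOW_NONCRITICAL_BASIC_CONSTRAINT MASTER_SERVER_HOST
MASTER_SERVER_KMIP_PORT""".split()
PLACEHOLDER = re.compile(r"<[^>]*>|\\Path\\to\\", re.IGNORECASE)


def lint_kmip_cfg(text, exists=os.path.exists):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        key, sep, value = (part.strip() for part in line.partition("="))
        if not sep or not key:
            findings.append(f"line {n}: not KEY=VALUE: {line!r}")
        elif key in seen:
            findings.append(f"line {n}: {key} repeats line {seen[key][0]}")
        else:
            seen[key] = (n, value)
    for key in TEMPLATE_KEYS:
        value = seen.get(key, (0, None))[1]
        if value is None:
            findings.append(f"{key}: missing")
        elif not value:
            findings.append(f"{key}: empty value")
        elif PLACEHOLDER.search(value):
            findings.append(f"{key}: template placeholder not replaced")
        elif key.startswith("SSL_KEYDB") and not exists(value):
            findings.append(f"{key}: file not found: {value}")
        elif key.endswith("_PORT") and not (
                re.fullmatch(r"[0-9]{1,5}", value) and 0 < int(value) < 65536):
            findings.append(f"{key}: not a TCP port: {value!r}")
    return findings


# Constructed sample: a half-edited copy of the page's template.
DRAFT = r"""SSL_KEYDB=C:\Certs\clientkeydb.p12
SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
MASTER_SERVER_HOST=<IP ADDRESS OF KMES SERIES 3>
MASTER_SERVER_KMIP_PORT=5696O
"""
if __name__ == "__main__":
    print("\n".join(lint_kmip_cfg(DRAFT)))
```

Run it on the Db2 server itself so that the SSL_KEYDB and SSL_KEYDB_STASH paths are checked against the real file system.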

Configure Db2

Perform the following steps to configure Db2 to use the KMES Series 3:
1. Open the Db2 Command Line Processor.
2. Run the following commands to point to the KMES Series 3 by using the configuration file:

    db2 => update dbm cfg using keystore_location C:\Certs\kmip.cfg
    db2 => update dbm cfg using keystore_type kmip

3. Run the following commands to stop and start the Db2 database manager:

    db2 => db2stop
    db2 => db2start

Create an encrypted database

Perform the following steps to create an encrypted database and verify the integration:
1. In the IBM Db2 Command Line Processor, run the following command to create an encrypted database, replacing fxencdb with your database name (no more than eight characters):

    db2 => create db fxencdb encrypt

   The master encryption key is generated on the KMES Series 3, and you see the following message after the process completes successfully:

    DB20000I  The CREATE DATABASE command completed successfully.

2. Verify that the database was encrypted successfully by running the following command:

    db2 => get db cfg for fxencdb

   The Encrypted Database configuration parameter is set to YES in the command response.

3. Verify the creation of the key on the KMES Series 3 by navigating to Key Management > Keys. An HSM Protected key should have been generated for IBM Db2, similar to the following example:

    DB2_SYSGEN_DB2_FXENCDB_2024-04-18-11.47.35_4A9769C4

For more information on configuring a KMIP key store with IBM Db2, consult the IBM documentation.