Enable and test encryption in IBM Db2

4min
This section shows you how to enable and test encryption for this Db2 integration.
Import the signed client certificate
1
Put the signed client certificate PEM file into the working folder you created (for example, C:\Certs).
2
Rename the client certificate file to client.crt.
3
Run the following command to import the signed client certificate into the local keystore:
Shell
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -cert -receive -db C:\Certs\clientkeydb.p12 -stashed -file C:\Certs\client.crt
"C:\Program Files\IBM\gsk8\bin\gsk8capicmd_64" -cert -receive -db C:\Certs\clientkeydb.p12 -stashed -file C:\Certs\client.crt
﻿
Create the KMIP configuration file
1
Open a text editor and create the kmip.cfg configuration file similar to the following template with your details:
Text
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Path\to\clientkeydb.p12
SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=<LABEL OF CLIENT CERTIFICATE>
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=<IP ADDRESS OF KMES SERIES 3>
MASTER_SERVER_KMIP_PORT=<KMIP PORT>
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Path\to\clientkeydb.p12
SSL_KEYDB_STASH=C:\Path\to\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=<LABEL OF CLIENT CERTIFICATE>
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=<IP ADDRESS OF KMES SERIES 3>
MASTER_SERVER_KMIP_PORT=<KMIP PORT>
﻿
The following example shows a sample configuration file:
Text
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Certs\clientkeydb.p12
SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=10.0.8.79
MASTER_SERVER_KMIP_PORT=5696
VERSION=1
PRODUCT_NAME=OTHER
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=C:\Certs\clientkeydb.p12
SSL_KEYDB_STASH=C:\Certs\clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=ibmdb2
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=10.0.8.79
MASTER_SERVER_KMIP_PORT=5696
﻿
2
Save the file to your working folder (such as C:\Certs).
Configure Db2 to use the KMES Series 3
1
Open the Db2 Command Line Processor.
2
Run the following commands to point to the  by using the configuration file:
SQL
db2 => update dbm cfg using keystore_location C:\Certs\kmip.cfg
db2 => update dbm cfg using keystore_type kmip
db2 => update dbm cfg using keystore_location C:\Certs\kmip.cfg
db2 => update dbm cfg using keystore_type kmip
﻿
3
Run the following commands to stop and start the database:
SQL
db2 => db2stop
db2 => db2start
db2 => db2stop
db2 => db2start
﻿
Create an encrypted database and verify the integration
1
In the IBM Db2 Command Line Processor, run the following command to create an encrypted database, replacing fxencdb with your database name (no more than eight characters):
SQL
db2 => create db fxencdb encrypt
db2 => create db fxencdb encrypt
﻿
The master encryption key generates on the and you see the following message after the process successfully completes:
SQL
DB20000I  The CREATE DATABASE command completed successfully.
DB20000I  The CREATE DATABASE command completed successfully.
﻿
2
Verify the database encrypted successfully by executing the following command:
SQL
db2 => get db cfg for fxencdb
db2 => get db cfg for fxencdb
﻿
The Encrypted Database configuration parameter should be set to YES in the command response.
3
Verify the creation of the key on the  by navigating to Key Management > Keys. A HSM Protected key should have been generated for IBM Db2, similar to the following example:
Text
DB2_SYSGEN_DB2_FXENCDB_2024-04-18-11.47.35_4A9769C4
DB2_SYSGEN_DB2_FXENCDB_2024-04-18-11.47.35_4A9769C4
﻿
For more information on configuring a KMIP key store with IBM Db2, consult the IBM documentation.
Updated 18 Jun 2024
Did this page help you?
Create a role and identity on the KMES Series 3
Microsoft SQL Server