Creating a local keystore

You can create a keystore on the local system by using the GSKit library command gsk8capicmd_64.

About this task

Local keystore considerations for multi-member database

When using a local keystore with a Db2® multi-member configuration, such as Db2 pureScale or Db2 Database Partitioning Facility, a copy of the keystore must be present on each member. In addition, coordination of keystore updates must be done manually. For this reason, a centralized keystore is recommended for these database environments.


Log in as the Db2 instance owner, and then create the local keystore by running the gsk8capicmd_64 command.

gsk8capicmd_64 -keydb -create -db "/home/thomas/keystores/ne-keystore.p12" 
    -pw "g00d.pWd" -type pkcs12 -stash
Basic command syntax

gsk8capicmd_64 -keydb -create -db "<file-name>" -pw "<password>" -type pkcs12 -stash
  • <file-name> is the full path and file name you want to give the keystore file
  • Keystore format:
    • For use with native encryption, the format of the keystore must be PKCS#12, so it is mandatory to specify -type pkcs12
    • PKCS#12 keystore file names must have the extension ".p12"
  • Stashing the password:
    • If you specify the -stash parameter, the keystore password is stored (or stashed) in a stash file with the same base name as the keystore file but with the file extension ".sth".
    • If the password is not stashed, you are prompted for a password whenever the database manager accesses the keystore, including during db2start.
    Note: You can stash the password in a stash file later by running the gsk8capicmd_64 command with the -stashpw parameter.
    Note: Stashing the password with the gsk8capicmd_64 command is intended to be used in a local keystore only. Do not attempt to stash a password in a local keystore with the db2credman command. The db2credman command is intended to be used with a PKCS #11 keystore.

For information about the full syntax of the gsk8capicmd_64 command, see the GSKCapiCmd User Guide.