Setting up a centralized KMIP keystore
To use a centralized keystore with Db2® native encryption, where the keystore is a key manager that supports the Key Management Interoperability Protocol (KMIP), you create a KMIP keystore configuration file and then set its parameter values to configure SSL communication between the Db2 instance and the key manager. Although the documentation uses the term SSL throughout, the connection must negotiate TLS 1.2 (see the requirements below).
Before you begin
- If you are using IBM® Security Key Lifecycle Manager, see: Quick Start Guide
- The KMIP server must support TLS 1.2.
- All certificates must be signed with a signature algorithm that uses SHA2 (SHA256, SHA384, SHA512). The use of SHA1 is not supported.
- All certificates must have a key size of at least 2048 bits.
Note: "All certificates" refers to the Db2 client certificate, the KMIP server certificate, and any Certificate Authority (CA) and intermediate CA root certificates, so check every certificate in the chain, not only the leaf certificates.
Procedure
1. Create a KMIP keystore configuration file.
2. Configure SSL between the Db2 instance and the key manager, by using one of the following methods:
   - Configure SSL with ISKLM
   - Configure SSL with KeySecure
   Note: Other key manager products can be configured in a similar manner.
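The certificate and protocol requirements above are easy to miss on a single intermediate CA, so the following added example (not part of the Db2 documentation and not Db2 code) checks a PEM chain against them and can probe the key manager for a TLS 1.2-only handshake. It assumes RSA keys (the 2048-bit rule is read as an RSA modulus size; other key types are flagged for manual review), builds two constructed self-signed certificates as sample input, and uses names of its own (CheckCert, CheckPEMChain, ProbeTLS12, SelfSignedPEM) that do not come from Db2 or any key manager.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"os"
	"time"
)

// sha2Algorithms are the SHA-2 signature algorithms the requirements allow; SHA1WithRSA, MD5WithRSA, ECDSAWithSHA1 etc. are rejected.
var sha2Algorithms = map[x509.SignatureAlgorithm]bool{
	x509.SHA256WithRSA: true, x509.SHA384WithRSA: true, x509.SHA512WithRSA: true,
	x509.SHA256WithRSAPSS: true, x509.SHA384WithRSAPSS: true, x509.SHA512WithRSAPSS: true,
	x509.ECDSAWithSHA256: true, x509.ECDSAWithSHA384: true, x509.ECDSAWithSHA512: true,
}

// CheckCert returns the requirements that one parsed certificate violates (empty means compliant).
func CheckCert(c *x509.Certificate) []string {
	var problems []string
	if !sha2Algorithms[c.SignatureAlgorithm] {
		problems = append(problems, fmt.Sprintf("%q: signature algorithm %s is not SHA-2 based", c.Subject.CommonName, c.SignatureAlgorithm))
	}
	if k, ok := c.PublicKey.(*rsa.PublicKey); !ok { // assumption: the 2048-bit rule is an RSA modulus size, so flag other key types
		problems = append(problems, fmt.Sprintf("%q: non-RSA key (%T), check the key-size requirement manually", c.Subject.CommonName, c.PublicKey))
	} else if bits := k.N.BitLen(); bits < 2048 { // minimum key size from the requirements
		problems = append(problems, fmt.Sprintf("%q: RSA key is %d bits, need at least 2048", c.Subject.CommonName, bits))
	}
	return problems
}

// CheckPEMChain checks every CERTIFICATE block in pemData (Db2 client cert, KMIP server cert, root and intermediate CAs).
func CheckPEMChain(pemData []byte) ([]string, error) {
	var problems []string
	n := 0
	for b, rest := pem.Decode(pemData); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, fmt.Errorf("certificate %d: %w", n, err)
		}
		n++
		problems = append(problems, CheckCert(c)...)
	}
	if n == 0 { // an empty or non-PEM file must not pass silently
		return nil, fmt.Errorf("no CERTIFICATE blocks found in input")
	}
	return problems, nil
}

// ProbeTLS12 opens a TLS 1.2-only connection to addr (host:port): the handshake fails outright if the key
// manager cannot negotiate TLS 1.2 or presents a chain that does not verify against roots.
func ProbeTLS12(addr string, roots *x509.CertPool) error {
	host, _, _ := net.SplitHostPort(addr)
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, RootCAs: roots, ServerName: host}
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return fmt.Errorf("TLS 1.2 handshake with %s failed: %w", addr, err)
	}
	return conn.Close()
}

// SelfSignedPEM builds a constructed, self-signed SHA-256 test certificate with an RSA key of the given size (sample input only).
func SelfSignedPEM(cn string, bits int) []byte {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour), SignatureAlgorithm: x509.SHA256WithRSA}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// main checks a constructed two-certificate chain: one compliant certificate and one with a 1024-bit key.
func main() {
	chain := append(SelfSignedPEM("db2client", 2048), SelfSignedPEM("weak-ca", 1024)...)
	problems, err := CheckPEMChain(chain)
	if err != nil {
		panic(err)
	}
	for _, p := range problems {
		fmt.Println("FAIL:", p)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
}
```

Run as-is and the constructed "weak-ca" certificate is reported for its 1024-bit key. For a real deployment, pass the exported chain (client certificate, server certificate, CA and intermediate CA certificates) to CheckPEMChain, and call ProbeTLS12 with the key manager's host:port and a pool holding only its real CA certificates; KMIP's IANA-registered port is 5696, but use whatever port your key manager actually listens on. Pinning both MinVersion and MaxVersion to TLS 1.2 is deliberate: a handshake that succeeds at any other version would hide the exact failure the requirement is meant to catch.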