Common problems with keystore integration
When you attempt to integrate Db2® with a keystore, some configuration issues might arise that cause errors.
Lack of keystore credentials (SQL1728N rc = 3)
Db2 does not have access to the keystore, due to the lack of credentials.
-1728 SQLCODE with reason code 3 is returned.
To open the keystore, the db2start command must be executed again with the OPEN KEYSTORE option and the needed credential; you do not need to issue a db2stop command before rerunning the db2start command.
Error when DEVICE_GROUP parameter set (SQL1782N rc = 8)
Some KMIP keystores return an error when the DEVICE_GROUP parameter is set in the Db2 keystore configuration file.
-1782 SQLCODE error with reason code 8 is returned.
The DEVICE_GROUP parameter needs to be set only when using the IBM Security Key Lifecycle Manager (ISKLM) product. Remove the parameter for other KMIP keystore products.
Adding new certificates with gsk8capicmd_64 (CTGSK2043W) generates an error
GSKit returns what appears to be an error when adding new certificates.
The error that is returned appears similar to the following example:
$ gsk8capicmd_64 -cert -receive -db "clientkeydb.p12" -stashed -file "client.crt"
CTGSK2052W An invalid basic constraint extension was found.
CTGSK2043W Key entry validation failed.
What appears to be an error is actually a warning. The W at the end of both GSKit codes (for example, CTGSK2052W) indicates that the message is a warning. The warning indicates that, while the certificate was received, there might be some problems with it. In this case, GSKit is complaining that the basic constraint was not properly set, which could lead to a future 414 error from GSKit if the ALLOW_NONCRITICAL_BASIC_CONSTRAINT parameter is not set in the configuration.
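The following added example (not part of the original page and not IBM code) lints a keystore configuration file for the two settings discussed above: DEVICE_GROUP set for a non-ISKLM product, and ALLOW_NONCRITICAL_BASIC_CONSTRAINT not enabled. It assumes KEY=VALUE lines, that the PRODUCT_NAME parameter (not named on this page) identifies the key manager product, and that TRUE is the enabling value; the sample files are constructed.

```shell
#!/bin/sh
# Added example (not IBM code): lint a Db2 KMIP keystore configuration file
# for the two settings this page discusses.
# Assumptions: KEY=VALUE lines; PRODUCT_NAME (not named on this page) holds the
# key manager product; ALLOW_NONCRITICAL_BASIC_CONSTRAINT is enabled with TRUE.

# get_param FILE KEY: print the value of the last KEY=VALUE line, upper-cased.
get_param() {
    awk -v k="$2" '
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == k) found = toupper(val)
        }
        END { print found }' "$1"
}

# lint_keystore_cfg FILE: print one line per finding; return 1 if any.
lint_keystore_cfg() {
    rc=0
    product=$(get_param "$1" PRODUCT_NAME)
    group=$(get_param "$1" DEVICE_GROUP)
    ncbc=$(get_param "$1" ALLOW_NONCRITICAL_BASIC_CONSTRAINT)
    if [ -n "$group" ] && [ "$product" != "ISKLM" ]; then
        echo "DEVICE_GROUP set for PRODUCT_NAME=${product:-unset}: remove it (SQL1782N rc = 8)"
        rc=1
    fi
    if [ "$ncbc" != "TRUE" ]; then
        echo "ALLOW_NONCRITICAL_BASIC_CONSTRAINT not TRUE: CTGSK2052W certificates may hit GSKit error 414"
        rc=1
    fi
    return "$rc"
}

# Constructed sample files (values are placeholders, not from a real system).
SAMPLES=$(mktemp -d)
printf 'VERSION=1\nPRODUCT_NAME=OTHER\nDEVICE_GROUP=EXAMPLE_GROUP\n' > "$SAMPLES/other.cfg"
printf 'VERSION=1\nPRODUCT_NAME=ISKLM\nDEVICE_GROUP=EXAMPLE_GROUP\nALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE\n' > "$SAMPLES/isklm.cfg"

for f in "$SAMPLES"/*.cfg; do
    echo "== $f"
    lint_keystore_cfg "$f" || true
done
```

Run it against the configuration file before restarting the instance, so that a stray DEVICE_GROUP or a missing ALLOW_NONCRITICAL_BASIC_CONSTRAINT is caught before it surfaces as a Db2 or GSKit error.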