Common problems with keystore integration

When you attempt to integrate Db2® with a keystore, some configuration issues might arise that cause errors.

Lack of keystore credentials (SQL1728N rc = 3)

Issue

Db2 cannot open the keystore because no keystore credential (the keystore password) was supplied when the instance was started.

Symptom

The -1728 SQLCODE with reason code 3 is returned.

Solution

Run db2start again with the OPEN KEYSTORE option and the required credential (the keystore password); a db2stop is not needed before rerunning db2start. If the credential is omitted again, the same SQL1728N reason code 3 is returned.

Error when DEVICE_GROUP parameter set (SQL1782N rc = 8)

Issue

Some KMIP keystores return an error when the DEVICE_GROUP parameter is set in the Db2 keystore configuration file.

Symptom

The -1782 SQLCODE error with reason code 8 is returned.

Solution

Set DEVICE_GROUP only when the KMIP keystore is IBM Security Key Lifecycle Manager (ISKLM). For any other KMIP keystore product, remove the parameter from the Db2 keystore configuration file.

Adding new certificates with gsk8capicmd_64 reports CTGSK2043W, which looks like an error

Issue

GSKit returns what appears to be an error when adding new certificates.

Symptom

The error that is returned appears similar to the following example:

$ gsk8capicmd_64 -cert -receive -db "clientkeydb.p12" -stashed -file "client.crt" -default_cert yes
CTGSK2052W An invalid basic constraint extension was found. CTGSK2043W Key entry validation failed.

Solution

What appears to be an error is a warning: the trailing W in both GSKit codes (CTGSK2052W, CTGSK2043W) marks a warning, not an error. The certificate was received into the key database, but GSKit found that its basic constraints extension is not set the way GSKit expects. Left as is, this can surface later as a GSKit 414 error when the certificate is used, unless ALLOW_NONCRITICAL_BASIC_CONSTRAINT is set to TRUE in the Db2 keystore configuration file. That setting relaxes GSKit's certificate validation, so where you control the issuing CA it is preferable to reissue the certificate with a correctly formed basic constraints extension and leave the check in place.
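The two configuration-file problems above (a DEVICE_GROUP entry for a non-ISKLM product, and ALLOW_NONCRITICAL_BASIC_CONSTRAINT not set to TRUE) can be caught before db2start with a small lint of the Db2 keystore configuration file. The script below is an added example, not IBM's code; it assumes the file is KEY=VALUE lines, that PRODUCT_NAME identifies the keystore product, that the value ISKLM denotes IBM Security Key Lifecycle Manager, and that TRUE is the value for ALLOW_NONCRITICAL_BASIC_CONSTRAINT. The sample configuration it writes is constructed, with placeholder paths, host name and product name.

```sh
#!/bin/sh
# Added example, not from the Db2 documentation. Lints and fixes a Db2 KMIP
# keystore configuration file for the two problems discussed on this page.
# Assumptions: KEY=VALUE lines; PRODUCT_NAME=ISKLM means IBM Security Key
# Lifecycle Manager; DEVICE_GROUP is valid only for ISKLM;
# ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE is the setting that avoids the
# GSKit 414 error for a certificate with a flagged basic constraints extension.

# Print the value of key $2 from file $1 (empty if the key is absent).
cfg_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if key $2 is present in file $1, even with an empty value.
cfg_has() {
    grep -q "^[[:space:]]*$2[[:space:]]*=" "$1"
}

# Report the problems in file $1. Returns 0 if clean, 1 if a fix is needed.
lint_kmip_cfg() {
    f="$1"; rc=0
    product=$(cfg_get "$f" PRODUCT_NAME)
    if [ "$product" != "ISKLM" ] && cfg_has "$f" DEVICE_GROUP; then
        echo "$f: DEVICE_GROUP is set but PRODUCT_NAME is '$product'; expect SQL1782N rc 8"
        rc=1
    fi
    if [ "$(cfg_get "$f" ALLOW_NONCRITICAL_BASIC_CONSTRAINT)" != "TRUE" ]; then
        echo "$f: ALLOW_NONCRITICAL_BASIC_CONSTRAINT is not TRUE; a certificate that" \
             "drew CTGSK2052W at import can fail later with GSKit error 414"
        rc=1
    fi
    return $rc
}

# Rewrite file $1 in place (original kept as $1.bak): drop DEVICE_GROUP unless
# PRODUCT_NAME is ISKLM, and set ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE.
fix_kmip_cfg() {
    f="$1"
    tmp=$(mktemp) || return 1
    cp "$f" "$f.bak"
    if [ "$(cfg_get "$f" PRODUCT_NAME)" = "ISKLM" ]; then
        cat "$f" > "$tmp"
    else
        sed '/^[[:space:]]*DEVICE_GROUP[[:space:]]*=/d' "$f" > "$tmp"
    fi
    if cfg_has "$tmp" ALLOW_NONCRITICAL_BASIC_CONSTRAINT; then
        sed 's/^[[:space:]]*ALLOW_NONCRITICAL_BASIC_CONSTRAINT[[:space:]]*=.*/ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE/' \
            "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    else
        echo 'ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE' >> "$tmp"
    fi
    mv "$tmp" "$f"
}

# Write a constructed sample file (placeholder paths, host and product name)
# to $1: a non-ISKLM keystore that wrongly carries DEVICE_GROUP.
write_sample_cfg() {
    cat > "$1" <<'EOF'
VERSION=1
PRODUCT_NAME=OTHER_KMIP
SSL_KEYDB=/home/db2inst1/sqllib/security/pkcs12/kmipclient.p12
SSL_KEYDB_STASH=/home/db2inst1/sqllib/security/pkcs12/kmipclient.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=db2kmipclient
MASTER_SERVER_HOST=kmip.example.com
MASTER_SERVER_PORT=5696
DEVICE_GROUP=DB2
EOF
}

# Demo: lint the constructed file, fix it, lint again.
demo_dir=$(mktemp -d)
write_sample_cfg "$demo_dir/kmip.cfg"
lint_kmip_cfg "$demo_dir/kmip.cfg" || fix_kmip_cfg "$demo_dir/kmip.cfg"
lint_kmip_cfg "$demo_dir/kmip.cfg" && echo "$demo_dir/kmip.cfg: clean"
```

The fix applies the workaround this page gives for the GSKit warning; if you would rather reissue the certificate with a proper basic constraints extension, run only lint_kmip_cfg and treat its second message as a prompt to do that instead.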