If you want to migrate your Db2® native-encrypted local keystore to a centralized PKCS #11 keystore, you can copy the master keys to the centralized keystore by issuing the db2p12top11 command.
Procedure
- Back up the PKCS #11 keystore by using the vendor's key manager software.
- Set the ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP parameter to TRUE in the centralized PKCS #11 keystore configuration file.
- If you are migrating to a hardware security module (HSM) of the Entrust family, you must set the CKNFAST_OVERRIDE_SECURITY_ASSURANCES environment variable to unwrap_kek.
- Copy all master keys from the local keystore to the centralized PKCS #11 keystore by issuing the db2p12top11 command.
- Example
  db2p12top11 -to ~/pkcs11_keystore.cfg -pin Str0ngPassw0rd
  To see full syntax information, type db2p12top11 -h in the Db2 Command Window, or refer to the db2p12top11 command.
- Set the ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP parameter to FALSE in the centralized PKCS #11 keystore configuration file.
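The following added example (not IBM's code) wraps steps 2, 4 and 5 of the procedure above in one guarded run, so that ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP is returned to FALSE even when db2p12top11 fails. It assumes the centralized keystore configuration file holds one PARAMETER=value entry per line; the sample configuration it writes is constructed with placeholder values.

```shell
#!/bin/sh
# Added example, not IBM's code: wraps steps 2, 4 and 5 of the procedure so that
# ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP is set back to FALSE even when
# db2p12top11 fails. Assumes the centralized keystore configuration file holds
# one PARAMETER=value entry per line (an assumption about the file format).

# set_keystore_param FILE NAME VALUE: rewrite NAME=... in place, or append it if absent.
set_keystore_param() {
    file=$1; name=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q "^$name=" "$file"; then
        sed "s|^$name=.*|$name=$value|" "$file" > "$tmp"
    else
        cp "$file" "$tmp" && printf '%s=%s\n' "$name" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_keystore_param FILE NAME: print the current value of NAME (empty if unset).
get_keystore_param() {
    sed -n "s|^$2=||p" "$1" | head -n 1
}

# migrate_master_keys CFG PIN [entrust]: copy the master keys with the backup
# guard lowered only for the duration of the db2p12top11 run.
migrate_master_keys() {
    cfg=$1; pin=$2
    # Entrust HSMs additionally need the unwrap_kek override (step 3).
    if [ "${3:-}" = "entrust" ]; then
        export CKNFAST_OVERRIDE_SECURITY_ASSURANCES=unwrap_kek
    fi
    set_keystore_param "$cfg" ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP TRUE
    rc=0
    db2p12top11 -to "$cfg" -pin "$pin" || rc=$?
    # Restore the guard whatever the outcome, then report the command's status.
    set_keystore_param "$cfg" ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP FALSE
    return $rc
}

# write_sample_config FILE: constructed sample configuration for trying the
# functions without a real keystore (placeholder values, not a real setup).
write_sample_config() {
    printf 'VERSION=1\nPRODUCT_NAME=ExampleHSM\nLIBRARY=/opt/example/libpkcs11.so\n' > "$1"
}

# Stand-alone use: sh migrate.sh ~/pkcs11_keystore.cfg Str0ngPassw0rd
if [ $# -eq 2 ]; then
    migrate_master_keys "$1" "$2"
fi
```

Run the vendor backup (step 1) before calling migrate_master_keys; the script only manages the configuration parameter and the db2p12top11 run.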
What to do next
- Configure the Db2 instance to use the centralized PKCS #11 keystore.
- Change the master key by running the ADMIN_ROTATE_MASTER_KEY procedure.