db2p12top11 - Migrate local keystore to a centralized PKCS #11 keystore command

Migrates master keys from a local PKCS12 keystore to a centralized PKCS #11 keystore.

Authorization

Instance owner

Required connection

None

Command syntax

db2p12top11 command

db2p12top11 [-from local.p12] [-localpw pw] -to pkcs11_keystore.cfg -pin pw [-dryrun]
db2p12top11 -version | -v
db2p12top11 -h | -help

Command parameters

-from local.p12

Specifies the path to the local PKCS12 keystore. If this parameter is omitted, the keystore named by the KEYSTORE_LOCATION configuration parameter is migrated.

-localpw pw

Specifies the password of the local keystore when it was not stashed. If this parameter is omitted and no password was stashed, or if the stashed password fails to open the keystore, the user is prompted for the password.

-to pkcs11_keystore.cfg

Specifies the path to the centralized PKCS #11 keystore configuration file.

-pin pw

Specifies the PIN used to authenticate to the centralized PKCS #11 keystore as a normal user. If this parameter is omitted and no PIN was stashed, or if the stashed PIN fails to open the keystore, the user is prompted for it.

-dryrun

Prints the list of keys that would be migrated, without performing the migration. Use it to confirm that the file paths and passwords are correct before the real run.

-version or -v

Prints the program's version.

-h or -help

Displays the help message for this command.

Examples

To print the db2p12top11 description and syntax information, type either of the following commands:
db2p12top11 -h
or
db2p12top11 -help
To migrate the keys stored in the local keystore named by the KEYSTORE_LOCATION configuration parameter to a centralized PKCS #11 keystore:
db2p12top11 -to ~/pkcs11_keystore.cfg -pin Str0ngPassw0rd
This example uses the PKCS #11 keystore configuration file pkcs11_keystore.cfg. Because no -from parameter is given, the command operates on the local keystore named by KEYSTORE_LOCATION and first tries to open it with its stashed password. If that attempt fails, the user is prompted for the password.
To migrate the same keys while supplying the local keystore password explicitly:
db2p12top11 -to ~/pkcs11_keystore.cfg -pin str0ngPassw0rd -localpw 1234
This example performs the same migration as the previous one, but uses the password 1234 to open the local keystore instead of relying on a stashed password.

Usage notes

  • The -to parameter is mandatory: the PKCS #11 keystore configuration file must be passed to the tool for the migration to run.
  • If you are migrating to an Entrust nShield hardware security module (HSM), you must set the CKNFAST_OVERRIDE_SECURITY_ASSURANCES environment variable to unwrap_kek before you run the command.
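The dry run, the migration itself, and the nShield environment override described above, wrapped in a small POSIX sh script. This is an added example and not part of the Db2 documentation or of the db2p12top11 tool itself; the function name migrate_keys, its argument convention (configuration file path, then the optional literal word nshield), and the choice to let the tool prompt for both passwords rather than pass them with -localpw and -pin are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not Db2 code: always run db2p12top11 -dryrun before the real
# migration and stop if the dry run fails. migrate_keys, the "nshield" flag
# and the prompt-instead-of-flags choice are this example's own assumptions.
set -eu

# migrate_keys CFG [nshield]
#   CFG      path to the PKCS #11 keystore configuration file (passed as -to)
#   nshield  optional; sets the environment override the usage notes
#            require for Entrust nShield HSMs
migrate_keys() {
    cfg=$1
    hsm=${2:-}

    # Fail early on a wrong path: -to is mandatory and must be readable.
    if [ ! -r "$cfg" ]; then
        echo "migrate_keys: cannot read PKCS #11 configuration file: $cfg" >&2
        return 2
    fi

    if [ "$hsm" = nshield ]; then
        CKNFAST_OVERRIDE_SECURITY_ASSURANCES=unwrap_kek
        export CKNFAST_OVERRIDE_SECURITY_ASSURANCES
    fi

    # No -localpw/-pin on the command line: the tool prompts for whatever it
    # cannot read from a stash, so the secrets never appear in `ps` output or
    # shell history. -from is omitted, so KEYSTORE_LOCATION is migrated.
    if ! db2p12top11 -to "$cfg" -dryrun; then
        echo "migrate_keys: dry run failed; check paths and passwords, then retry" >&2
        return 1
    fi

    db2p12top11 -to "$cfg"
}

# Stand-alone use: sh migrate.sh ~/pkcs11_keystore.cfg [nshield]
if [ $# -gt 0 ]; then
    migrate_keys "$@"
fi
```

Leaving -localpw and -pin off the command line is deliberate: on most systems `ps` shows full command lines to other local users, and the shell writes them to its history file, so a keystore password or HSM PIN given as a flag is exposed to anyone who can read either. The tool's own prompting covers both secrets, at the cost of answering the prompts twice (once for the dry run, once for the migration).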