To configure a Db2 instance to use a keystore for native encryption, you need to set two database manager configuration parameters: keystore_type and keystore_location.
Procedure
- For a local keystore, set keystore_type to "PKCS12", and set keystore_location to the absolute path and file name of the local keystore file.

  Example:

  update dbm cfg using keystore_location /home/thomas/keystores/ne-keystore.p12 keystore_type pkcs12

- For a centralized keystore, where the key manager product uses the Key Management Interoperability Protocol (KMIP), set keystore_type to "KMIP", and set keystore_location to the absolute path and file name of the centralized keystore configuration file.

  Example:

  update dbm cfg using keystore_location /home/thomas/keystores/isklm.cfg keystore_type kmip

- For a centralized keystore, where the hardware security module (HSM) uses the PKCS #11 keystore API, set keystore_type to "PKCS11", and set keystore_location to the absolute path and file name of the PKCS #11 keystore configuration file.

  Example:

  update dbm cfg using keystore_location /home/thomas/keystores/pkcs11.cfg keystore_type pkcs11
What to do next
Restart the database manager instance to cause the configuration changes to take effect.
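
A pre-flight check that can be run before any of the update commands in the procedure, added here as an example and not taken from the Db2 documentation. The function name check_keystore and the file-mode rule are assumptions of this example, and it assumes a Linux or UNIX instance owner shell.

```shell
#!/bin/sh
# Added example (not IBM code): pre-flight check for keystore_type and
# keystore_location before they are written to the dbm cfg.
# check_keystore TYPE LOCATION
#   prints the matching "update dbm cfg" command and returns 0, or
#   prints a reason on stderr and returns 2-5.

check_keystore() {
    local type location mode
    type=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    location=$2

    # The page names three keystore types: PKCS12, KMIP and PKCS11.
    case "$type" in
        pkcs12|kmip|pkcs11) ;;
        *) echo "unsupported keystore_type: $1" >&2; return 2 ;;
    esac

    # keystore_location must be an absolute path and file name.
    case "$location" in
        /*) ;;
        *) echo "keystore_location is not an absolute path: $location" >&2; return 3 ;;
    esac

    # The keystore (or its configuration file) must exist as a regular file.
    if [ ! -f "$location" ]; then
        echo "no such file: $location" >&2; return 4
    fi

    # Assumption, not from the page: the file should grant no access to
    # group or others (for example mode 600 or 400).
    mode=$(stat -c '%a' "$location" 2>/dev/null || stat -f '%Lp' "$location")
    case "$mode" in
        *00) ;;
        *) echo "mode $mode on $location allows group/other access" >&2; return 5 ;;
    esac

    printf 'update dbm cfg using keystore_location %s keystore_type %s\n' \
        "$location" "$type"
}

# Stand-alone use: sh check_keystore.sh pkcs12 /home/thomas/keystores/ne-keystore.p12
if [ "$#" -eq 2 ]; then
    check_keystore "$@"
fi
```

The printed line is the same update dbm cfg statement shown in the procedure; the restart described under "What to do next" is still required after it is applied.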