Creating a local keystore
You can create a keystore on the local system by using the IBM Global Security Kit (GSKit) library command gsk8capicmd_64.
About this task
Local keystore considerations for multi-member database
When using a local keystore with a Db2® multi-member configuration, such as Db2 pureScale or Db2 Database Partitioning Facility, a copy of the keystore must be present on each member. In addition, coordination of keystore updates must be done manually. For this reason, a centralized keystore is recommended for these database environments.
Procedure
Log in as the Db2 instance owner, and then create the local keystore by running the gsk8capicmd_64 command.
- Example
gsk8capicmd_64 -keydb -create -db "/home/thomas/keystores/ne-keystore.p12" -pw "g00d.pWd" -type pkcs12 -stash -pqc false
- Basic command syntax
gsk8capicmd_64 -keydb -create -db "<file-name>" -pw "<password>" -type pkcs12 -stash -pqc false
- <file-name> is the full path and file name you want to give the keystore file.
- -pqc false creates a keystore in the PBE-based format, which is compatible with Strict FIPS mode, FIPS Compatibility mode, and NOFIPS mode.
- Keystore format:
  - For use with native encryption, the format of the keystore must be PKCS#12, so it is mandatory to specify -type pkcs12.
  - PKCS#12 keystore file names must have the extension ".p12".
- Stashing the password:
  - If you specify the -stash parameter, the keystore password is stored (or stashed) in a stash file with the same base name as the keystore file but with the file extension ".sth".
  - If the password is not stashed, you are prompted for a password whenever the database manager accesses the keystore, including during db2start.
Note: You can stash the password in a stash file later by running the gsk8capicmd_64 command with the -stashpw parameter.
Note: Stashing the password with the gsk8capicmd_64 command is intended to be used in a local keystore only. Do not attempt to stash a password in a local keystore with the db2credman command. The db2credman command is intended to be used with a PKCS #11 keystore.
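The procedure above as a small shell wrapper (an added example, not code from the IBM documentation): it checks that the keystore name is a full path ending in ".p12", runs the same gsk8capicmd_64 command as the Db2 instance owner, and then confirms that the .p12 file and its .sth stash file exist and are readable only by the owner. The function names are assumptions, and gsk8capicmd_64 must be on the PATH.

```shell
#!/bin/sh
# Added example, not from the IBM documentation: a wrapper around the
# gsk8capicmd_64 call shown above. It validates the keystore name before
# creating the keystore and verifies the resulting files afterwards.

# The keystore must be given as a full path and, being PKCS#12, must end in ".p12".
validate_keystore_name() {
  case "$1" in
    /*.p12) return 0 ;;
    *) echo "keystore must be an absolute path ending in .p12: $1" >&2; return 1 ;;
  esac
}

# GSKit writes the stash file next to the keystore: same base name, ".sth" extension.
stash_file_for() {
  printf '%s\n' "${1%.p12}.sth"
}

# After creation, both files must exist and be readable only by the instance
# owner: anyone who can read the stash file can open the keystore without the password.
check_keystore_files() {
  db="$1"
  for f in "$db" "$(stash_file_for "$db")"; do
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
      600|400) ;;
      *) echo "$f has mode $mode; expected 600 (owner only)" >&2; return 1 ;;
    esac
  done
  return 0
}

# Run as the Db2 instance owner. The command line is the one from the page;
# umask 077 makes the new .p12 and .sth files owner-only from the moment they
# are written (the umask stays in effect for the calling shell afterwards).
create_local_keystore() {
  db="$1"; pw="$2"
  validate_keystore_name "$db" || return 1
  umask 077
  gsk8capicmd_64 -keydb -create -db "$db" -pw "$pw" -type pkcs12 -stash -pqc false || return 1
  check_keystore_files "$db"
}

# Usage (path and password constructed for illustration, as on the page):
# create_local_keystore /home/thomas/keystores/ne-keystore.p12 'g00d.pWd'
```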
For information about the full syntax of the gsk8capicmd_64 command, see the GSKCapiCmd User Guide.