Creating a stash file
Create a stash file to address operational concerns that involve access to PKCS #11 keystore credentials.
Before you begin
About this task
A stash file stores the password of a keystore in obfuscated form. The stash file simplifies operations: if you create one, the database manager can access the credentials that it requires to log in to the PKCS #11 keystore without prompting anyone. Without a stash file, the only realistic ways to restart an instance immediately after an unplanned outage are less than ideal:
- Store the credentials in plain form so that an automated script can restart the instance. However, storing the password in plain form is not desirable since it violates security policies and best practices.
- Have a DBA always available to provide the access credentials for the PKCS #11 keystore when the instance restarts. However, having to rely on human intervention, with the expectancy of instant response time, is rarely feasible from an operational perspective.
Restrictions
Procedure
To create a stash file in a PKCS #11 keystore:
Results
The PKCS #11 keystore password is now stored in the stash file, in obfuscated form. The next operation that requires the PKCS #11 keystore password will read it from the stash file.
What to do next
If you are currently using Db2 native encryption with master keys that are stored in a local keystore and you want to start using a PKCS #11 keystore instead, migrate the local keystore to a PKCS #11 keystore.
If you decide to stop using the stash file, in favor of providing PKCS #11 keystore credentials on instance start, follow these steps:
- Run the db2start command with the OPEN KEYSTORE USING password option.
- Update the PKCS #11 keystore configuration file by removing the KEYSTORE_STASH parameter.
- Delete the stash file to eliminate any potential security risks that this unused file poses.
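The last two cleanup steps above (removing KEYSTORE_STASH from the configuration file and deleting the stash file it points to), as an added POSIX shell example that is not part of the IBM documentation. It assumes db2start with OPEN KEYSTORE USING has already been run and that the keystore configuration file holds one NAME=value parameter per line, as in the sample it constructs.

```shell
#!/bin/sh
# Added example (not IBM's code): retire a PKCS #11 keystore stash file.
# Assumption: the configuration file is a list of NAME=value lines.

# retire_stash CONFIG_FILE
# Removes the KEYSTORE_STASH parameter from CONFIG_FILE and deletes the stash
# file it referenced. Prints the deleted path. Returns 1 if no KEYSTORE_STASH
# parameter is present, 2 if the stash file could not be removed.
retire_stash() {
    cfg="$1"
    # Extract the stash path from the first KEYSTORE_STASH=... line.
    stash=$(sed -n 's/^[[:space:]]*KEYSTORE_STASH[[:space:]]*=[[:space:]]*//p' "$cfg" | head -n 1)
    [ -n "$stash" ] || return 1
    # Rewrite the configuration without KEYSTORE_STASH, keeping every other parameter.
    tmp="$cfg.tmp.$$"
    sed '/^[[:space:]]*KEYSTORE_STASH[[:space:]]*=/d' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
    # Delete the now-unused stash file so the obfuscated password no longer sits on disk.
    if [ -f "$stash" ]; then
        rm -f "$stash" || return 2
    fi
    # Verify the file is really gone before reporting success.
    [ ! -e "$stash" ] || return 2
    printf '%s\n' "$stash"
}

# Constructed sample: a configuration file and an empty stash file in a temp dir.
make_sample() {
    dir=$(mktemp -d)
    printf 'VERSION=1\nKEYSTORE_STASH=%s/keystore.sth\n' "$dir" > "$dir/p11.cfg"
    : > "$dir/keystore.sth"
    printf '%s\n' "$dir"
}
```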