Creating a keystore with IBM Global Security Kit (GSKit)
A keystore is an industry-recognized way of securely storing TLS private keys, root certificates, and certificate chains. Db2® supports both the IBM proprietary Certificate Management System (CMS) format and the Public-Key Cryptography Standards #12 (PKCS12) open standard format.
Before you begin
This procedure explains how to use the IBM Global Security Kit (GSKit) to create a keystore for digital certificates and keys that enable secure transmission of data between servers and clients on your Db2 network, by using TLS.
Before you attempt to use IBM Global Security Kit (GSKit), verify that IBM Global Security Kit (GSKit) is installed properly.
About this task
For information about the IBM Global Security Kit (GSKit) tool GSKCapiCmd, see the GSKCapiCmd User Guide.
Procedure
What to do next
To view the contents of your keystore, run the IBM Global Security Kit (GSKit) command gsk8capicmd_64 with the -cert -list options. For example, the following command lists the contents of the keystore mydbserver.kdb:
gsk8capicmd_64 -cert -list -db mykeystore.p12 -stashed
Certificates found
* default, - personal, ! trusted, # secret key
! MyRootCA
- Db2Server
Where
- "!" identifies a certificate that is trusted to sign other certificates. This marker should appear only before root and intermediate CA certificates.
- "-" identifies an end-point (or personal) certificate. Only end-point certificates are valid to specify in SSL_SVR_LABEL.
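As an added example (not part of the IBM Db2 documentation), the following POSIX shell script parses the output of gsk8capicmd_64 -cert -list and checks that a given label is marked as an end-point ("-") certificate, and not as a trusted CA ("!") certificate, before you place it in SSL_SVR_LABEL. The function names and the embedded sample listing are constructed for this example; the sample mirrors the listing format shown above so the check can be run without GSKit installed.

```shell
#!/bin/sh
# Added example, not code from the IBM Db2 documentation: check that a label you
# plan to put in SSL_SVR_LABEL is listed in the keystore as an end-point ("-")
# certificate and not as a trusted CA ("!") certificate, by parsing the output
# of "gsk8capicmd_64 -cert -list". The function names and SAMPLE_LIST below are
# constructed for this example.

# Wrapper around the real GSKit listing command (needs GSKit and a stash file).
list_keystore() {
    gsk8capicmd_64 -cert -list -db "$1" -stashed
}

# check_svr_label LABEL
# Reads "gsk8capicmd_64 -cert -list" output on stdin.
# Exit status: 0 = LABEL is a personal (end-point) certificate, valid for SSL_SVR_LABEL
#              1 = LABEL is present but is a CA certificate or secret key (not valid)
#              2 = LABEL is not in the keystore
check_svr_label() {
    label=$1
    rc=2
    while IFS= read -r line; do
        # Drop leading whitespace.
        line=${line#"${line%%[![:space:]]*}"}
        # The status markers are the run of *, -, !, # characters at the start of
        # the line; everything after them (minus whitespace) is the label.
        markers=${line%%[!!*#-]*}
        rest=${line#"$markers"}
        name=${rest#"${rest%%[![:space:]]*}"}
        [ "$name" = "$label" ] || continue
        case $markers in
            *-*) rc=0 ;;   # personal (end-point) certificate, possibly also "*" default
            *)   rc=1 ;;   # trusted CA ("!"), secret key ("#") or unmarked entry
        esac
        break
    done
    return $rc
}

# Constructed sample of the listing output shown on the page, so the check can
# be exercised without GSKit installed.
SAMPLE_LIST='Certificates found
* default, - personal, ! trusted, # secret key
! MyRootCA
- Db2Server'

# Stand-alone demonstration; with GSKit installed you would instead pipe
# "list_keystore mydbserver.kdb" into check_svr_label.
for lbl in Db2Server MyRootCA NoSuchLabel; do
    rc=0
    printf '%s\n' "$SAMPLE_LIST" | check_svr_label "$lbl" || rc=$?
    case $rc in
        0) echo "$lbl: end-point certificate, valid for SSL_SVR_LABEL" ;;
        1) echo "$lbl: present but not an end-point certificate" ;;
        *) echo "$lbl: not found in keystore" ;;
    esac
done
```

The check deliberately treats anything that is not a "-" entry as invalid, so a CA certificate that was mistakenly chosen as the server label is caught before Db2 is started with a configuration that cannot complete a TLS handshake.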
Viewing details about a certificate in your keystore
To view details about a certificate in your keystore file, such as the key size and CA information, run the IBM Global Security Kit (GSKit) command gsk8capicmd_64 with the -cert -details options. For example, the following command shows the details of the certificate db2Server from the keystore file mydbserver.kdb:
gsk8capicmd_64 -cert -details -label db2Server -db mydbserver.kdb -stashed