Setting up a centralized KMIP keystore

To set up a centralized keystore, with a key manager that is configured for the Key Management Interoperability Protocol (KMIP), for use with Db2® native encryption, you need to create a KMIP keystore configuration file. Once you have created the configuration file, you can enter parameter values to configure Db2 communication between the Db2 instance and the key manager.

Before you begin

Set up the centralized key manager.

Procedure

  1. Create a KMIP keystore configuration file.
  2. Configure communication between the Db2 instance and the key manager. The connection must meet the following requirements:
    • The KMIP server must support TLS 1.2 or TLS 1.3.
      Note: TLS 1.3 is supported for connections to a KMIP key manager in Db2 11.5.8 and later.
      Note: If Db2 is running in STRICT_FIPS mode and TLS 1.2 is used, the KMIP server must support sending and receiving the Extended Master Secret (EMS) TLS extension. If the KMIP server does not support this extension, the connection to the KMIP server is rejected.
    • All certificates must be signed with a signature algorithm that uses SHA2 (SHA256, SHA384, or SHA512). SHA1 is not supported.
    • All certificates must have a key size of at least 2048 bits.
      Note: "All certificates" refers to the Db2 client certificate, the KMIP server certificate, and any Certificate Authority (CA) root and intermediate CA certificates.
    Then configure Db2 for your key manager by using one of the following methods:
    • Configure Db2 with ISKLM
    • Configure Db2 with KeySecure
    Note: Db2 works with any KMIP key manager that is compliant with KMIP 1.1 or later. Key managers that are not listed above can be configured in a similar manner.
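The certificate requirements above (SHA2 signature algorithm, key size of at least 2048 bits, applied to the client, server, CA and intermediate certificates alike) can be checked before the keystore configuration file is written. The following pre-check script is an added example, not IBM's or Db2's own code; it assumes only that the openssl command-line tool is installed, and the two certificates it generates are constructed samples used to exercise the checks.

```shell
#!/bin/sh
# Pre-check PEM certificates against the Db2 KMIP requirements listed above.
# Run it over the Db2 client certificate, the KMIP server certificate and
# every CA / intermediate CA certificate in the chain.

# Return 0 if the signature algorithm name uses SHA256, SHA384 or SHA512.
sig_alg_ok() {
    case "$1" in
        *[Ss][Hh][Aa]256*|*[Ss][Hh][Aa]384*|*[Ss][Hh][Aa]512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the key size (in bits) is at least 2048.
key_size_ok() {
    [ "$1" -ge 2048 ] 2>/dev/null
}

# Check one PEM certificate: print each violation, return 1 if there is any.
check_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    sig=$(printf '%s\n' "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    rc=0
    sig_alg_ok "$sig" || { echo "$1: signature algorithm '$sig' does not use SHA2"; rc=1; }
    key_size_ok "$bits" || { echo "$1: key size ${bits:-unknown} bits is below 2048"; rc=1; }
    return $rc
}

# Check every certificate passed as an argument; fail if any one of them fails.
check_chain() {
    status=0
    for f in "$@"; do check_cert "$f" || status=1; done
    return $status
}

# Constructed samples for a stand-alone run: one compliant certificate and one
# with a 1024-bit key that must be rejected.
tmp=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 1 -subj /CN=good \
    -keyout "$tmp/good.key" -out "$tmp/good.pem" 2>/dev/null
openssl req -x509 -newkey rsa:1024 -sha256 -nodes -days 1 -subj /CN=weak \
    -keyout "$tmp/weak.key" -out "$tmp/weak.pem" 2>/dev/null

check_chain "$tmp/good.pem" "$tmp/weak.pem" \
    || echo "replace the certificates listed above before configuring Db2"
```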

What to do next

Configure the Db2 instance to use this centralized KMIP keystore to store database master keys for Db2 native encryption.