To set up a centralized keystore with a key manager that is configured for the Key
Management Interoperability Protocol (KMIP), for use with Db2® native encryption,
you need to create a KMIP keystore configuration file. After you create the configuration file,
you enter parameter values in it that configure communication between the Db2 instance
and the key manager.
Before you begin
Set up the centralized key manager.
Procedure
- Create a KMIP keystore configuration file.
- Configure communication between the Db2 instance and the key manager. Whichever key manager you use, the connection must meet the following requirements:
  - The KMIP server must support TLS 1.2 or TLS 1.3.
    Note: TLS 1.3 is supported for connections to a KMIP key manager in Db2 11.5.8 and later.
    Note: If Db2 is running in STRICT_FIPS mode and TLS 1.2 is used, the KMIP server must support sending and
    receiving the Extended Master Secret (EMS) TLS extension. If the KMIP server does not support this
    extension, the connection to the KMIP server is rejected.
  - All certificates must be signed with a signature algorithm that uses SHA2 (SHA256, SHA384, or
    SHA512). SHA1 is not supported.
  - All certificates must have a key size of at least 2048 bits.
  Note: "All certificates" means the Db2 client certificate, the KMIP server certificate, and any
  Certificate Authority (CA) root certificates and intermediate CA certificates.
  Then configure Db2 for your key manager by using one of the following methods:
  - Configure Db2 with ISKLM
  - Configure Db2 with KeySecure
  Note: Db2 works with any KMIP key manager that is compliant with KMIP 1.1 or later. Key managers not listed above
  can be configured in a similar manner.
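The certificate and TLS requirements above are the usual reason a KMIP connection is rejected after the configuration file looks correct, so they are worth checking before the Db2 instance is pointed at the keystore. The following script is an added example, not part of Db2 or of the IBM documentation; it uses the openssl command-line tool to check every certificate in a PEM bundle (client certificate, server certificate, CA root and intermediates) for a SHA2 signature algorithm and a key of at least 2048 bits, and to confirm that the KMIP server completes a TLS 1.2 handshake and whether it negotiates the Extended Master Secret extension. The host name, port, and paths are placeholders.

```shell
#!/bin/sh
# Pre-flight check of certificates and the KMIP server connection against the
# requirements listed above. Added example; not Db2 or IBM code. Requires the
# openssl command-line tool. All paths and host names are placeholders.

# Check every certificate in a PEM file (one or more BEGIN/END CERTIFICATE
# blocks). Prints one line per certificate. Returns 0 if all certificates use a
# SHA2 signature and a key of at least 2048 bits, 1 otherwise.
check_cert_chain() {
    pem="$1"
    rc=0
    n=0
    count=$(grep -c 'BEGIN CERTIFICATE' "$pem" || true)
    while [ "$n" -lt "$count" ]; do
        n=$((n + 1))
        # Extract the n-th PEM block from the bundle.
        cert=$(awk -v want="$n" '
            /BEGIN CERTIFICATE/ { i++ }
            i == want { print }
            /END CERTIFICATE/ && i == want { exit }' "$pem")
        text=$(printf '%s\n' "$cert" | openssl x509 -noout -text)
        subject=$(printf '%s\n' "$cert" | openssl x509 -noout -subject)
        # First "Signature Algorithm:" line is the one in the signed body.
        sigalg=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
        # "Public-Key: (2048 bit)" is printed for RSA and EC keys alike.
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        reason=""
        case "$sigalg" in
            *sha256*|*sha384*|*sha512*|*SHA256*|*SHA384*|*SHA512*) ;;
            *) reason="signature algorithm '$sigalg' is not SHA2" ;;
        esac
        # The requirement is stated as 2048 bits for all certificates; an EC
        # certificate (256 or 384 bit key) is therefore reported as a failure here.
        if [ "${bits:-0}" -lt 2048 ]; then
            reason="${reason:+$reason; }key size ${bits:-unknown} bits is below 2048"
        fi
        if [ -n "$reason" ]; then
            status="FAIL: $reason"
            rc=1
        else
            status="OK"
        fi
        printf '%s | %s | %s bit | %s\n' "$subject" "$sigalg" "${bits:-?}" "$status"
    done
    return $rc
}

# Attempt a TLS 1.2 handshake with the KMIP server and report the result.
# Usage: check_kmip_tls host port [cafile]
# Returns 0 when a TLS 1.2 session is established, 2 when it is established
# but the server did not negotiate the Extended Master Secret extension (such
# a server is rejected by Db2 in STRICT_FIPS mode), 1 when no session results.
check_kmip_tls() {
    host="$1"
    port="$2"
    cafile="$3"
    set -- -connect "$host:$port" -tls1_2
    [ -n "$cafile" ] && set -- "$@" -CAfile "$cafile"
    out=$(printf '' | openssl s_client "$@" 2>&1) || true
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    ems=$(printf '%s\n' "$out" | sed -n 's/^ *Extended master secret: *//p' | head -n 1)
    case "$proto" in
        TLSv1.2)
            printf 'TLS OK: %s with %s:%s, extended master secret: %s\n' \
                "$proto" "$host" "$port" "${ems:-unknown}"
            [ "$ems" = "no" ] && return 2
            return 0 ;;
        *)
            printf 'TLS FAIL: no TLS 1.2 session with %s:%s\n%s\n' "$host" "$port" "$out"
            return 1 ;;
    esac
}

# Usage (placeholder paths and host):
#   check_cert_chain /home/db2inst1/kmip/chain.pem
#   check_kmip_tls kmip.example.com 5696 /home/db2inst1/kmip/ca.pem
```

Run check_cert_chain against a bundle that contains the Db2 client certificate, the server certificate, and the full CA chain, since a SHA1-signed or 1024-bit intermediate fails the connection just as the leaf certificates would. If the KMIP server enforces client certificates during the handshake, add `-cert` and `-key` for the Db2 client certificate to the openssl s_client call in check_kmip_tls; a server that only supports TLS 1.3 will fail this forced TLS 1.2 probe, so repeat it with `-tls1_3` in that case.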
What to do next
Configure the Db2 instance to use this centralized KMIP keystore to store database master keys for Db2 native encryption.