IBM Security Guardium Key Lifecycle Manager operations take significant amounts of time

IBM Security Guardium Key Lifecycle Manager operations take significant amounts of time to complete when you add or update a large number of keys in the IBM Security Guardium Key Lifecycle Manager keystore, such as more than 50,000 keys.

Periodically perform database maintenance. For example, when you add or update a large number of keys, take these steps:

  1. Perform a backup of IBM Security Guardium Key Lifecycle Manager.
  2. Stop the Guardium Key Lifecycle Manager server by using the stopServer command.
    Alternatively on Windows systems, stop the Guardium Key Lifecycle Manager server by using Windows Computer Management:
    1. Open the Control Panel and click Administrative Tools > Computer Management > Services.
    2. Stop the Guardium Key Lifecycle Manager server service, which has a name like IBMWAS85Service - SKLMServer.
  3. From a Db2 command window, run these Db2 commands, each on one line.
    db2 reorg indexes all for table sklmdb2.kmt_device_type allow no access
    db2 runstats on table sklmdb2.kmt_device_type and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_certstr_rn allow no access
    db2 runstats on table sklmdb2.kmt_certstr_rn and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_keystr_rn allow no access
    db2 runstats on table sklmdb2.kmt_keystr_rn and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_group allow no access
    db2 runstats on table sklmdb2.kmt_group and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_devaudit allow no access
    db2 runstats on table sklmdb2.kmt_devaudit and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_appinfo allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_appinfo and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_cryptoparams allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_cryptoparams and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_custom allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_custom and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_digest allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_digest and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_link allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_link and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_global_names allow no access
    db2 runstats on table sklmdb2.kmt_kmip_global_names and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_name allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_name and indexes all
    db2 reorg indexes all for table sklmdb2.kmt_kmip_attr_objectgroup allow no access
    db2 runstats on table sklmdb2.kmt_kmip_attr_objectgroup and indexes all
  4. Start the Guardium Key Lifecycle Manager server by using the startServer command.
    Alternatively on Windows systems, start the Guardium Key Lifecycle Manager server by using Windows Computer Management:
    1. Open the Control Panel and click Administrative Tools > Computer Management > Services.
    2. Start the Guardium Key Lifecycle Manager server service, which has a name like IBM WebSphere Application Server V8.5 - SKLM26Server.
  5. Perform another backup of IBM Security Guardium Key Lifecycle Manager.
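
Step 3 can be scripted so that a failed reorg or runstats stops the run before the server is restarted. The following is an added example for a Linux or AIX shell, not IBM-supplied tooling: the names run_step, run_maintenance and DRY_RUN are hypothetical, and it assumes the backup is taken, the server is stopped, and the shell already has a Db2 connection to the key manager database.

```shell
#!/bin/sh
# Added example: schema and table names are copied from step 3 of the procedure.
SCHEMA="sklmdb2"
TABLES="kmt_device_type kmt_certstr_rn kmt_keystr_rn kmt_group kmt_devaudit
kmt_kmip_attr_appinfo kmt_kmip_attr_cryptoparams kmt_kmip_attr_custom
kmt_kmip_attr_digest kmt_kmip_attr_link kmt_kmip_global_names
kmt_kmip_attr_name kmt_kmip_attr_objectgroup"

# Run one Db2 CLP command. CLP return codes: 0 = success, 1 = no rows,
# 2 = warning, 4 = Db2/SQL error, 8 = CLP system error. Only >= 4 is fatal.
# DRY_RUN=1 (the default here) prints the command without running it.
run_step() {
    echo "+ db2 $1"
    if [ "${DRY_RUN:-1}" = "1" ]; then return 0; fi
    rc=0
    db2 "$1" || rc=$?
    if [ "$rc" -ge 4 ]; then
        echo "FAILED (rc=$rc): db2 $1" >&2
        return "$rc"
    fi
}

# Reorganize indexes, then refresh statistics, for each table in order.
# db2 is called from this shell directly (no pipe or subshell around it)
# because a CLP connection belongs to the shell process that opened it.
run_maintenance() {
    for t in $TABLES; do
        run_step "reorg indexes all for table $SCHEMA.$t allow no access" || return $?
        run_step "runstats on table $SCHEMA.$t and indexes all" || return $?
    done
}

run_maintenance
```

Review the dry-run output first, then run with DRY_RUN=0; a nonzero exit status means step 4 should wait until the failed table is investigated.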