Setting up a centralized KMIP keystore

To set up a centralized keystore, with a key manager that is configured for the Key Management Interoperability Protocol (KMIP), for use with Db2® native encryption, you need to create a KMIP keystore configuration file. Once you have created the configuration file, you can enter parameter values to configure Db2 communication between the Db2 instance and the key manager.

Before you begin

Set up the centralized key manager.

If you are using IBM® Security Key Lifecycle Manager, see: Quick Start Guide

Procedure

Create a KMIP keystore configuration file
Configure Db2 between the Db2 instance and the key manager, by using one of the following methods:
- The KMIP server must support TLS 1.2 or TLS 1.3.
  Note: TLS 1.3 is supported for connections to a KMIP Key Manager in Db2 11.5.8 and later.
- All certificates must be signed with a signature algorithm that uses SHA2 (SHA256, SHA384, SHA512). The use of SHA1 is not supported.
- All certificates must have a key size of at least 2048 bits.
  Note: The "All certificates" mentioned above refers to the Db2 client certificate, the KMIP server certificate, and any Certificate Authority (CA) and intermediate CA root certificates.
- Configure Db2 with ISKLM
- Configure Db2 with KeySecure
Note: Db2 works with any KMIP key manager that is compliant with KMIP 1.1 or later. Key managers not listed above can be configured in a similar manner.

What to do next

Configure the Db2 instance to use this centralized KMIP keystore to store database master keys for Db2 native encryption.