Migrating from a local keystore to a centralized KMIP keystore

If you want to migrate your Db2® local keystore to a centralized keystore that is configured for the Key Management Interoperability Protocol (KMIP), you can copy your master keys to the centralized keystore by issuing the db2p12tokmip command.

Before you begin

Procedure

  1. Back up the centralized KMIP keystore. See: Backing up IBM® Security Key Lifecycle Manager.
  2. Set the allow_key_insert_without_keystore_backup parameter to TRUE in the centralized KMIP keystore configuration file.
  3. Copy all master keys from the local keystore to the centralized KMIP keystore by issuing the db2p12tokmip command.
    Example

    db2p12tokmip -from /home/thomas/keystores/ne-keystore.p12 \
        -to /home/thomas/keystores/isklm.cfg


    To see full syntax information, type db2p12tokmip -h in the Db2 command line window, or refer to db2p12tokmip command.

  4. Set the allow_key_insert_without_keystore_backup parameter to FALSE in the centralized KMIP keystore configuration file.
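Steps 2 to 4 can be wrapped so that the backup override is never left enabled after a failed or interrupted copy. The following script is an added example, not part of the IBM procedure or product code. It assumes that step 1 is already done and that the configuration file holds KEYWORD=value lines; the function names and the MIGRATE_CMD variable are hypothetical.

```shell
#!/bin/sh
# Added example, not IBM code. Assumption: the KMIP keystore configuration
# file holds KEYWORD=value lines. MIGRATE_CMD is a hypothetical override used
# to exercise the wrapper without Db2; it defaults to db2p12tokmip.
MIGRATE_CMD=${MIGRATE_CMD:-db2p12tokmip}
PARAM=allow_key_insert_without_keystore_backup

# set_backup_override CFG VALUE: rewrite the parameter line (keyword matched
# case-insensitively) or append it, leaving every other line untouched.
set_backup_override() {
    s_cfg=$1; s_val=$2; s_tmp=$1.tmp.$$; s_rc=0
    {
        ( umask 077; awk -F= -v p="$PARAM" -v v="$s_val" '
            { k = $1; gsub(/[ \t]/, "", k) }
            tolower(k) == p { print $1 "=" v; found = 1; next }
            { print }
            END { if (!found) print toupper(p) "=" v }
        ' "$s_cfg" > "$s_tmp" ) && cat "$s_tmp" > "$s_cfg"   # cat keeps owner and mode
    } || s_rc=$?
    rm -f "$s_tmp"
    return "$s_rc"
}

# backup_override CFG: print the current value in upper case (empty if unset).
backup_override() {
    awk -F= -v p="$PARAM" '
        { k = $1; gsub(/[ \t]/, "", k) }
        tolower(k) == p { v = $2; gsub(/[ \t\r]/, "", v); print toupper(v) }
    ' "$1"
}

# migrate_keys P12 CFG: steps 2 to 4 of the procedure. The override is reset
# to FALSE whether the copy succeeds, fails, or is interrupted.
migrate_keys() {
    m_p12=$1; m_cfg=$2; m_rc=0
    [ -r "$m_p12" ] && [ -w "$m_cfg" ] || { echo "cannot access $m_p12 or $m_cfg" >&2; return 2; }
    trap 'set_backup_override "$m_cfg" FALSE; exit 130' INT TERM HUP
    set_backup_override "$m_cfg" TRUE || m_rc=2
    [ "$m_rc" -ne 0 ] || "$MIGRATE_CMD" -from "$m_p12" -to "$m_cfg" || m_rc=$?
    set_backup_override "$m_cfg" FALSE || m_rc=3
    trap - INT TERM HUP
    [ "$(backup_override "$m_cfg")" = FALSE ] || { echo "override not FALSE in $m_cfg" >&2; return 3; }
    return "$m_rc"
}

# Usage, with the paths from the example above:
# migrate_keys /home/thomas/keystores/ne-keystore.p12 /home/thomas/keystores/isklm.cfg
```

A nonzero return value is the exit status of db2p12tokmip, or 2 or 3 if the configuration file could not be read, updated, or confirmed as FALSE.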

What to do next

  1. Configure the Db2 instance to use the centralized keystore.
  2. Change the master key by running the ADMIN_ROTATE_MASTER_KEY procedure.