IBM Support

Error ECF_CRYPT_UNEXPECTED_ERROR in db2diag.log: "FIPS: internal test failed, interface disabled"

Troubleshooting


Problem

When a Db2 client or server is using encryption features such as TLS, Native Encryption, or SERVER_ENCRYPT authentication, the internal self-test of GSKit might fail when it can't obtain sufficient entropy from the random number generator in a low entropy environment.

Low entropy environments are rare but can result from specific hardware or software combinations or changes.
It is a NIST requirement that a FIPS 140 certified cryptographic provider must shut down its interface if it detects an internal self-test failure. This failure can cause the Db2 instance to stop functioning correctly, and requires a restart of the instance to resolve.

Symptom

GSKit functions return "FIPS: internal test failed, interface disabled" errors in the Db2 diagnostic log. The messages look similar to the following examples:
2020-10-04-22.00.28.189983+480 I3282677A2710        LEVEL: Error
PID     : 5112106              TID : 6393109        PROC : db2sysc 0
INSTANCE: db2inst               NODE : 000           DB   : xxxxxxxxxx
APPHDL  : 0-4750               APPID: xxxxxxxxxxxxxxxxxxxxxxxxx
HOSTNAME: xxxxxxxxxxxx
EDUID   : 6393109              EDUNAME: db2agent (SAMPLE) 0
FUNCTION: DB2 Common, Cryptography, cryptEncryptInit, probe:20
MESSAGE : ECF=0x90000403=-1879047165=ECF_CRYPT_UNEXPECTED_ERROR
          Unexpected cryptographic error
DATA #1 : Hex integer, 4 bytes
0x00000002
DATA #2 : Hex integer, 4 bytes
0x0000000B
DATA #3 : Hex integer, 4 bytes
0x00000003
DATA #4 : String, 59 bytes
FIPS: internal test failed, interface disabled (ICC8.6.0.0)

2020-10-19-16.47.51.820206+000 I15507A2441          LEVEL: Error
PID     : 8192246              TID : 40546          PROC : db2sysc 0
INSTANCE: db2inst               NODE : 000           DB   : xxxxxxxxx
APPHDL  : 0-9067
HOSTNAME: xxxxxxxxxxxxxxxxxxx
EDUID   : 40546                EDUNAME: db2agent (RQ1) 0
FUNCTION: DB2 Common, Cryptography, cryptDHGetPublicKey, probe:10
MESSAGE : ECF=0x90000403=-1879047165=ECF_CRYPT_UNEXPECTED_ERROR
          Unexpected cryptographic error
DATA #1 : Hex integer, 4 bytes
0x00000002
DATA #2 : Hex integer, 4 bytes
0x0000000B
DATA #3 : Hex integer, 4 bytes
0x00000003
DATA #4 : String, 59 bytes
FIPS: internal test failed, interface disabled (ICC8.6.0.0)

2014-08-05-14.25.26.753225+480 I88875C1088 LEVEL: Error
PID : 63242384 TID : 1 PROC : testProc
INSTANCE: db2inst NODE : 000
EDUID : 1
FUNCTION: DB2 Common, Cryptography, cryptContextRealInit, probe:70
MESSAGE : ECF=0x90000403=-1879047165=ECF_CRYPT_UNEXPECTED_ERROR
Unexpected cryptographic error
DATA #1 : Hex integer, 4 bytes
0x00000002
DATA #2 : Hex integer, 4 bytes
0x0000000B
DATA #3 : Hex integer, 4 bytes
0x00000003
DATA #4 : String, 46 bytes
FIPS: internal test failed, interface disabled

In addition, when a FIPS test failure occurs, functions using TLS might encounter errors similar to the following:

2021-04-21-20.06.50.147993-420 I2267E484             LEVEL: Error
PID     : 32557                TID : 140318414464768 PROC : db2sysc 0
INSTANCE: db2v111              NODE : 000
APPHDL  : 0-24
HOSTNAME: MYHOST1
EDUID   : 24                   EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
          return code "12" in "sqlccSSLSocketRead".

2021-04-21-20.06.50.147993-420 I2267E484             LEVEL: Error
PID     : 32557                TID : 140318414464768 PROC : db2sysc 0
INSTANCE: db2v111              NODE : 000
APPHDL  : 0-24
HOSTNAME: MYHOST1
EDUID   : 24                   EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_read" failed with the
          return code "9" in "sqlccSSLSocketRead".

2021-04-21-20.06.50.147993-420 I2267E484             LEVEL: Error
PID     : 32557                TID : 140318414464768 PROC : db2sysc 0
INSTANCE: db2v111              NODE : 000
APPHDL  : 0-24
HOSTNAME: MYHOST1
EDUID   : 24                   EDUNAME: db2agent () 0
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
          return code "3" in "sqlccSSLSocketSetup".

Note: The exact stack and function name can differ. Other encryption and TLS related functions may fail similarly.
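One way to detect these symptoms automatically is to scan db2diag.log for both record types shown above. The following is an added example, not IBM code and not part of the original document; the function names and the abbreviated sample records are constructed for illustration and assume the record layout shown in the excerpts.

```python
import re
# A record starts with a timestamp, a record id, and "LEVEL: <level>".
HEADER = re.compile(r"^(\d{4}-\d\d-\d\d-\d\d\.\d\d\.\d\d\.\d{6}[+-]\d{3})\s+\S+\s+LEVEL:\s*(\w+)")
FUNC = re.compile(r"FUNCTION:.*,\s*(\w+),\s*probe:(\d+)")
INST = re.compile(r"INSTANCE:\s*(\S+)")
GSK = re.compile(r'DIA3604E The SSL function "(\w+)" failed with the\s+return code "(\d+)"')
FIPS = "FIPS: internal test failed, interface disabled"

def parse_records(text):
    """Split db2diag.log text into records, joining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": m.group(2), "body": ""})
        elif records:
            records[-1]["body"] += " " + line.strip()
    return records

def find_crypto_failures(text):
    """Return FIPS self-test failures and GSKit TLS errors, in log order."""
    findings = []
    for rec in parse_records(text):
        body, func, inst = rec["body"], FUNC.search(rec["body"]), INST.search(rec["body"])
        base = {"ts": rec["ts"], "instance": inst.group(1) if inst else None,
                "function": func.group(1) if func else None}
        if "ECF_CRYPT_UNEXPECTED_ERROR" in body and FIPS in body:
            findings.append({**base, "kind": "fips_selftest_failed"})
        elif (g := GSK.search(body)):
            findings.append({**base, "kind": "gskit_tls_error",
                             "gsk_function": g.group(1), "rc": int(g.group(2))})
    return findings

def instances_needing_restart(findings):
    # The document states that resolving the failure requires an instance restart.
    return sorted({f["instance"] for f in findings if f["kind"] == "fips_selftest_failed"})

# Constructed, abbreviated sample in the db2diag.log layout shown above.
SAMPLE = """\
2020-10-04-22.00.28.189983+480 I3282677A2710        LEVEL: Error
INSTANCE: db2inst              NODE : 000           DB   : SAMPLE
FUNCTION: DB2 Common, Cryptography, cryptEncryptInit, probe:20
MESSAGE : ECF=0x90000403=-1879047165=ECF_CRYPT_UNEXPECTED_ERROR
FIPS: internal test failed, interface disabled (ICC8.6.0.0)
2021-04-21-20.06.50.147993-420 I2267E484             LEVEL: Error
INSTANCE: db2v111              NODE : 000
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:30
MESSAGE : DIA3604E The SSL function "gsk_secure_soc_init" failed with the
          return code "12" in "sqlccSSLSocketRead".
"""
```

Matching on the FIPS message text rather than on the function name follows the note above: the failing function differs between records, while the message string stays the same.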


Document Information

Modified date:
01 May 2025

UID

ibm16356455