IBM Support

Master Key rotation in pureScale

Technical Blog Post


Abstract

Master Key rotation in pureScale

Body

In Db2 pureScale, when you rotate the master key on one member, the new key label does not immediately appear on the other members when you check with the db2pd -enc command.

 

Example : 

 

1> Suppose the master key is rotated with the following command on member 0:

db2 "CALL SYSPROC.ADMIN_ROTATE_MASTER_KEY (NULL)"

  Value of output parameter
  --------------------------
  Parameter Name  : LABEL
  Parameter Value : DB2_SYSGEN_xxxxxx_xxxx_2018-08-11-11.18.52

  Return Status = 0

 
2> Checking on member 0 with db2pd shows the new label:
 
MEMBER 0 $ db2pd -db DBNAME -enc

Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-08-11-11.18.52

 Master Key Rotation Timestamp: 2018-08-11-11.18.52.000000

 Previous Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-03-04-05.34.25

 

3> Checking on the other member still shows the old label (same database, so the same name is used here):

MEMBER 1 $ db2pd -db DBNAME -enc

 Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-03-04-05.34.25

 Master Key Rotation Timestamp: 2018-03-04-05.34.25.000000

 Previous Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2017-10-17-14.47.11

  

One customer deactivated and reactivated the database, after which member 1 also showed the new master key in the db2pd -enc output.

 

Is that deactivate/activate needed? Why is the new master key not reflected on the other members right away?

 

Solution :

The next time you rotate the database master key in pureScale, check the rotation on the "other" member(s) with the following query first, rather than with db2pd:

db2 "select OBJECT_TYPE, OBJECT_NAME, MASTER_KEY_LABEL, ROTATION_TIME from table(sysproc.admin_get_encryption_info())"

It should show that the master key has been rotated. Once the query has run on a member, db2pd -enc on that member refreshes as well, so the output on all members should then match.

 

Explanation :

db2pd -enc reads an in-memory copy of the encryption information. On the other members that copy is not refreshed until something needs it: transactions or log records being committed to disk, a query of the ADMIN_GET_ENCRYPTION_INFO table function, or database activation.

A member with no activity therefore keeps showing the old label from memory. The rotation itself has already taken effect; the deactivate/activate simply forced the refresh, which is why the customer saw the new label afterwards. Querying the table function forces the same refresh without restarting the database.
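The following script is an added example, not code from the IBM page: it applies the check described in the Solution and Explanation above to every member, running the table-function query (which refreshes the member's cached encryption info) before db2pd -enc and reporting whether all members agree. The parsing helpers take captured text so they can be exercised without a Db2 instance; check_members() is the live path and is not run here. The host names, the ssh fan-out, and sourcing ~/sqllib/db2profile on each member host are assumptions, and the sample outputs are constructed from the page's example, not real captures.

```shell
#!/bin/sh
# Added example, not code from the IBM page: verify that a master key rotation
# is visible on every pureScale member. Assumptions (not from the original
# post): member host names, ssh fan-out, ~/sqllib/db2profile on each host.

# Current label from db2pd -db <DB> -enc output (first "Master Key Label:" line;
# the "Previous Master Key Label:" line does not match the anchored pattern).
mk_label_from_db2pd() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Master Key Label:[[:space:]]*//p' | head -n 1
}

# MASTER_KEY_LABEL from the page's query run with "db2 -x" (no headers), whose
# columns are OBJECT_TYPE OBJECT_NAME MASTER_KEY_LABEL ROTATION_TIME.
mk_label_from_tf() {
  printf '%s\n' "$1" | awk 'NF >= 3 { print $3; exit }'
}

# Return 0 when every label given matches the first one, 1 otherwise.
labels_consistent() {
  [ $# -gt 0 ] || return 0
  first="$1"
  shift
  for l in "$@"; do
    [ "$l" = "$first" ] || return 1
  done
  return 0
}

report_consistency() {
  if labels_consistent "$@"; then echo MATCH; else echo MISMATCH; fi
}

QUERY='select OBJECT_TYPE, OBJECT_NAME, MASTER_KEY_LABEL, ROTATION_TIME from table(sysproc.admin_get_encryption_info())'

# Live check (needs a pureScale instance; not run here):
#   check_members DBNAME host_of_member0 host_of_member1 ...
# Running the table function before db2pd -enc forces each member to refresh
# its in-memory copy, so the two values printed per host should agree.
check_members() {
  db="$1"; shift
  labels=""
  for host in "$@"; do
    tf=$(ssh "$host" ". ~/sqllib/db2profile && db2 connect to $db >/dev/null && db2 -x \"$QUERY\"")
    pd=$(ssh "$host" ". ~/sqllib/db2profile && db2pd -db $db -enc")
    tfl=$(mk_label_from_tf "$tf")
    pdl=$(mk_label_from_db2pd "$pd")
    printf '%s: table function=%s db2pd=%s\n' "$host" "$tfl" "$pdl"
    labels="$labels $pdl"
  done
  # Labels contain no whitespace, so word splitting here is intended.
  report_consistency $labels
}

# Constructed sample output modelled on the page's example (member 0 rotated,
# member 1 still showing the stale in-memory label); not real captures.
SAMPLE_MEMBER0_PD='Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-08-11-11.18.52
 Master Key Rotation Timestamp: 2018-08-11-11.18.52.000000
 Previous Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-03-04-05.34.25'
SAMPLE_MEMBER1_PD='Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2018-03-04-05.34.25
 Master Key Rotation Timestamp: 2018-03-04-05.34.25.000000
 Previous Master Key Label: DB2_SYSGEN_xxxxxx_xxxx_2017-10-17-14.47.11'
# Constructed "db2 -x" output of the query on member 1: the table function
# reads current state rather than the stale cache, so it shows the new label.
SAMPLE_MEMBER1_TF='DATABASE DBNAME DB2_SYSGEN_xxxxxx_xxxx_2018-08-11-11.18.52 2018-08-11-11.18.52.000000'

# Offline demonstration: comparing only the db2pd labels reproduces the
# apparent inconsistency from the page.
offline_demo() {
  report_consistency "$(mk_label_from_db2pd "$SAMPLE_MEMBER0_PD")" \
                     "$(mk_label_from_db2pd "$SAMPLE_MEMBER1_PD")"
}

offline_demo   # prints MISMATCH for the constructed samples
```

In the live path, compare the table-function label with the db2pd label per host: if the table function already shows the new label while db2pd lags, you are seeing the cached copy described above, not a failed rotation.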

 

Business Unit: Data and AI (BU029); Product: DB2 for Linux, UNIX and Windows (SSEPGG); Platform: Platform Independent (PF025)

UID

ibm11140148