Generating the Client Certificate
Before generating the client certificate, ensure that you have registered the KMIP client.
Tip
To register the KMIP client, refer to the client registration procedure.
You can generate the client certificate using either of the following two options:
Manual Registration
Generate a registration token using the Local Root CA and the profile generated in the previous step.
Copy the registration token and go to Registered clients > Add client. Specify the client name, paste the registration token, and click Save.
Download the resultant client certificate.
Move the downloaded client certificate to the working folder (/opt/wallet/KMIP) of the DB2 server and rename it to client.crt.
After moving and renaming the client certificate as described above, add the signed client certificate to the local KeyStore. To do so, execute the following command:
/home/<db2 instance user>/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -db <LOCAL KEYSTOREFILE> -stashed -file <CLIENT CERTIFICATE>
For example: /home/db2user/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -db "/opt/wallet/KMIP/clientkeydb.p12" -stashed -file "client.crt"
Auto Registration
Copy the CSR generated previously.
On the CipherTrust Manager GUI, perform the following steps:
Go to CA > Local and click the Local CA listed there.
Click on Upload CSR.
Enter a name in Display name, paste the content of the CSR in the CSR column, and select Certificate Purpose as client.
Click on Issue Certificate and save the certificate.
Move the downloaded client certificate to the working folder (/opt/wallet/KMIP) of the DB2 server and rename it to client.crt.
After moving and renaming the client certificate as described above, add the signed client certificate to the local KeyStore. To do so, execute the following command:
/home/<db2 instance user>/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -db <LOCAL KEYSTOREFILE> -stashed -file <CLIENT CERTIFICATE>
For example: /home/db2user/sqllib/gskit/bin/gsk8capicmd_64 -cert -receive -db "/opt/wallet/KMIP/clientkeydb.p12" -stashed -file "client.crt"
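Before running the -cert -receive command in either option, it helps to confirm that the downloaded certificate was issued from your CSR, is not about to expire, and permits TLS client use. The script below is an added example, not part of the original procedure or of the vendor tooling; it assumes OpenSSL is installed on the DB2 server and that the CSR was saved to a file (the name client.csr is hypothetical).

```bash
#!/usr/bin/env bash
# Added example: checks on the issued client certificate before it is
# received into the keystore. File names are supplied by the caller; the CSR
# file name is an assumption (the page does not name it).

# SHA-256 of the public key in a PEM certificate (x509) or CSR (req).
pubkey_hash() {  # $1 = x509|req, $2 = file
  local pem
  pem=$(openssl "$1" -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$pem" ] || return 1
  printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
}

# Returns 0 if the certificate is fit to import, otherwise a distinct code:
#   2 unreadable input, 3 key mismatch, 4 expiring/expired, 5 wrong purpose
check_client_cert() {  # $1 = certificate, $2 = CSR it was issued from
  local cert=$1 csr=$2 cert_key csr_key
  cert_key=$(pubkey_hash x509 "$cert") || { echo "cannot parse $cert" >&2; return 2; }
  csr_key=$(pubkey_hash req "$csr") || { echo "cannot parse $csr" >&2; return 2; }

  # The certificate must carry the public key from the CSR generated earlier;
  # a mismatch means the wrong file was downloaded or the wrong CSR was pasted.
  if [ "$cert_key" != "$csr_key" ]; then
    echo "public key in $cert does not match $csr" >&2; return 3
  fi

  # Reject a certificate that is expired or expires within 24 hours.
  if ! openssl x509 -in "$cert" -noout -checkend 86400 >/dev/null 2>&1; then
    echo "$cert is expired or expires within 24h" >&2; return 4
  fi

  # Certificate Purpose was selected as client, so TLS client use must be allowed.
  if ! openssl x509 -in "$cert" -noout -purpose 2>/dev/null | grep -q '^SSL client : Yes'; then
    echo "$cert is not valid for TLS client authentication" >&2; return 5
  fi
  echo "OK: $cert matches $csr and is usable as a client certificate"
}

# Usage: ./check_cert.sh client.crt client.csr
if [ "$#" -eq 2 ]; then check_client_cert "$1" "$2"; fi
```

A non-zero exit code identifies which check failed, so the script can gate the gsk8capicmd_64 import in an automated setup.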