Generating Master Encryption Key in the CipherTrust Manager
To generate the Master Encryption Key in the CipherTrust Manager, perform the following steps:
Create a centralized KeyStore.
To store a Master Encryption Key in CipherTrust Manager for DB2 native encryption, you need to create a configuration file that describes this centralized keystore, that is, the CipherTrust Manager.
In the work folder (/opt/wallet/KMIP) on the DB2 server, create a kmip.cfg file with the following contents:
VERSION=1
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=/opt/wallet/KMIP/clientkeydb.p12
SSL_KEYDB_STASH=/opt/wallet/KMIP/clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=DB2_CLIENT_CERT
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=<IP of CM>
MASTER_SERVER_KMIP_PORT=<port for KMIP interface>
CLONE_SERVER_HOST=
CLONE_SERVER_KMIP_PORT=
where:
SSL_KEYDB (Required): Absolute path and name of the local keystore file that holds the SSL certificates for communication between DB2 server and the CipherTrust Manager.
SSL_KEYDB_STASH (Optional): Absolute path and name of the stash file for the local keystore that holds the certificates for communication between the DB2 server and the CipherTrust Manager.
SSL_KMIP_CLIENT_CERTIFICATE_LABEL (Required): The label of the SSL certificate for authenticating the client during communication with the CipherTrust Manager.
MASTER_SERVER_HOST: The IP address of the CipherTrust Manager.
MASTER_SERVER_KMIP_PORT: The port of the KMIP interface on the CipherTrust Manager.
Configure a DB2 instance to use CipherTrust Manager as the centralized keystore.
Enter the DB2 command line by running the db2 command as the DB2@instance user.
Update the keystore configuration to point to the new configuration file kmip.cfg:
db2 => update dbm cfg using keystore_location <file path>/kmip.cfg
db2 => update dbm cfg using keystore_type kmip
Stop and start the database:
db2 => db2stop
db2 => db2start
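As an added example (not code from this page, from IBM or from Thales), a small Python checker for the kmip.cfg file above that a DB2 administrator can run before pointing keystore_location at it: it parses the KEY=VALUE lines and reports keys the page marks as required that are missing, values still left as template placeholders, relative paths for the key database and stash files, undocumented keys, and a malformed KMIP port. The embedded sample configuration is constructed; 192.0.2.10 is a documentation address and 5696 is the standard KMIP port, both example values.

```python
import re

# Keys the page documents; "required" follows the page's own annotations.
REQUIRED = {"SSL_KEYDB", "SSL_KMIP_CLIENT_CERTIFICATE_LABEL",
            "MASTER_SERVER_HOST", "MASTER_SERVER_KMIP_PORT"}
OPTIONAL = {"VERSION", "PRODUCT_NAME", "ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP", "SSL_KEYDB_STASH",
            "ALLOW_NONCRITICAL_BASIC_CONSTRAINT", "CLONE_SERVER_HOST", "CLONE_SERVER_KMIP_PORT"}
PLACEHOLDER = re.compile(r"^<.*>$|^IP of CM$")  # template values never filled in

def parse_kmip_cfg(text):
    # KEY=VALUE per line; blank lines and '#' comments are ignored, empty values are allowed.
    cfg = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {n}: expected KEY=VALUE, got {line!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def check_kmip_cfg(cfg):
    # Returns a list of problems; an empty list means the file looks usable.
    problems = [f"{k} is required but missing" for k in sorted(REQUIRED - set(cfg))]
    problems += [f"{k} is not a documented key" for k in sorted(set(cfg) - REQUIRED - OPTIONAL)]
    for key, value in cfg.items():
        if PLACEHOLDER.match(value):
            problems.append(f"{key} still holds the placeholder {value!r}")
    for key in ("SSL_KEYDB", "SSL_KEYDB_STASH"):
        if cfg.get(key) and not cfg[key].startswith("/"):
            problems.append(f"{key} must be an absolute path, got {cfg[key]!r}")
    port = cfg.get("MASTER_SERVER_KMIP_PORT")
    if port is not None and not (port.isdigit() and 1 <= int(port) <= 65535):
        problems.append(f"MASTER_SERVER_KMIP_PORT must be a TCP port number, got {port!r}")
    return problems

# Constructed sample: the page's template with both placeholders filled in (example values).
SAMPLE_CFG = """\
VERSION=1
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=/opt/wallet/KMIP/clientkeydb.p12
SSL_KEYDB_STASH=/opt/wallet/KMIP/clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=DB2_CLIENT_CERT
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=false
MASTER_SERVER_HOST=192.0.2.10
MASTER_SERVER_KMIP_PORT=5696
CLONE_SERVER_HOST=
CLONE_SERVER_KMIP_PORT=
"""
```

Running check_kmip_cfg(parse_kmip_cfg(open("/opt/wallet/KMIP/kmip.cfg").read())) on the real file before the update dbm cfg step catches the common mistake of leaving the host or port placeholder in place.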