Creating a local keystore

You can create a keystore on the local system by using the GSKit library command gsk8capicmd_64.

About this task

Local keystore considerations for multi-member database

When using a local keystore with a Db2® multi-member configuration, such as Db2 pureScale or Db2 Database Partitioning Facility, a copy of the keystore must be present on each member. In addition, coordination of keystore updates must be done manually. For this reason, a centralized keystore is recommended for these database environments.

Procedure

Example


gsk8capicmd_64 -keydb -create -db "/home/thomas/keystores/ne-keystore.p12" 
    -pw "g00d.pWd" -type pkcs12 -stash

Basic command syntax


gsk8capicmd_64 -keydb -create -db "<file-name>" -pw "<password>" -type pkcs12 -stash

<file-name> is the full path and file name you want to give the keystore file
Keystore format:
- For use with native encryption, the format of the keystore must be PKCS#12, so it is mandatory to specify -type pkcs12
- PKCS#12 keystore file names must have the extension ".p12"
Stashing the password:
- If you specify the -stash parameter, the keystore password is stored (or stashed) in a stash file with the same base name as the keystore file but with the file extension ".sth".
- If the password is not stashed, you are prompted for a password whenever the database manager accesses the keystore, including during db2start.
Note: You can stash the password in a stash file later by running the gsk8capicmd_64 command with the -stashpw parameter.

Note: Stashing the password with the gsk8capicmd_64 command is intended to be used in a local keystore only. Do not attempt to stash a password in a local keystore with the db2credman command. The db2credman command is intended to be used with a PKCS #11 keystore.

For information about the full syntax of the gsk8capicmd_64 command, see the GSKCapiCmd User Guide.