Creating a keystore with IBM Global Security Kit (GSKit)

You run the IBM Global Security Kit (GSKit) tool gsk8capicmd_64 to create a keystore for storing the digital certificate and private key for the Db2 server. Stored certificates can be either self-signed or signed by a certificate authority (CA).

About this task

Db2 supports both CMS (.kdb) and PKCS #12 (.p12) type keystores. On Windows platforms, Db2 supports the Microsoft Certificate Store (MSCS).

Ensure that you have IBM Global Security Kit (GSKit) installed properly, and that IBM Global Security Kit (GSKit) is included in your environment path. For more information, see IBM Global Security Kit global installation instructions overview.

Procedure

From a terminal window, run the following command to create a keystore:
gsk8capicmd_64 -keydb -create -db server.p12 -pw myServerPassw0rdpw0 -stash -pqc false
where
  • -pw is a unique password.
  • -stash creates a stash file at the same path as the keystore, with a file extension of .sth.
    At instance start-up, IBM Global Security Kit (GSKit) uses the stash file to obtain the password to the keystore.
    Important: Use strong file system protection on the stash file. By default, only the instance owner can access this file (with both read and write access).
  • -pqc false creates a keystore in the PBE-based format, which is compatible with Strict FIPS mode, FIPS Compatibility mode, and NOFIPS mode.
    Note: Keystores created with previous versions of Db2 that use IBM Global Security Kit (GSKit) 8.0.55.26 or earlier use the PBE-based format by default, and do not need to be recreated.
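The following script is an added example, not part of IBM's documentation: it wraps the command above and then checks that the keystore and its stash file carry the owner-only file system protection the Important note calls for. It assumes gsk8capicmd_64 is on PATH, that the caller supplies the keystore password, and that the instance owner is the user running the script.

```shell
# Added example (not IBM's own code). Assumptions: gsk8capicmd_64 is on PATH,
# the password is supplied by the caller, and the instance owner is the
# user running this script.

# verify_stash_protection FILE UID
# Succeed only if FILE exists, is owned by numeric user id UID and grants no
# group/other permission bits (for example mode 600), which is the protection
# the page's Important note asks for on the .sth stash file.
verify_stash_protection() {
    file=$1
    uid=$2
    [ -f "$file" ] || { echo "not found: $file" >&2; return 1; }
    mode=$(stat -c '%a' "$file") || return 1      # GNU stat, e.g. 600
    fuid=$(stat -c '%u' "$file") || return 1
    [ "$fuid" = "$uid" ] || { echo "$file owned by uid $fuid, expected $uid" >&2; return 1; }
    case $mode in
        *00) ;;                                    # group and other bits are zero
        *) echo "$file has mode $mode; expected owner-only access" >&2; return 1 ;;
    esac
    return 0
}

# create_db2_keystore KEYSTORE PASSWORD
# Runs the page's command, then tightens and verifies the two files GSKit
# writes: the keystore and the stash file (same path, .sth extension).
create_db2_keystore() {
    db=$1
    pw=$2
    gsk8capicmd_64 -keydb -create -db "$db" -pw "$pw" -stash -pqc false || return 1
    stash="${db%.*}.sth"                           # server.p12 -> server.sth
    chmod 600 "$db" "$stash" || return 1
    verify_stash_protection "$stash" "$(id -u)" &&
    verify_stash_protection "$db" "$(id -u)"
}

# Usage (requires GSKit installed):
#   create_db2_keystore server.p12 'myServerPassw0rdpw0'
```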