Setting up a centralized KMIP keystore

To set up a centralized keystore, with a key manager that is configured for the Key Management Interoperability Protocol (KMIP), for use with Db2® native encryption, you need to create a KMIP keystore configuration file. Once you have created the configuration file, you can enter parameter values to configure SSL communication between the Db2 instance and the key manager.

Before you begin

Set up the centralized key manager.

If you are using IBM® Security Key Lifecycle Manager, see: Quick Start Guide

Procedure

Create a KMIP keystore configuration file
Configure SSL between the Db2 instance and the key manager, by using one of the following methods:
- The KMIP server must support TLS 1.2.
- All certificates must be signed with a signature algorithm that uses SHA2 (SHA256, SHA384, SHA512). The use of SHA1 is not supported.
- All certificates must have a key size of at least 2048 bits.
  Note: The "All certificates" mentioned above refers to the Db2 client certificate, the KMIP server certificate, and any Certificate Authority (CA) and intermediate CA root certificates.
- Configure SSL with ISKLM
- Configure SSL with KeySecure
Note: Other key manager products can be configured in a similar manner.

What to do next

Configure the DB2 instance to use this centralized KMIP keystore to store database master keys for Db2 native encryption.