IBM Support

The internal format of GSKit stash files has changed.

Troubleshooting


Problem

A stash file stores the password of a keystore in obfuscated form, and contributes to enhanced operations. The internal format of GSKit stash files has changed.

The characteristics of this change are:
    - The format of existing stash files will not change unless deliberately migrated (see below).
    - All newly generated stash files will be created using the new format.
    - Starting with Db2 V10.5 FP9 and V11.1 FP3, Db2 works with stash files in both the old and the new format.

Products need to take care not to use Db2 V10.5 FP9 or V11.1 FP3 to generate a stash file that is intended for use on an older fix pack containing an older build of GSKit. Db2 V10.5 FP8 and V11.1 FP2 iFix002 or lower (GSKit builds prior to 8.0.50.69) cannot read the new stash file format.

If you try to read a stash file created with a later version of GSKit on an older build, you may get the following error from GSKit:

> gsk8capicmd_64 -cert -list -db  keys.p12 -stashed
CTGSK3026W The key file "keys.p12" does not exist or cannot be read.
CTGSK2016W An invalid database password was encountered.
-Command usage-
-list                 Required <all | personal | ca>
-db | -crypto         Required
-tokenlabel           Required if -crypto present
-pw | -stashed        Optional
-type                 Optional <cms | kdb | pkcs12 | p12>
-secondarydb          Optional if -crypto present
-secondarydbpw        Optional if -secondarydb present
-secondarydbtype      Optional if -secondarydb present
-expiry               Optional
-rfc3339              Optional

To find out which version of GSKit you are using, please see the following: http://www-01.ibm.com/support/docview.wss?uid=swg21617892

You may observe the following error returned by Db2 when encountering this condition:

SQL1728N The command or operation failed because the keystore could not be accessed. Reason code "7".

And associated error messages in db2diag.log:

2018-04-18-13.38.12.828133+000 I9226569E3243         LEVEL: Error
PID     : 12589                TID : 140183995410176 PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000            DB   : SAMPLE
APPHDL  : 0-9                  APPID: *LOCAL.db2inst1.180418133812
AUTHID  : DB2INST1             HOSTNAME: hostname
EDUID   : 25                   EDUNAME: db2agent (SAMPLE) 0
FUNCTION: DB2 Common, Cryptography, cryptP12KSOpen, probe:305
MESSAGE : ECF=0x90000647=-1879046585=ECF_CRYPT_KEYSTORE_UNEXPECTED_ERROR
         An unexpected error accessing the keystore
DATA #1 : unsigned integer, 4 bytes
17
DATA #2 : String, 27 bytes
/home/db2inst1/db2_keys.kdb
 .....
 
2018-04-18-13.38.12.855869+000 I9231070E922          LEVEL: Severe
PID     : 12589                TID : 140183995410176 PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000            DB   : SAMPLE
APPHDL  : 0-9                  APPID: *LOCAL.db2inst1.180418133812
AUTHID  : DB2INST1             HOSTNAME: hostname
EDUID   : 25                   EDUNAME: db2agent (SAMPLE) 0
FUNCTION: DB2 UDB, base sys utilities, sqeLocalDatabase::FirstConnect, probe:10151
DATA #1 : SQLCA, PD_DB2_TYPE_SQLCA, 136 bytes
sqlcaid : SQLCA     sqlcabc: 136   sqlcode: -1728   sqlerrml: 2
sqlerrmc: 7
sqlerrp : SQLEXCER
sqlerrd : (1) 0x805C08E4      (2) 0x000008E4      (3) 0x00000000
          (4) 0x00000000      (5) 0x00000000      (6) 0x00000000
sqlwarn : (1)      (2)      (3)      (4)        (5)       (6)  
          (7)      (8)      (9)      (10)        (11)    
sqlstate:    
DATA #2 : Boolean, 1 bytes
false


Additionally, you may observe the following error returned by Db2 during db2start when setting up SSL:

03/31/2018 08:52:59     0   0   SQL5043N  Support for one or more communications protocols failed to start successfully. However, core database manager functionality started successfully.

And the following entry may appear in the db2diag.log:
 
2018-03-31-09.22.11.857920+000 I52702545A433      LEVEL: Error
PID     : 54460796             TID  : 258         PROC : db2sysc 17
INSTANCE: db2inst1             NODE : 017
EDUID   : 258                  EDUNAME: db2sysc 17
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:530
MESSAGE : DIA3604E The SSL function "gsk_environment_init" failed with the
          return code "408" in "sqlccLoadSSLLibrary".

2018-03-31-09.22.11.862228+000 I52702979A354      LEVEL: Error
PID     : 54460796             TID  : 258         PROC : db2sysc 17
INSTANCE: db2inst1             NODE : 017
EDUID   : 258                  EDUNAME: db2sysc 17
FUNCTION: DB2 UDB, common communication, sqlccLoadSSLLibrary, probe:998
MESSAGE : DIA3603E SSL was not setup. Return code = "54".
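
The db2diag.log signatures quoted above and the 8.0.50.69 build threshold, combined into a small triage helper. This is an added example, not IBM code; the function names and the abridged sample records are constructed for illustration. A match flags a record for review and does not by itself prove a stash format mismatch.

```python
import re

# First GSKit build that can read the new stash format, per this technote.
MIN_BUILD = (8, 0, 50, 69)

# Signatures copied from the db2diag.log excerpts in this technote.
SIGNATURES = {
    "keystore_open_error": re.compile(r"cryptP12KSOpen.*?ECF_CRYPT_KEYSTORE_UNEXPECTED_ERROR", re.S),
    "sql1728n_reason_7": re.compile(r"sqlcode:\s*-1728\b.*?sqlerrmc:\s*7\b", re.S),
    "gsk_environment_init_408": re.compile(
        r'"gsk_environment_init"\s+failed\s+with\s+the\s+return\s+code\s+"408"'),
    "ssl_not_setup_54": re.compile(r'DIA3603E SSL was not setup\. Return code = "54"'),
}
# A db2diag.log record begins with a timestamp at the start of a line.
RECORD_START = re.compile(r"^\d{4}-\d\d-\d\d-\d\d\.\d\d\.\d\d\.\d{6}[+-]\d{3}\s", re.M)

def reads_new_stash_format(gskit_version):
    """True if this GSKit build (e.g. '8.0.50.69') can read new-format stash files."""
    return tuple(int(p) for p in gskit_version.strip().split(".")) >= MIN_BUILD

def triage(diag_text):
    """Return (timestamp, signature) pairs for records matching a known signature."""
    starts = [m.start() for m in RECORD_START.finditer(diag_text)]
    hits = []
    for begin, end in zip(starts, starts[1:] + [len(diag_text)]):
        record = diag_text[begin:end]
        timestamp = record.split(None, 1)[0]
        hits += [(timestamp, name) for name, rx in SIGNATURES.items() if rx.search(record)]
    return hits

# Constructed sample: abridged records modelled on the excerpts above, plus one unrelated record.
SAMPLE = """\
2018-04-18-13.38.12.828133+000 I9226569E3243         LEVEL: Error
FUNCTION: DB2 Common, Cryptography, cryptP12KSOpen, probe:305
MESSAGE : ECF=0x90000647=-1879046585=ECF_CRYPT_KEYSTORE_UNEXPECTED_ERROR
2018-04-18-13.38.12.855869+000 I9231070E922          LEVEL: Severe
sqlcaid : SQLCA     sqlcabc: 136   sqlcode: -1728   sqlerrml: 2
sqlerrmc: 7
2018-04-18-13.40.00.000000+000 I9232000E300          LEVEL: Info
MESSAGE : unrelated constructed record
2018-03-31-09.22.11.857920+000 I52702545A433      LEVEL: Error
MESSAGE : DIA3604E The SSL function "gsk_environment_init" failed with the
          return code "408" in "sqlccLoadSSLLibrary".
"""

if __name__ == "__main__":
    for ts, name in triage(SAMPLE):
        print(ts, name)
```

If `triage` reports hits on a host whose GSKit build makes `reads_new_stash_format` return false, check whether the stash file was generated on a newer fix pack.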
 

Migrating to the new format is recommended because it uses stronger stash file protection. Customers can migrate their existing stash files to the new format with the -stashpw command in the gsk8capicmd tool. See the gsk8capicmd user guide for details. The same -stashpw command can also be used to re-create the stash file in the format used by the current fix pack.
 


Document Information

Modified date:
06 December 2022

UID

swg22014693