Overview
As data security becomes increasingly critical in today's digital landscape, organizations prioritize solutions that protect sensitive information. One key aspect is ensuring encryption at rest and in transit, safeguarding data from potential threats whether it is stored or being transferred. Db2 native encryption encrypts Db2 backup images and key database files, such as tablespace containers, transaction logs, archive logs, load copy data and load staging files.
Db2 encrypts data with a data encryption key (DEK) before the data is written to disk. The DEK is stored, encrypted by the master key (MK), within the database or backup image. The DEK itself is generated by Db2 as needed, such as when an encrypted database or encrypted database backup is created.
A master key (MK) is an encryption key that is used to encrypt a data encryption key (DEK). Each encrypted database is associated with one master key at one time.
This tutorial shows how to enable Db2 to securely store and manage its master keys in a centralized external keystore, IBM Guardium Key Lifecycle Manager (GKLM), through KMIP, ensuring compliance with industry standards and best practices.
Learning Objectives
In this tutorial, you will learn how to set up a basic integration of Guardium Key Lifecycle Manager (GKLM) as a centralized key manager for the master keys of a Db2 database.
Prerequisites
- IBM DB2
- Guardium Key Lifecycle Manager (Note: this tutorial is based on GKLM v5.0)
- Make sure the parameter enableClientCertPush=true is defined in the SKLMConfig.properties file on the GKLM server
Steps
Step 1. Create a local keystore and the Db2 client certificate
1. Create a local keystore with the gsk8capicmd_64 command from the Db2 command prompt.
Example:
gsk8capicmd_64 -keydb -create -db "ne-keystore.p12" -pw "g00d.pWd" -type pkcs12 -stash -pqc false
2. On the Db2 server, create the certificate by issuing the gsk8capicmd_64 command, supplying the password you chose when creating the keystore.
Example:
gsk8capicmd_64 -cert -create -db "ne-keystore.p12" -label "DB2_signer_certificate" -dn "CN=weblinux.Raleigh.ibm.com,O=ibm,OU=IBM HTTP Server,L=RTP,ST=NC,C=US" -sig_alg SHA256_WITH_RSA -size 2048
3. Extract the certificate to a file by issuing the gsk8capicmd_64 command.
Example:
gsk8capicmd_64 -cert -extract -db "ne-keystore.p12" -label "DB2_signer_certificate" -target "DB2_certificate_file.pem" -format ascii
4. Verify that the keystore stash file, the .p12 file and the Db2 server certificate have been created on the C:\ drive.
Note: The C:\ drive is not mandatory; you can specify any path of your choice when creating the keystore.
5. Securely transmit the Db2 server certificate file to the centralized key manager.
Step 2. Create a device group and import the Db2 server certificate
1. Select the "Catalog" tab on the "Configured Endpoints" page of the "Endpoint Management" tab.
2. Select the device family "GPFS" and then enter "DB2" as the new device group name.
Note: Do not enable machine affinity.
3. Select the "DB2" group from the home page and import the Db2 server certificate by clicking the "Add certificate" tab.
Step 3. Create a TLS signer certificate for the GKLM server and import it into the Db2 server
1. On the GKLM server, create a self-signed certificate from the "System certificates" tab by providing the required parameters.
2. Download the newly created GKLM server certificate from the "System certificates" page.
3. On the Db2 server, add the centralized key manager certificate to the local keystore.
Example:
gsk8capicmd_64 -cert -add -db "ne-keystore.p12" -label "sklm_signer_certificate" -file "sklm_signer_certificate_2025121233338.cer"
4. Verify that both the GKLM and Db2 server certificates are present in the keystore.
Example:
gsk8capicmd_64 -cert -list -db ne-keystore.p12 -stashed
Step 4. Create KMIP keystore configuration file
To store your master key or keys in a centralized keystore using KMIP, you need to create a configuration file that lists details about the keystore. Create the KMIP keystore configuration file with the parameters below and save it.
VERSION=1
PRODUCT_NAME=ISKLM
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=true
SSL_KEYDB=Path to keystore p12 file
SSL_KEYDB_STASH=Path to keystore stash file
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=db2 server certificate label name
PRIMARY_SERVER_HOST=GKLM server IP
PRIMARY_SERVER_KMIP_PORT=KMIP port number
DEVICE_GROUP=DB2
Example:
Note: Rename the file to isklm.cfg so that it carries the .cfg extension rather than .txt.
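Before pointing the database manager at the file, it is worth checking that none of the template wording above was left in place and that the stash file really belongs to the keystore from Step 1. The checker below is an added example, not code from the tutorial or from IBM; the sample configuration it embeds is constructed (the host and port are placeholders, and C:\ne-keystore.p12 follows the keystore name used in Step 1).

```python
import os
# Parameters that the Step 4 KMIP configuration file must define.
REQUIRED_KEYS = ("VERSION", "PRODUCT_NAME", "SSL_KEYDB", "SSL_KEYDB_STASH",
                 "SSL_KMIP_CLIENT_CERTIFICATE_LABEL", "PRIMARY_SERVER_HOST",
                 "PRIMARY_SERVER_KMIP_PORT", "DEVICE_GROUP")
# Template wording from the tutorial that must not survive into the real file.
PLACEHOLDERS = ("path to", "gklm server", "kmip port", "db2 server certificate")

def parse_kmip_cfg(text):
    # KEY=VALUE per line; blank lines and '#' comments are skipped.
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"not a KEY=VALUE line: {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg

def check_kmip_cfg(cfg):
    # Returns a list of problems; an empty list means the file looks usable.
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in cfg]
    if problems:
        return problems
    for key, want in (("PRODUCT_NAME", "ISKLM"), ("DEVICE_GROUP", "DB2")):
        if cfg[key] != want:
            problems.append(f"{key} must be {want} for this GKLM setup")
    port = cfg["PRIMARY_SERVER_KMIP_PORT"]
    if not (port.isdigit() and 0 < int(port) < 65536):
        problems.append("PRIMARY_SERVER_KMIP_PORT is not a valid TCP port")
    for key, value in cfg.items():
        if value.lower().startswith(PLACEHOLDERS):
            problems.append(f"{key} still holds template text: {value!r}")
    # Step 1 wrote the .sth stash next to the .p12, so the two stems must match.
    stems = [os.path.splitext(cfg[k])[0] for k in ("SSL_KEYDB", "SSL_KEYDB_STASH")]
    if stems[0] != stems[1]:
        problems.append("SSL_KEYDB_STASH is not the stash file belonging to SSL_KEYDB")
    return problems
# Constructed sample (not from the page): the template with its placeholders filled in.
SAMPLE_CFG = """VERSION=1
PRODUCT_NAME=ISKLM
SSL_KEYDB=C:\\ne-keystore.p12
SSL_KEYDB_STASH=C:\\ne-keystore.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=DB2_signer_certificate
PRIMARY_SERVER_HOST=192.0.2.10
PRIMARY_SERVER_KMIP_PORT=5696
DEVICE_GROUP=DB2
"""
```

Run `check_kmip_cfg(parse_kmip_cfg(open("isklm.cfg").read()))` on the Db2 server; an empty list means the file is ready for the keystore_location update in Step 5.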
Step 5. Update database manager and verify key operations
1. Set keystore_type to "KMIP" and keystore_location to the absolute path and file name of the centralized keystore configuration file.
Example:
db2 update dbm cfg using keystore_location C:\isklm.cfg keystore_type kmip
2. Restart the Db2 server using the command below.
3. Create an encrypted database using the command below.
Example:
db2 create db TEST encrypt
Note: Accept the certificate in the pending client certificate list on the GKLM home page.
4. Verify that the master key for the encrypted database has been created on GKLM.
5. Since the data encryption key used by Db2 for encryption is never outside of the encrypted database, backup, or transaction log, there is little risk of exposure. The same is not true for the master key, which lives outside of the database. Rotation of the MK, which protects the DEK, therefore needs to be done efficiently. Db2 provides a simple way to rotate the MK with the SYSPROC.ADMIN_ROTATE_MASTER_KEY procedure.
Example:
Verify that the new master key has been created under the DB2 device group.
You can also verify the master key using the db2 command below.
Note: MKs are needed to access the DEKs that are stored in encrypted databases, transaction logs, and backup images. Since multiple MKs can exist over the lifetime of these objects, they must be retained for as long as the encrypted data is retained. Therefore, do not delete MKs from the keystore.
The master keys of DB2 databases are re-encrypted using a single master key in Guardium Key Lifecycle Manager, adding an extra layer of security.
Summary
In this tutorial, you've learned how to create a basic integration of Guardium Key Lifecycle Manager as a centralized key manager with IBM DB2.
Next steps
Now that you've completed this tutorial, continue to learn about Guardium Key Lifecycle Manager and Db2 from the following resources.