Informix

 View Only
  • 1.  IDS 12.10 'Key generation failed' -26009 on Windows 11?

    Posted Thu January 19, 2023 06:53 PM

    Hi everyone,

    IDS 12.10FC10WE
    Windows 11 Pro 21H2

    We recently got a couple of Windows 11 laptops for developers, so I installed Informix on them the same way I have always done for our Windows 10 machines.
    All appears to install correctly but encrypt and decrypt of columns now does not work on either laptop.

    So if I do:   set encryption password "abcdefghijk";
    Then:
    update table1  set  mycrypt_column = encrypt_aes("password") where 1 = 1;
    Result is:
    Code -26009: Key generation failed.

    Same error if I try a decrypt_char().

    A web search hasn't given me much joy on how to resolve this.
    We can't install v14 as we need to be in step with production which is still 12.10.
    There are no clues in the online log.
    Starting with 'oninit -j' shows these lines ralating to encryption:
      Initialization of Encryption...succeeded
      Initializing encryption-at-rest if necessary...succeeded

    Anyone have any idea what is necessary under Windows 11 and IDS 12.10 to fix this?

    Regards,
      Bryce Stenberg
      Harness Racing New Zealand Inc.



    ------------------------------
    Bryce Stenberg
    ------------------------------


  • 2.  RE: IDS 12.10 'Key generation failed' -26009 on Windows 11?

    IBM Champion
    Posted Fri January 20, 2023 04:25 AM
    Hi Bryce,

    as you're not mentioning EaR (encryption-at-rest - dbspace/chunk level encryption), I'm assuming you're not using it, so those two lines oninit output might not be relevant, i.e. not indicative of anything ok or not.

    After attempting such encrypt_aes() call, do you see an 'encrypt' VP in "onstat -g glo" and do you have a line in message log like this one:

      IBM Global Security Kit (GSKit) version 8.0.55.26.

    I'm getting both, on my Linux system, already with only running "set encryption password "asdfasdf";" ...

    Just trying to establish whether the required GSKit crypto libraries are present on these systems - after all, as you're describing it, it sounds like an OS/environment problem.

    BR,
     Andreas

    ------------------------------
    Andreas Legner
    ------------------------------



  • 3.  RE: IDS 12.10 'Key generation failed' -26009 on Windows 11?

    Posted Sun January 22, 2023 04:34 PM
    Hi Andreas,

    You are right, we are not using encryption-at-rest.
    After running 'set encryption password' I do see the encrypt VP:

    Virtual processor summary:
    class       vps       usercpu   syscpu    total
    cpu         6         412.37    122.98    535.35
    aio         1         0.00      0.02      0.02
    lio         1         0.00      0.00      0.00
    pio         1         0.00      0.00      0.00
    adm         1         0.00      0.00      0.00
    soc         3         0.00      0.00      0.00
    msc         1         0.00      0.00      0.00
    encrypt     1         0.00      0.02      0.02
    fifo        1         0.00      0.00      0.00
    total       16        412.37    123.02    535.38

    Individual virtual processors:
    vp    pid       class       usercpu   syscpu    total     Thread    Eff
    1     18388     cpu         0.50      3.22      3.72      5.01      74%
    2     15244     adm         0.00      0.00      0.00      0.00       0%
    3     19272     lio         0.00      0.00      0.00      0.00       0%
    4     2252      pio         0.00      0.00      0.00      0.00       0%
    5     20232     aio         0.00      0.02      0.02      0.03      48%
    6     16188     msc         0.00      0.00      0.00      0.14       0%
    7     13860     fifo        0.00      0.00      0.00      0.00       0%
    8     13884     cpu         1.05      0.32      1.37      1.37     100%
    9     12992     cpu         149.83    33.22     183.05    183.05   100%
    10    19580     cpu         28.60     8.67      37.27     37.27    100%
    11    14496     cpu         159.58    54.25     213.83    213.83   100%
    12    14552     cpu         72.80     23.32     96.12     96.12    100%
    13    19148     soc         0.00      0.00      0.00      NA         NA
    14    18132     soc         0.00      0.00      0.00      NA         NA
    15    13644     soc         0.00      0.00      0.00      NA         NA
    16    5300      encrypt     0.00      0.02      0.02      0.30       5%
                     tot         412.37    123.02    535.38

    And the log file does show:   IBM Global Security Kit (GSKit) version 8.0.50.88.
    So it looks like it kicks off but just doesn't work.

    Regards, Bryce.

    ------------------------------
    Bryce Stenberg
    ------------------------------



  • 4.  RE: IDS 12.10 'Key generation failed' -26009 on Windows 11?

    IBM Champion
    Posted Mon January 23, 2023 05:57 AM
    Hi Bryce,

    GSKit being there and loadable looking to be a good thing, but it might be that version (8.0.50.88) that is causing the -26009.

    Interestingly, per my notes, 12.10.xC10's bundled GSKit version is an older one, and in your support case you reported 8.0.50.26 (which in turn seems much older than what 12.10.xC10 would bring??).

    -> can you clarify this version info, and are you really getting this error with 8.0.50.26?

    Andreas

    ------------------------------
    Andreas Legner
    ------------------------------



  • 5.  RE: IDS 12.10 'Key generation failed' -26009 on Windows 11?

    Posted Mon January 23, 2023 03:01 PM
    Solved!   Cheers Andreas and IBM support (who also came through with similar).

    It was all to do with the version of GSKit.  (I typo'd the earlier version I mentioned what with writing this message on one computer and working against another with the Informix installation - actual version installed was 8.0.50.88,  not 8.0.50.26).

    On these laptops ClientSDK had been installed after the informix server was installed, this had replaced the GSKit with 8.0.50.88.
    When I looked in %informixdir%\gskit folder the installer for the version the server wanted was there (8.0.50.75).  After installing that again all is now good :)

    Thanks everyone.
    Regards,
      Bryce.

    ------------------------------
    Bryce Stenberg
    ------------------------------



  • 6.  RE: IDS 12.10 'Key generation failed' -26009 on Windows 11?

    Posted Fri January 20, 2023 04:34 AM
    I'll preface this with "no experience with Informix on Windows"...

    According to the Error Messages document:
    https://www.ibm.com/docs/en/informix-servers/12.10?topic=informix-error-messages

    -26009    Key generation failed.
    The internal crypto library key generation API failed.

    Which isn't super helpful but sounds like a missing library (.dll).
    Given your "Initialization of Encryption...succeeded" messages on
    startup, you probably are not missing a library, or it is not yet
    initialized at that point yet.

    On Linux, I ran nm(1) and grepped for 'crypt' on the libraries in
    $INFORMIXDIR/lib.  It looks like most of the encryption functions
    are in libbsapsm.so, so I'd look to see if you have a libbsapsm.dll,
    which would probably be the equvalent on Windows.

    Of course the Informix library might be making a call to a Windows
    library where a function was changed/moved between Windows 10 and 11.
    You would have to run some sort of library trace tool on the Informix
    process to track this down.  It probably would not be trivial given
    everything the Informix server is doing.


    Another suggestion:
    What is the size of mycrypt_column in your table?
    Is it big enough to hold the encrypted format of the data?

    See "1. Calculate the size of the encrypted column"
    https://www.ibm.com/docs/en/informix-servers/12.10?topic=encryption-encrypting-column-data

    I ran a test with a varchar(10) field, inserted data unencrypted,
    then ran the update to encrypt the data.  It worked OK, but because
    the column was not big enough to hold the encrypted format, when
    trying to select data with decrypt_char I got the error:

    26005: The encrypted data is wrong or corrupted

    which is different from your error.  When using a column size of
    varchar(255) for the encrypted column, reinserting the encrypted
    data, then decrypt_char worked OK.

    Not sure if any of that helps you.

    scot


  • 7.  RE: IDS 12.10 'Key generation failed' -26009 on Windows 11?

    Posted Sun January 22, 2023 11:09 PM
    Hi Scot,

    Nothing is wrong with the column size, good thought though.

    I checked libbsapsm, there is a libbsapsm.dll in %informixdir\bin so it is in the path.
    I don't have any library trace tooling and don't know how to go about it anyway.
    I've now opened a case with IBM so I'll see what they have to say.

    Regards, Bryce.

    ------------------------------
    Bryce Stenberg
    ------------------------------