DB2 - Problem description
Problem IT15353 | Status: Closed
DB2CKLOG TOOL DOES NOT HAVE KEYSTORE PASSWORD OPTIONS, CANNOT VALIDATE ENCRYPTED LOG FILES
Product:
DB2 FOR LUW / DB2FORLUW / A50 - DB2
Problem description:
When the DB2 Native Encryption feature is enabled, the database's log files are encrypted. A user may attempt to validate log files with the db2cklog tool. To read these encrypted log files, access to the PKCS12 local keystore is required. The keystore is protected by a password, and this password can be stored in a stash file. If the password is not stored in a stash file, the user needs to specify it for standalone tools.

Here is the syntax output for db2cklog:

    db2cklog (DB2 Check Log File tool)
    ------------------------------------------------------------------------------
    Syntax: DB2CKLOG [ CHECK ] <log-file-number1> [ TO <log-file-number2> ] [ ARCHLOGPATH <archive-log-path> ]

Currently there is no option to specify the keystore password. If a keystore stash file is not used, the user gets the following error:

    db2cklog 1
    ____________________________________________________________________
    _____ D B 2 C K L O G _____
    DB2 Check Log File tool
    I B M
    The db2cklog tool is a utility can be used to test the integrity of an archive log file and to determine whether or not the log file can be used in the rollforward database command.
    ____________________________________________________________________
    ________________________________________________________________________________
    Failed to get cipher ticket from header dek! Reason code: -2141452066, sqlcode: -1728.
Problem Summary:
****************************************************************
* USERS AFFECTED:                                              *
* Users using the DB2 Native Encryption feature and using      *
* db2cklog tool                                                *
****************************************************************
* PROBLEM DESCRIPTION:                                         *
* See Error Description                                        *
****************************************************************
* RECOMMENDATION:                                              *
* Upgrade to the newest fix pack.                              *
****************************************************************
Local Fix:
The DB2 PKCS12 keystore is managed with GSKit. The user can generate a stash file with the following command:

    gsk8capicmd_64 -keydb -stashpw -db <keystore_file> -pw <keystore_password>

Once a stash file is generated, the tool works properly because the password is automatically retrieved from the stash file.
Solution
Problem was first fixed in DB2 UDB Version 10.5 fix pack 8
Workaround
The DB2 PKCS12 keystore is managed with GSKit. The user can generate a stash file with the following command:

    gsk8capicmd_64 -keydb -stashpw -db <keystore_file> -pw <keystore_password>

Once a stash file is generated, the tool works properly because the password is automatically retrieved from the stash file.
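
A preflight check for the stash-file workaround, added here as an example and not IBM's code: it confirms that a stash file exists beside the keystore, so db2cklog can retrieve the password, and that neither file is accessible to group or others, since the stash file lets anyone who can read it open the keystore. The `.sth` stash file name, the function names and the `chmod 600` suggestion are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code): preflight check before running db2cklog on
# encrypted logs at a fix level that has no keystore password option.
# Assumption: the stash file sits beside the keystore, extension replaced by .sth.

# Print the assumed stash path for a keystore path (dir/ks.p12 -> dir/ks.sth).
stash_path() {
    dir=$(dirname "$1")
    base=$(basename "$1")
    case $base in
        ?*.*) base=${base%.*} ;;   # strip the extension of the file name only
    esac
    printf '%s/%s.sth\n' "$dir" "$base"
}

# Return 0 if the file grants no permission bits to group or others.
is_private() {
    perms=$(ls -ldL "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# check_stash <keystore_file>
#   0 = stash present and private: the password can be retrieved from it
#   1 = keystore or stash missing: expect "Failed to get cipher ticket"
#   2 = keystore or stash accessible to group or others
check_stash() {
    ks=$1
    sth=$(stash_path "$ks")
    if [ ! -f "$ks" ] || [ ! -f "$sth" ]; then
        echo "missing keystore or stash file (expected $sth)" >&2
        return 1
    fi
    for f in "$ks" "$sth"; do
        if ! is_private "$f"; then
            echo "accessible to group or others: $f (consider chmod 600)" >&2
            return 2
        fi
    done
    return 0
}

# Usage: sh check_stash.sh <keystore_file> && db2cklog <log-file-number1>
if [ "$#" -gt 0 ]; then
    check_stash "$1"
fi
```
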
Timestamps
Date - problem reported : 18.05.2016
Date - problem closed : 22.12.2016
Date - last modified : 22.12.2016
Problem solved at the following versions (IBM BugInfos)
Problem solved according to the fixlist(s) of the following version(s)