IBM Support

SQL1782N RC=8 when using KeySecure for DB2 Native Encryption with Create database command

Troubleshooting


Problem

Running the command "db2 create database test encrypt" returns error SQL1782N RC=8. The customer is setting up DB2 Native Encryption on V11 m2fp2 and has configured the following parameters in the KMIP configuration file:

VERSION=1
KEYSTORETYPE=KEYSECURE
*** note the above parameter is deprecated and replaced with the following: ***
PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=TRUE
SSL_KEYDB=/opt/test/KMIP/clientkeydb.p12
SSL_KEYDB_STASH=/opt/test/KMIP/clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=testdb2inst1_client
DEVICE_GROUP=DB2
MASTER_SERVER_HOST=testdb2inst1.prod.test.com
MASTER_SERVER_KMIP_PORT=5696
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE

NOTE: ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE is only available from v11 m2fp2 and is used to allow you to bypass the 'critical' constraint in basicConstraints. Not all keystores support critical.

Symptom

The db2diag.log file will have the following message after you run "db2 create database test encrypt":
SQL1782N The command or operation failed because an error was encountered
accessing the centralized key manager. Reason code "8".
Dialog:
PID    : 38273194            TID : 4371          PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000          DB  :
APPHDL : 0-7                 APPID: *LOCALdb2inst1.180206222453
AUTHID : db2inst1             HOSTNAME: myhost1
EDUID  : 4371                EDUNAME: db2agent (instance) 0
FUNCTION: DB2 UDB, bsu security, sqlexInsertNewMasterKeyLabelKMIP, probe:1596
MESSAGE : ZRC=0x805C0918=-2141452008=SQLEX_KMIP_ERROR
         "The KMIP request returned an error."
DATA 1 : String, 59 bytes
Call failed at master/clone; will try the same master/clone
DATA 2 : String, 49 bytes
clone, total clones, retry count, max retry count
DATA 3 : signed integer, 4 bytes
-1
DATA 4 : signed integer, 4 bytes
0
DATA 5 : unsigned integer, 4 bytes
4
DATA 6 : unsigned integer, 4 bytes
50

Cause

DB2 does not support the use of DEVICE_GROUP=DB2 with KEYSECURE.

Environment

AIX

Diagnosing The Problem

Check the KMIP configuration file for DEVICE_GROUP=DB2, or collect a db2trc and search for it.

Resolving The Problem

Remove DEVICE_GROUP=DB2 from the KMIP configuration file and restart DB2.
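
The check from "Diagnosing The Problem", which can be rerun after the fix, written as a shell function. This is an added example, not IBM-supplied tooling: the name check_kmip_cfg is hypothetical, and it assumes one KEY=VALUE pair per line, compares the product name case-insensitively, and uses mktemp for the constructed sample.

```shell
#!/bin/sh
# check_kmip_cfg FILE  (hypothetical helper, not part of Db2)
# Returns 0 when the known-bad combination is absent, 1 when DEVICE_GROUP
# is set together with KEYSECURE, 2 when the file cannot be read.
check_kmip_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk -F= '
        # Strip a trailing CR and surrounding blanks from a key or value.
        function trim(s) { sub(/\r$/, "", s); gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        NF >= 2 {
            key = trim($1)
            val = trim(substr($0, index($0, "=") + 1))
            # Either the current or the deprecated parameter selects KeySecure.
            if (key == "PRODUCT_NAME" || key == "KEYSTORETYPE") {
                if (toupper(val) == "KEYSECURE") keysecure = 1
                if (key == "KEYSTORETYPE") deprecated = NR
            }
            if (key == "DEVICE_GROUP") { dg_line = NR; dg_val = val }
        }
        END {
            if (deprecated)
                printf "line %d: KEYSTORETYPE is deprecated, use PRODUCT_NAME\n", deprecated
            if (keysecure && dg_line) {
                printf "line %d: DEVICE_GROUP=%s is set with KEYSECURE (SQL1782N RC=8)\n", dg_line, dg_val
                exit 1
            }
        }
    ' "$cfg"
}

# Constructed sample reproducing the failing combination from this page;
# pass a real configuration file path as the first argument to check it instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
VERSION=1
PRODUCT_NAME=KEYSECURE
DEVICE_GROUP=DB2
MASTER_SERVER_KMIP_PORT=5696
EOF
check_kmip_cfg "${1:-$sample}" || echo "check failed with status $?"
rm -f "$sample"
```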


Document Information

Modified date:
07 December 2022

UID

swg22013589