IBM Support

SQL1782N RC=8 when using KeySecure for DB2 Native Encryption with Create database command

Technote (troubleshooting)


Problem (Abstract)

Running the command "db2 create database test encrypt" returns error SQL1782N RC=8. The customer is setting up DB2 Native Encryption on V11 m2fp2 and has configured the following parameters in the KMIP configuration file:

VERSION=1
KEYSTORETYPE=KEYSECURE
*** note the above parameter is deprecated and replaced with the following:
*** PRODUCT_NAME=KEYSECURE
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=TRUE
SSL_KEYDB=/opt/test/KMIP/clientkeydb.p12
SSL_KEYDB_STASH=/opt/test/KMIP/clientkeydb.sth
SSL_KMIP_CLIENT_CERTIFICATE_LABEL=testdb2inst1_client
DEVICE_GROUP=DB2
MASTER_SERVER_HOST=testdb2inst1.prod.test.com
MASTER_SERVER_KMIP_PORT=5696
ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE

NOTE: ALLOW_NONCRITICAL_BASIC_CONSTRAINT=TRUE is available only from v11 m2fp2 onward. It allows you to bypass the 'critical' constraint in basicConstraints. Not all keystores support critical.

Symptom

The db2diag.log file contains the following message after you run "db2 create database test encrypt":

SQL1782N The command or operation failed because an error was encountered
accessing the centralized key manager. Reason code "8".
Dialog:
PID    : 38273194            TID : 4371          PROC : db2sysc 0
INSTANCE: db2inst1             NODE : 000          DB  :
APPHDL : 0-7                 APPID: *LOCALdb2inst1.180206222453
AUTHID : db2inst1             HOSTNAME: newton
EDUID  : 4371                EDUNAME: db2agent (instance) 0
FUNCTION: DB2 UDB, bsu security, sqlexInsertNewMasterKeyLabelKMIP, probe:1596
MESSAGE : ZRC=0x805C0918=-2141452008=SQLEX_KMIP_ERROR
         "The KMIP request returned an error."
DATA 1 : String, 59 bytes
Call failed at master/clone; will try the same master/clone
DATA 2 : String, 49 bytes
clone, total clones, retry count, max retry count
DATA 3 : signed integer, 4 bytes
-1
DATA 4 : signed integer, 4 bytes
0
DATA 5 : unsigned integer, 4 bytes
4
DATA 6 : unsigned integer, 4 bytes
50


Cause

DB2 does not support the use of DEVICE_GROUP=DB2 with KEYSECURE.


Environment

AIX

Diagnosing the problem

Check the KMIP configuration file for DEVICE_GROUP=DB2, or collect a db2trc and search it for DEVICE_GROUP=DB2.
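
The configuration file check can be scripted. The following is an added example, not IBM's code: a POSIX shell function that parses a KMIP configuration file and reports DEVICE_GROUP when the product is KEYSECURE, along with any use of the deprecated KEYSTORETYPE parameter. The function name check_kmip_cfg, the sample file, and the treatment of "#" lines as comments are assumptions.

```shell
#!/bin/sh
# Added example: lint a DB2 KMIP configuration file for the condition in this technote.
# Returns 0 if clean, 1 if DEVICE_GROUP is set while the product is KEYSECURE,
# 2 if the file cannot be read. Findings are printed to stdout.
check_kmip_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    awk '
        # Skip blank lines and annotation lines. The technote marks its notes
        # with "***"; treating "#" as a comment marker is an assumption.
        /^[ \t]*$/ || /^[ \t]*(#|\*)/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = toupper(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t\r]+$/, "", key)
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "KEYSTORETYPE") { legacy = NR; product = toupper(val) }
            if (key == "PRODUCT_NAME") product = toupper(val)
            if (key == "DEVICE_GROUP") { dg = val; dgline = NR }
        }
        END {
            if (legacy)
                printf "line %d: KEYSTORETYPE is deprecated, use PRODUCT_NAME\n", legacy
            if (product == "KEYSECURE" && dgline) {
                printf "line %d: DEVICE_GROUP=%s is not supported with KEYSECURE\n", dgline, dg
                exit 1
            }
        }
    ' "$cfg"
}

# Constructed sample built from the parameters quoted in the technote.
sample="${TMPDIR:-/tmp}/kmip_sample.$$"
cat > "$sample" <<'EOF'
VERSION=1
PRODUCT_NAME=KEYSECURE
DEVICE_GROUP=DB2
MASTER_SERVER_HOST=testdb2inst1.prod.test.com
MASTER_SERVER_KMIP_PORT=5696
EOF
check_kmip_cfg "$sample" || echo "exit status: $?"
rm -f "$sample"
```

A non-zero exit status makes the function usable as a pre-flight gate before running the create database command.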

Resolving the problem

Remove DEVICE_GROUP=DB2 from the KMIP configuration file and restart DB2.

Related information

Creating a centralized keystore configuration file

Document information

More support for: DB2 for Linux, UNIX and Windows
Security / Plugins - Encryption

Software version: 11.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: Advanced Enterprise Server, Advanced Workgroup Server, Enterprise Server, Workgroup Server

Reference #: 2013589

Modified date: 12 February 2018

