Background
This document describes, in brief, how to encrypt an SAP system database with IBM DB2 native encryption, as required by the client's information security policy.
Landscape
The configuration was demonstrated on the following landscape:
- SAP Systems: ECC, SRM, GRC, HR, PI and Solution Manager
- IBM DB2 database 10.5.7
- Red Hat Enterprise Linux Server release 6.10
Tools & Requirements
- DB2 GSKit library files (gsk8capicmd_64 and the GSKit shared libraries shipped with DB2)
- OS-level access to the IBM DB2 instance owner account (db2<sid>)
Configuration Steps:
Pre-Requisites:
- Up-to-date IBM DB2 GSKit library files (native encryption needs DB2 10.5 FP5 or later; 10.5.7 qualifies).
- db2<sid> user ID access
References:
https://www.emc.com/collateral/TechnicalDocument/docu87632.pdf
https://www.ibm.com/support/knowledgecenter/en/SSXJFX_2.0.0/cfmup060.html
IBM DB2 Encryption steps:
Log in to the database server as the db2<sid> user.

Check the DB2 version (db2level) to confirm the instance is at least 10.5 FP5, which is the first fix pack that supports native encryption.

Check the database encryption status before starting; a database that has never been encrypted reports as not encrypted.
Navigate to /db2/db2<sid>/db2_software/gskit/bin and list the directory to confirm that the GSKit files, including the gsk8capicmd_64 executable, are present.
Check whether LD_LIBRARY_PATH already contains the GSKit library directories:

/db2/db2<sid>/db2_software/lib64/gskit:/db2/db2<sid>/db2_software/lib32/gskit

If it does not, set LD_LIBRARY_PATH as below (setenv is C shell syntax, the login shell of the db2<sid> user on an SAP system; in a Bourne-type shell use the equivalent export statement). Every entry must be an absolute path; a missing leading slash makes the loader look for the GSKit libraries relative to the current directory:
setenv LD_LIBRARY_PATH /usr/sap/<SID>/SYS/exe/run:/usr/sap/<SID>/SYS/exe/uc/linuxx86_64:/db2/db2<sid>/sqllib/lib64:/db2/db2<sid>/sqllib/lib32:/db2/db2<sid>/db2_software/lib64/gskit:/db2/db2<sid>/db2_software/lib32/gskit
Change to /db2/db2<sid>/db2_software/gskit/bin and confirm that gsk8capicmd_64 runs; if LD_LIBRARY_PATH is wrong it fails immediately with a shared library error.

Confirm that a login as db2<sid> with its password works. This account owns the keystore created in the next step, so it is the only OS user that should be able to read it.
Create a directory named db2 under /db2/db2<sid>/ (on the demonstration system, /db2/db2db0/) to hold the keystore.

Run the following command to create a PKCS#12 keystore with a stash file (-strong enforces the GSKit password rules):
/db2/db2<sid>/db2_software/gskit/bin/gsk8capicmd_64 -keydb -create -db /db2/db2<sid>/db2/<SID>keystore.p12 -pw <password> -strong -type pkcs12 -stash

The -stash option writes an obfuscated copy of the keystore password to <SID>keystore.sth next to the keystore, so that the instance can open it at start-up without a prompt. Anyone who can read both files can open the keystore, so restrict them to the db2<sid> user (mode 600) and keep a copy of both in separate, access-controlled storage outside the database backup path: if the keystore is lost, the encrypted database and every encrypted backup image are unrecoverable.

Register the keystore type and location in the database manager configuration
Command:
db2 update dbm cfg using keystore_type pkcs12 keystore_location /db2/db2<sid>/db2/<SID>keystore.p12

Check the dbm cfg for keystore parameters
Command:
db2 get dbm cfg | grep KEY
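The following script is an added example written for this page, not the original author's code: it performs the keystore creation and registration steps above as one procedure and adds the two checks a practitioner wants before going further, namely that the keystore and stash file are readable only by their owner, and that the dbm cfg really points at the intended keystore. The illustrative SID values db0/DB0, the function names, and the sample dbm cfg text used to exercise the parser are assumptions; the directory layout is the one used on this page, and the script expects to run as the db2<sid> user. The real commands only execute when the script is started with the argument run.

```sh
#!/bin/sh
# Added example, not part of the original page: create the PKCS#12 keystore
# with gsk8capicmd_64, register it in the dbm cfg and verify both steps.
# Assumes the page's layout (/db2/db2<sid>/...), the db2<sid> OS user, and
# illustrative SID values db0/DB0 (override with SID_LOWER / SID_UPPER).
set -eu

sid="${SID_LOWER:-db0}"            # instance owner suffix (assumption: db0)
SID="${SID_UPPER:-DB0}"            # database name (assumption: DB0)
sw="/db2/db2${sid}/db2_software"   # GSKit install path from the page
keystore="/db2/db2${sid}/db2/${SID}keystore.p12"

# Octal permission bits of a file (GNU stat on RHEL, BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# The keystore (.p12) holds the master keys and the stash file (.sth) an
# obfuscated copy of the keystore password: whoever can read the pair can open
# every database encrypted with it. Require both files to exist, be owned by
# the current user and carry no group/other permission bits.
keystore_files_ok() {
    for f in "$1" "${1%.p12}.sth"; do
        [ -f "$f" ] || return 1
        [ -O "$f" ] || return 1
        case "$(file_mode "$f")" in
            600|400) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Check 'db2 get dbm cfg' output ($1) for a PKCS12 keystore at the path in $2.
dbm_keystore_ok() {
    ktype=$(printf '%s\n' "$1" | sed -n 's/.*(KEYSTORE_TYPE) *= *//p' | sed 's/[[:space:]]*$//')
    kloc=$(printf '%s\n' "$1" | sed -n 's/.*(KEYSTORE_LOCATION) *= *//p' | sed 's/[[:space:]]*$//')
    [ "$ktype" = "PKCS12" ] && [ "$kloc" = "$2" ]
}

# The real procedure runs only when invoked as: sh keystore.sh run
if [ "${1:-}" = "run" ]; then
    export LD_LIBRARY_PATH="${sw}/lib64/gskit:${sw}/lib32/gskit:${LD_LIBRARY_PATH:-}"
    mkdir -p "$(dirname "$keystore")" && chmod 700 "$(dirname "$keystore")"
    # The password comes from the environment so it is not typed into shell
    # history; it is still visible in 'ps' while gsk8capicmd_64 runs.
    : "${KEYSTORE_PW:?set KEYSTORE_PW to the keystore password}"
    "${sw}/gskit/bin/gsk8capicmd_64" -keydb -create -db "$keystore" \
        -pw "$KEYSTORE_PW" -strong -type pkcs12 -stash
    chmod 600 "$keystore" "${keystore%.p12}.sth"
    keystore_files_ok "$keystore" || { echo "keystore permissions are wrong" >&2; exit 1; }
    db2 update dbm cfg using keystore_type pkcs12 keystore_location "$keystore"
    dbm_keystore_ok "$(db2 get dbm cfg)" "$keystore" || { echo "dbm cfg not updated" >&2; exit 1; }
    # Without these two files an encrypted backup image cannot be restored.
    echo "copy $keystore and ${keystore%.p12}.sth to separate, access-controlled storage"
fi
```

The permission check is deliberately strict: a keystore readable by the group or the world turns an OS-level read into full access to the database master keys, which is the one exposure native encryption is meant to remove.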

Check the database encryption status before the conversion (the database is still unencrypted at this point)
Command:
db2pd -db <SID> -encryptioninfo

Check the DB size, to make sure the /encryption file system has room for the offline backup image
Command:
db2 "CALL GET_DBSIZE_INFO(?,?,?,0)"

Take an offline backup of the database to a directory on /encryption. The SAP system must be stopped and no application may be connected, otherwise the offline backup is refused.
Command:
db2 backup database <SID> to /encryption/<Provide name for BACKUP> &
To check the backup status
Command:
db2 list utilities show detail

Wait until the offline database backup has completed successfully, and note the backup timestamp that DB2 reports.

Now drop the database. Do this only after the backup has completed with a success message, because the backup image is the only copy of the data from here on.
Command:
db2 drop database <SID>

Restore the database from the offline backup image with the ENCRYPT option; the restore recreates the database as an encrypted database using the keystore registered in the dbm cfg. Check the restore status with db2 list utilities show detail until it completes.


Then start the database and connect to it.

Check the database configuration for the encryption status
Command:
db2 get db cfg for <SID> | grep -i encr
(Use get, not update, and match case-insensitively: the entry to look for is "Encrypted database = YES", followed by the ENCRLIB and ENCROPTS backup encryption settings, which DB2 fills in automatically for an encrypted database so that its backup images are encrypted as well.)

Check database connectivity from the SAP application servers, then confirm the encryption status once more in the database configuration and at the application level.

End of Encryption configuration
IBM DB2 Decryption steps:
Decryption is the same offline backup, drop and restore cycle as above, except that the database is restored with the NO ENCRYPT option.

Check the sapdata sizes, so that the backup target has enough space.

Execute a compressed offline backup to disk (/encryption/bkpdecrypt).
NOTE: The compress option was used here only because of a storage constraint. In general do not use it, because restoring a compressed image takes considerably longer.

Drop the database, restore it from the backup image with the NO ENCRYPT option and check the restore progress until it completes.

Connect to the Db2 database and confirm that the database configuration no longer reports it as encrypted.
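The script below is an added example written for this page, not the original author's code. It runs the offline backup, drop and restore cycle shared by the encryption steps and the decryption steps as one procedure, choosing the restore option (ENCRYPT or NO ENCRYPT) by a mode argument, and then verifies the outcome from the database configuration rather than trusting that the restore did what was asked. The names convert, backup_cmd, restore_cmd and encrypted_flag, the database name DB0 and the directories under /encryption are illustrative; the "Encrypted database" line it parses is the informational db cfg entry of DB2 10.5 FP5 and later, and the sample text used to exercise the parser is constructed. It assumes the keystore is already registered in the dbm cfg, that the SAP system is stopped, and that it runs as db2<sid>; the DB2 commands execute only when the script is started with the argument run.

```sh
#!/bin/sh
# Added example for this page (not the original author's code): offline
# backup -> drop -> restore cycle that converts a Db2 database to encrypted
# (restore ... ENCRYPT) or back to plain (restore ... NO ENCRYPT), then
# verifies the result. Illustrative names: DB0, /encryption/<dir>, convert.
set -eu

# Backup command; $1 = DB name, $2 = target directory, $3 = 1 adds COMPRESS
# (smaller image at the cost of a slower restore, see the note above).
backup_cmd() {
    if [ "${3:-0}" = 1 ]; then
        printf 'db2 backup database %s to %s compress\n' "$1" "$2"
    else
        printf 'db2 backup database %s to %s\n' "$1" "$2"
    fi
}

# Restore command for the requested mode; $3 = encrypt|decrypt. ENCRYPT
# re-creates the database encrypted with the keystore registered in the dbm
# cfg; NO ENCRYPT turns an encrypted image back into an unencrypted database.
restore_cmd() {
    case "$3" in
        encrypt) opt="encrypt" ;;
        decrypt) opt="no encrypt" ;;
        *) echo "restore_cmd: mode must be encrypt or decrypt" >&2; return 1 ;;
    esac
    printf 'db2 restore database %s from %s %s without prompting\n' "$1" "$2" "$opt"
}

# Extract the informational 'Encrypted database' flag (YES/NO) from the text
# of 'db2 get db cfg for <DB>' passed in $1.
encrypted_flag() {
    printf '%s\n' "$1" | sed -n 's/^ *Encrypted database *= *//p' | sed 's/[[:space:]]*$//'
}

# An offline backup and a drop both need a database with no connections.
quiesce() {
    db2 force applications all
    db2 deactivate database "$1" || true
}

# $1 = DB name, $2 = backup directory, $3 = encrypt|decrypt, $4 = compress 0|1
convert() {
    quiesce "$1"
    # Run the backup in the foreground: under 'set -e' a failed backup stops
    # the script here, so the drop below never runs without a good image.
    eval "$(backup_cmd "$1" "$2" "$4")"
    db2 drop database "$1"
    eval "$(restore_cmd "$1" "$2" "$3")"
    db2 activate database "$1"
    if [ "$3" = encrypt ]; then want=YES; else want=NO; fi
    got=$(encrypted_flag "$(db2 get db cfg for "$1")")
    if [ "$got" != "$want" ]; then
        echo "expected 'Encrypted database = $want' after $3, got '$got'" >&2
        exit 1
    fi
    if [ "$3" = encrypt ]; then
        # Application-level view: algorithm, key length and master key label.
        db2 connect to "$1"
        db2 "SELECT OBJECT_NAME, ALGORITHM, KEY_LENGTH, MASTER_KEY_LABEL, KEYSTORE_LOCATION FROM TABLE(SYSPROC.ADMIN_GET_ENCRYPTION_INFO())"
        db2 connect reset
    fi
}

# Usage (as db2<sid>): sh convert.sh run DB0 /encryption/bkpencrypt encrypt 0
#                      sh convert.sh run DB0 /encryption/bkpdecrypt decrypt 1
if [ "${1:-}" = run ]; then
    [ -n "${DB2INSTANCE:-}" ] || . "$HOME/sqllib/db2profile"
    convert "$2" "$3" "$4" "${5:-0}"
fi
```

The backup is run in the foreground on purpose: the page backgrounds it with & and polls db2 list utilities, which works interactively but gives a script no return code to check before the drop. The final check against the db cfg catches the common failure where the restore was run without the ENCRYPT (or NO ENCRYPT) option and silently produced a database in the old state.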

