Enterprise Resource Planning Blogs by Members
Gain new perspectives and knowledge about enterprise resource planning in blog posts from community members. Share your own comments and ERP insights today!
Showing results for 
Search instead for 
Did you mean: 
0 Kudos


This document in brief about and how to encrypt the SAP system database as part of the client Infosec policy.




In order to demonstrate this configuration, the below landscape is required

  • SAP Systems: ECC, SRM, GRC, HR, PI and Solution Manager

  • IBM DB2 database 10.5.7

  • RedHat Enterprise Linux Server Release 6.10

Tools & Requirements

  • DB2 GSKIT Library files

  • IBM DB2 Database service user account access (OS level)


Configuration Steps:



  • IBM DB2 GSKIT updated library files.

  • DB2<SID> user id access






IBM DB2 Encryption steps:


Login to the database using db2<sid>

login to db db2SID

Check the db2 version

Check the database encryption status

Check the database encryption status

 Navigate to the path : /db2/db2<sid>/db2-software/gskit/bin

Goto the path gskit/bin

Check the gskit library files

check gskit library files

gskit files listed as below

gskit files

 Check the environmental variable set for LD_LIBRARY_PATH

check env path variable set



Set the environmental variable for LD_LIBRARY_PATH as below:

setenv LD_LIBRARY_PATH /usr/sap/<SID>/SYS/exe/run:/usr/sap/<SID>/SYS/exe/uc/linuxx86_64:/db2/db2<sid>/sqllib/lib64:/db2/db2<sid>/sqllib/lib32:db2/db2<sid>/db2_software/lib64/gskit:/db2/db2<sid>/db2_software/lib32/gskit

Navigate to to the location /db2/db2<sid>/db2_software/gskit/bin/gsk8capicmd

navigate to file path gsk8capicmd

 Login with the db2<sid> password and ensure it is working fine

check the db2sid login with password working fine

Create a folder as db2 under the path /db2/db2db0/

Run the command:

/db2/db2<sid>/db2_software/gskit/bin/gsk8capicmd_64 -keydb -create -db /db2/db2<sid>/db2/<SID>keystore.p12 -pw <password> -strong -type pkcs12 -stash

Update the keystore password


db2 update dbm cfg using keystore_type pkcs12 keystore_location


Check the dbm cfg for keystore parameters


db2 get dbm cfg | grep KEY

Check the database encryption status


db2pd -db <SID> -encryptioninfo

Check the DB size


db2 "CALL GET_DBSIZE_INFO(?,?,?,0)"


db2 backup database <SID> to /encryption/<Provide name for BACKUP>  &

To check the backup status


db2 list utilities show detail

Offline Database backup completed

Now Drop the database


db2 drop database <SID>

Check the restore status

Then start the DB as below

Connect to the DB

 Check the DB configuration for Encryption status


db2 update db cfg for <SID> | grep encryption

 Check the DB connectivity

 Now check the encryption status in the DB configuration

Check the DB Encryption status in the application level

End of Encryption configuration


IBM DB2 Decryption steps:

 Check sapdata sizes

Execute Compress offline backup on disk (/encryption/bkpdecrypt)

NOTE: For storage constraint, the compressed backup option used, generally don’t use compress option, because restore will take more time

Check Restore Progress

Connect to Db2 database



Labels in this area