Information
The ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP setting in ekeystore.cfg file for external key managers (KMIP or PKCS11) allows writing to the keystore. The setting is false by default. Check that the setting has not been turned on.
Rationale:
Keeping the setting as false does not allow Db2 to create master keys. If you choose to turn the setting on, you acknowledge that Db2 does not backup changes to the keystore. Always backup your keystore before making changes.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
$ cat ekeystore.cfg
VERSION=1
PRODUCT_NAME=Luna
ALLOW_KEY_INSERT_WITHOUT_KEYSTORE_BACKUP=false
LIBRARY=/usr/safenet/lunaclient/luna6.1/lib/libCryptoki2_64.so
SLOT_LABEL=DB2Partition
NEW_OBJECT_TYPE=PRIVATE
KEYSTORE_STASH=/home/db2inst1/sqllib/security/pkcs11.sth
For maximum security, turn the setting off and create the keys outside of Db2. This way you will also be able to manage the labeling scheme across the Db2 instances and prevent name collision between different databases.