DB2 10.5 Fixpack 5 New Features - 29 March 2015 23:27

0. Contents

1. Product packaging and licensing enhancements
1.1. New addons to product editions
1.2. New Purescale licensing option
2. DB2 native encryption
3. Column-organized tables enhancements
3.1. Additional operating systems
4. HADR enhancements
4.1. BLU+HADR on Windows
4.2. IBM Tivoli® System Automation for Multiplatforms Version 4.1
5. Purescale enhancements
5.1. Geographically dispersed DB2 pureScale cluster
5.2. Cluster caching facility (CF) self-tuning memory
6. Application interface enhancements
6.1. CLI Driver Enhancements
6.2. IBM Data Server Provider for .NET Enhancements
6.3. Client information IBM data server driver configuration keywords with embedded SQL applications
7. Miscellaneous enhancements
7.1. Scalar UDF exeuction improved with column-organized tables
7.2. Exclusive access provided for 1 or more network cards per member
7.3. db2cli Enhancements
7.3.1. IBM data server driver configuration file with LDAP catalog entries
7.3.2. LDAP catalog entries to register DSNs with Microsoft ODBC Driver Manager
7.3.3. IBM Tivoli System Automation for Multiplatforms (SA MP) Version 4.1 on supported AIX operating systems
7.3.4. User IDs and group IDs can now be up to 128 bytes on Linux and UNIX operating systems

1. Product packaging and licensing enhancements

1.1. New addons to product editions

The following new DB2 offerings are available as add-ons to different DB2 product editions

IBM DB2 BLU Acceleration In-Memory Offering
IBM DB2 Business Application Continuity Offering
IBM DB2 Encryption Offering
IBM DB2 Performance Management Offering

The DB2 Editions are

DB2 Advanced Enterprise Server Edition and DB2 Advanced Workgroup Server Edition include all the above options
DB2 Enterprise Server Edition allows the above options to be added by registering an additional associated license certificate file with a minimum purchase of 25 users per 100 Processor Value Units
DB2 Workgroup Server Edition allows the above options to be added by registering an additional associated license certificate file. You must acquire a separate user license for each authorized user of this product, with a minimum purchase of five users per server.
DB2 Express Server Edition allows adding the IBM DB2 Encryption Offering and/or the IBM DB2 Performance Management Offering by registering an additional associated license certificate file. You must acquire a separate user license for each authorized user of this product with a minimum purchase of five users per server.
DB2 Express-C Edition includes by default the native backup encryption and native database encryption functionality introduced through the IBM DB2 Encryption Offering. No other DB2 add-on offerings can be added to DB2 Express-C.
DB2 Developer Edition by default includes the functionality provided by all DB2 add-on offerings. The software in this package cannot be used for production systems. You must acquire a separate user license for each Authorized User of this product.

The features of the various new add-on offerings are:

The DB2 BLU Acceleration In-Memory Offering uses column organized table (shadow tables+InfoSphere® Change Data Capture), Intra-Query Parallelism and Workload manager
IBM DB2 Business Application Continuity Offering allows deploying two member DB2 pureScale environment where one member is active for processing the application workloads and one member is an idle standby.The idle standby member provides the DB2 pureScale availability and takes over the application workload in the case of planned or unplanned outages of the primary active member. In addition, the idle standby member is used to perform common administrative functions, and provide the ability to offload compute, emory and I/O administrative tasks away from the primary active member.
The IBM DB2 Encryption Offering includes Native backup encryption and Native database encryption
The IBM DB2 Performance Management Offering includes IBM InfoSphere Optim Performance Manager,IBM InfoSphere Optim Query Workload Tuner and Workload manager

1.2. New Purescale licensing option

For Purescale with DB2 Advanced Enterprise Server Edition or DB2 Advanced Workgroup Server Edition

If your DB2 pureScale configuration contains a member that is used only for administrative or

failover purposes, licensing requirements for this administrative member can be reduced.

See License Information documents

2. DB2 native encryption

Native database encryption (encryption at rest) with no application or schema changes

Included by default in:

DB2 Express-C
DB2 Advanced Workgroup Server Edition
DB2 Advanced Enterprise Server Edition
DB2 Developer Edition

Available for purchase in:

DB2 Express Server Edition
DB2 Workgroup Server Edition
DB2 Enterprise Server Edition

Encryption works via a Database Encryption Key (DEK) which is stored and managed by the database

The Database Encryption Key (DEK) is protected via a Master Key, encrypted master keys are stored outside the database in a PKCS#12-compliant keystore and the keystore is protected via a password.

A DB2 instance is associated with 1 keystore via the keystore_type and keystore_location database manager configuration parameters

The keystore password (in obfuscated form) can be stashed to a file which is owned by the instance owner, this allows the DB2 instance to be started without manual intervention. If the password is not stashed, you cannot access an encrypted database until you provide the keystore password.

Database backup images are automatically encrypted if the encrlib and encropts database configuration parameters are set to a non-null value. The encrypted master key encrypts the backup DEK by default. For non-encrypted databases you can also use the gsk8capicmd command to add a seperate master key to the keystore and specify that label on the BACKUP DATABASE command.

The CREATE DATABASE command now includes an ENCRYPT option which includes

CIPHER AES (default) or CIPHER (3DES)
MODE CBC - encryption algorithm mode with CBC being the default
KEY LENGTH 128 (AES only)/168 (3DES only)/192(AES only)/256(AES only, default)
MASTER KEY LABEL label-name, label-name can be up to 255 characters, if not specified the database manager automatically generates a master key and inserts it into the keystore file. The master key is always encrypted with AES and if automatically generated it is a 256-bit key.

To encrypt a database

Add path to GSKit libraries to your environment - PATH environment variable on Windows platforms and the LIBPATH, SHLIB_PATH, or LD_LIBRARY_PATH environment variable on Linux or UNIX-based platforms.

Linux and UNIX 32-bit	$INSTHOME/sqllib/lib32/gskit
Linux and UNIX 64-bit	$INSTHOME/sqllib/lib64/gskit
Windows 32-bit	C:\Program Files (x86)\IBM\gsk8\lib
Windows 64-bit	64-bit GSKit libraries C:\Program Files\IBM\gsk8\lib64, 32-bit GSKit libraries C:\Program Files (x86)\IBM\gsk8\lib

As the instance owner create a PKCS#12-compliant keystore using either the gsk8capicmd (or gsk8capicmd_64) GSKit command:
The GSKCapiCmd User's Guide is at GSKCapiCmd User's Guide
gsk8capicmd -keydb -create -db ccardskeystore.p12 -pw Str0ngPassw0rd –strong -type pkcs12 –stash

The stash file is keystore_name.sth
Add a master key to the keystore (unless you want to have one automatically generated).
gsk8capicmd –secretkey –add –db ccardskeystore.p12 –stashed –label mylabel.mydb.myinstance.myserver -file mysecretkeyfile

The master key is in the BINARY file 'mysecretkeyfile' which must be the size of the key used to encrypt the database e.g. 256 bits (32 bytes) for AES-256

This should be generated from a secure source E.g. /dev/random
Configure the instance to use the keystore by settings the keystore_type and keystore_location database manager configuration parameters.
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2/ccardskeystore.p12

Examples

First update environment to add gsk8capicmd/gsk8capicmd64 to PATH

E.g. on Linux
su - db2inst1
echo "AddRemoveString PATH /opt/ibm/db2/V10.5.0.5/gskit/bin a" >> ${INSTHOME?}/sqllib/userprofile
cat ${INSTHOME?}/sqllib/userprofile
AddRemoveString PATH /opt/ibm/db2/V10.5.0.5/gskit/bin a

Keystore (with stashed password file) and simple encrypted database

Create keystore as instance owner

The gsk8capicmd_64 has good help:

gsk8capicmd_64 -keydb -create -help

-Command usage-
-db                   Required
-pw | -stashed        Optional
-type                 Optional 
-expire               Optional
-stash                Optional
-strong               Optional
-empty | -populate    Optional
-f                    Optional

gsk8capicmd_64 -keydb -create -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -type pkcs12 -stash -strong 
 ls -lrt /home/db2inst1
total 12
drwxrwxr-x  3 db2inst1 db2iadm1 4096 Mar 21 11:19 db2inst1
drwxrwsr-t 25 db2inst1 db2iadm1 4096 Mar 29 06:17 sqllib
-rw-------  1 db2inst1 db2iadm1    0 Mar 29 06:17 ccardskeystore.p12
-rw-------  1 db2inst1 db2iadm1  129 Mar 29 06:17 ccardskeystore.sth

Configure instance witk keystore

db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst1/ccardskeystore.p12
SQL1362W  One or more of the parameters submitted for immediate modification 
were not changed dynamically. Client changes will not be effective until the 
next time the application is started or the TERMINATE command has been issued. 
Server changes will not be effective until the next DB2START command.
db2stop
db2start
db2 attach to db2inst1
db2 get dbm cfg | grep KEYSTORE
 Keystore type                           (KEYSTORE_TYPE) = PKCS12
 Keystore location                   (KEYSTORE_LOCATION) = /home/db2inst1/ccardskeystore.p12

Create the database with the encryption option

db2 create db daveenc1 encrypt cipher AES KEY LENGTH 192
DB20000I  The CREATE DATABASE command completed successfully.
db2 get db cfg for DAVEENC1 | grep "Encrypted database"
 Encrypted database                                      = YES

FYI List keystore contents, 1 key db2 system generated for instance db2inst1 database DAVEENC1 at 2015-03-29-06.23.50!!

 gsk8capicmd_64 -cert -list all -db /home/db2inst1/ccardskeystore.p12 -stashed
Certificates found
* default, - personal, ! trusted, # secret key
#	DB2_SYSGEN_db2inst1_DAVEENC1_2015-03-29-06.23.50

FYI No expiry on keystore password:

NOTE: Backup encryption is automatically enabled via ENCRLIB/ENCROPTS db cfg parameters with a non-default key length of 192

db2 get db cfg for DAVEENC1 | grep ENCR
 Encryption Library for Backup                 (ENCRLIB) = libdb2encr.so
 Encryption Options for Backup                (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=192

The shared library is under sqllib/lib64

Keystore (with NO stashed password file) and simple encrypted database

db2 drop database daveenc1
DB20000I  The DROP DATABASE command completed successfully.
db2 update dbm cfg using keystore_type NONE keystore_location NULL
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed
rm /home/db2inst1/ccardskeystore.p12 /home/db2inst1/ccardskeystore.sth
db2stop # Bounce only to demo definitely using new unstashed keystore below!
db2start
gsk8capicmd_64 -keydb -create -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -type pkcs12 -strong

# No stash file is created!
ls -lrt /home/db2inst1
total 8
drwxrwxr-x  3 db2inst1 db2iadm1 4096 Mar 21 11:19 db2inst1
drwxrwsr-t 25 db2inst1 db2iadm1 4096 Mar 29 06:17 sqllib
-rw-------  1 db2inst1 db2iadm1    0 Mar 29 07:03 ccardskeystore.p12

db2stop

db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst1/ccardskeystore.p12
DB20000I  The UPDATE DATABASE MANAGER CONFIGURATION command completed successfully.

db2start OPEN KEYSTORE USING Str0ngPassw0rd
03/29/2015 07:07:55     0   0   SQL1063N  DB2START processing was successful.
SQL1063N  DB2START processing was successful.

db2 create db daveenc1 encrypt 
DB20000I  The CREATE DATABASE command completed successfully.

db2 get db cfg for DAVEENC1 | grep ENCR
 Encryption Library for Backup                 (ENCRLIB) = libdb2encr.so
 Encryption Options for Backup                (ENCROPTS) = CIPHER=AES:MODE=CBC:KEY LENGTH=256

NOTE: Backup encryption is automatically enabled via ENCRLIB/ENCROPTS db cfg parameters with a default key length of 256

Alternative instance startup using filename

db2stop force

Put password into /tmp/bbb1

db2start OPEN KEYSTORE PASSARG filename:/tmp/bbb1
03/29/2015 07:16:03     0   0   SQL1063N  DB2START processing was successful.
SQL1063N  DB2START processing was successful.

db2 connect to daveenc1

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.5
 SQL authorization ID   = DB2INST1
 Local database alias   = DAVEENC1

Alternative instance startup using file descriptor!!

bash
exec 5</tmp/bbb1
echo $$
53088
lsof -p 53088 | egrep "COMMAND|bbb1"
COMMAND   PID     USER   FD   TYPE DEVICE SIZE/OFF    NODE NAME
bash    53088 db2inst1    5r   REG    8,3       15  266413 /tmp/bbb1

03/29/2015 07:23:45     0   0   SQL1063N  DB2START processing was successful.
SQL1063N  DB2START processing was successful.
db2 connect to daveenc1

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.5
 SQL authorization ID   = DB2INST1
 Local database alias   = DAVEENC1

db2 "create table a (b int)"
DB20000I  The SQL command completed successfully.

Backup encryption

This is either enabled via:

Set Database cfg parameters encrlib/encropts

These are set automatically if the database is created encrypted.

Only a user with SECADM authorization can change the setting of the encrlib/encropts configuration parameters.

encrlib must either be a full path or relative to the  current working directory of the DB2 server.

When the encrlib configuration parameter is set, you cannot specify any compression options with your backup operations, 
and the only valid encryption option that you can specify is EXCLUDE.

db2 backup database daveenc1

Backup successful. The timestamp for this backup image is : 20150329073730

To both compress and encrypt a database backup image, specify the db2compr_encr library 
(or the libdb2compr_encr library on non-Windows platforms) in place of db2encr (or libdb2encr).

specifying the ENCRYPT option with the BACKUP DATABASE command

NOTE: When database cfg parameters encrlib/encropts are only the encrypt exclude option can be used.

db2 backup database daveenc1 encrypt exclude # library is not stored in the backup image

Backup successful. The timestamp for this backup image is : 20150329074657

db2 backup database daveenc1 encrypt encrlib 'libdb2compr_encr.so' # Compress and encrypt
SQL2459N  The BACKUP DATABASE command failed to process an encrypted database 
backup or compressed database backup because of configuration or command 
errors. Reason code "1".

db2 connect to daveenc1 # Must connect to db to change encrlib/encropts

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.5
 SQL authorization ID   = DB2INST1
 Local database alias   = DAVEENC1


db2 update db cfg for daveenc1 using encrlib NULL encropts NULL
DB20000I  The UPDATE DATABASE CONFIGURATION command completed successfully.

db2 backup database daveenc1 encrypt encrlib 'libdb2compr_encr.so'

Backup successful. The timestamp for this backup image is : 20150329075200

db2 backup database daveenc1 encrypt 

Backup successful. The timestamp for this backup image is : 20150329075312

# Backup with seperate master key

Put password in file /tmp/ccc1
gsk8capicmd_64 -secretkey -add -db /home/db2inst1/ccardskeystore.p12 -file /tmp/ccc1 -label inst1.bkup -pw Str0ngPassw0rd

db2 "backup database daveenc1 encrypt encrlib 'libdb2encr.so' encropts 'Cipher=AES:Mode=CBC:Key Length=256:Master Key Label=inst1.bkup'"

Backup successful. The timestamp for this backup image is : 20150406072630

Restore database

db2 terminate
DB20000I  The TERMINATE command completed successfully.

db2 attach to db2inst1

   Instance Attachment Information

 Instance server        = DB2/LINUXX8664 10.5.5
 Authorization ID       = DB2INST1
 Local instance alias   = DB2INST1

 db2 drop database daveenc1
DB20000I  The DROP DATABASE command completed successfully.

db2 "restore database daveenc1 taken at 20150406072630 encrypt"
DB20000I  The RESTORE DATABASE command completed successfully.

db2 connect to daveenc1

   Database Connection Information

 Database server        = DB2/LINUXX8664 10.5.5
 SQL authorization ID   = DB2INST1
 Local database alias   = DAVEENC1

Restore to another instance on another host

# Set instance to use keystore
gsk8capicmd_64 -keydb -create -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -type pkcs12 -strong # No stash file
db2 attach to db2inst1
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst1/ccardskeystore.p12
db2stop force
db2start open keystore using Str0ngPassw0rd
db2 attach to db2inst1
# Create encrypted database
db2 create db daveenc1 encrypt cipher AES KEY LENGTH 192
# Generate new master key of length 192 for backup database
dd if=/dev/random of=/tmp/ccc1 bs=1 count=24
gsk8capicmd_64 -secretkey -add -db /home/db2inst1/ccardskeystore.p12 -file /tmp/ccc1 -label inst1.bkup -pw Str0ngPassw0rd
# Backup using new master key with Key Length=192
db2 connect to daveenc1
db2 update db cfg for daveenc1 using encrlib NULL encropts NULL
db2 "backup database daveenc1 to /tmp/a encrypt encrlib 'libdb2encr.so' encropts 'Cipher=AES:Mode=CBC:Key Length=192:Master Key Label=inst1.bkup'"
# Export key from primary keystore
gsk8capicmd_64 -cert -export -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -label inst1.bkup -target /tmp/t.p12 -target_type pkcs12 -target_pw Tran5ferPassw0rd
### On inst2
# Import Database Backup Key
gsk8capicmd_64 -keydb -create -db ~/ccardskeystore.p12 -pw Str0ngPassw0rd -type pkcs12 -strong 
scp 192.168.124.133:/tmp/t.p12 /tmp/t.p12
gsk8capicmd_64 -cert -import -db /tmp/t.p12 -pw Tran5ferPassw0rd -label inst1.bkup -target ~/ccardskeystore.p12 -target_type pkcs12 -target_pw Str0ngPassw0rd
# Copy backup
scp -r 192.168.124.133:/tmp/a /tmp
# Restore backup
db2 attach to db2inst2
db2 update dbm cfg using INTRA_PARALLEL YES
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst2/ccardskeystore.p12
db2stop force
db2start open keystore using Str0ngPassw0rd
db2 "restore database daveenc1 from /tmp/a taken at 20150519052908 encropts 'show master key details'"
ls ~/sqllib/db2dump/DAVEENC1.*.masterKeyDetails
/home/db2inst2/sqllib/db2dump/DAVEENC1.0.db2inst1.DBPART000.20150519052908.masterKeyDetails
more /home/db2inst2/sqllib/db2dump/DAVEENC1.0.db2inst1.DBPART000.20150519052908.masterKeyDetails

                 KeyStore Type: PKCS12
             KeyStore Location: /home/db2inst1/ccardskeystore.p12
            KeyStore Host Name: localhost.localdomain
           KeyStore IP Address: ::1
      KeyStore IP Address Type: IPV6
          Encryption Algorithm: AES
     Encryption Algorithm Mode: CBC
         Encryption Key Length: 192
              Master Key Label: inst1.bkup

db2 "restore database daveenc1 from /tmp/a taken at 20150519052908 on /home/db2inst2 dbpath on /home/db2inst2 encrypt cipher AES KEY LENGTH 192 MASTER KEY LABEL inst1.bkup" 
SQL2523W  Warning!  Restoring to an existing database that is different from 
the database on the backup image, but have matching names. The target database 
will be overwritten by the backup version.  The Roll-forward recovery logs 
associated with the target database will be deleted.
Do you want to continue ? (y/n) 
DB20000I  The RESTORE DATABASE command completed successfully.

Setup HADR with Encrypted database
Instance inst1 192.168.124.133 database daveenc1 HADR port 60000
Instance inst2 192.168.124.143 database daveenc1 HADR port 60000
Setup encrypted database with keystore on first instance db2inst1
# Set instance to use keystore
gsk8capicmd_64 -keydb -create -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -type pkcs12 -strong # No stash file
db2 attach to db2inst1
db2 update dbm cfg using INTRA_PARALLEL YES
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst1/ccardskeystore.p12
db2stop force
db2start open keystore using Str0ngPassw0rd
db2 attach to db2inst1
# Create encrypted database
dd if=/dev/random of=/tmp/ccc1 bs=1 count=24
gsk8capicmd_64 -secretkey -add -db /home/db2inst1/ccardskeystore.p12 -file /tmp/ccc1 -label inst1.db -pw Str0ngPassw0rd
db2 create db daveenc1 encrypt cipher AES KEY LENGTH 192 MASTER KEY LABEL inst1.db
# Generate new backup master key of length 192
dd if=/dev/random of=/tmp/ccc1 bs=1 count=24
gsk8capicmd_64 -secretkey -add -db /home/db2inst1/ccardskeystore.p12 -file /tmp/ccc1 -label inst1.bkup -pw Str0ngPassw0rd
# Backup using new master key with Key Length=192
db2 connect to daveenc1
db2 update db cfg for daveenc1 using encrlib NULL encropts NULL
db2 update db cfg for daveenc1 using LOGARCHMETH1 LOGRETAIN
mkdir /tmp/a
db2 "backup database daveenc1 to /tmp/a encrypt encrlib 'libdb2encr.so' encropts 'Cipher=AES:Mode=CBC:Key Length=192:Master Key Label=inst1.bkup'"
# Timestamp 20150519064234
# Poke hole in firewalls for port 60000
iptables --line -vnL
iptables -I INPUT 5 -i eth0 -p tcp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
# Set parameters on primary database
db2 update db cfg for daveenc1 using HADR_LOCAL_HOST 192.168.124.133
db2 update db cfg for daveenc1 using HADR_LOCAL_SVC 60000
db2 update db cfg for daveenc1 using HADR_REMOTE_HOST 192.168.124.143
db2 update db cfg for daveenc1 using HADR_REMOTE_SVC 60000
db2 update db cfg for daveenc1 using HADR_REMOTE_INST db2inst2
db2 update db cfg for daveenc1 using LOGINDEXBUILD ON
# Export key from primary keystore
gsk8capicmd_64 -cert -export -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -label inst1.db -target /tmp/td.p12 -target_type pkcs12 -target_pw Tran5ferPassw0rd
gsk8capicmd_64 -cert -export -db /home/db2inst1/ccardskeystore.p12 -pw Str0ngPassw0rd -label inst1.bkup -target /tmp/tb.p12 -target_type pkcs12 -target_pw Tran5ferPassw0rd
### On inst2
# Poke hole in firewalls for port 60000
iptables --line -vnL
iptables -I INPUT 5 -i eth0 -p tcp --dport 60000 -m state --state NEW,ESTABLISHED -j ACCEPT
# Create and use keystore
db2 attach to db2inst2
db2 update dbm cfg using INTRA_PARALLEL YES
db2 update dbm cfg using keystore_type pkcs12 keystore_location /home/db2inst2/ccardskeystore.p12
db2stop force
db2start open keystore using Str0ngPassw0rd
# Imports keys
scp 192.168.124.133:/tmp/t.p12 /tmp/t.p12
gsk8capicmd_64 -cert -import -db /tmp/t.p12 -pw Tran5ferPassw0rd -label inst1.bkup -target ~/ccardskeystore.p12 -target_type pkcs12 -target_pw Str0ngPassw0rd
# Create and deactivate db
gsk8capicmd_64 -keydb -create -db ~/ccardskeystore.p12 -pw Str0ngPassw0rd -type pkcs12 -strong
scp 192.168.124.133:/tmp/td.p12 /tmp/td.p12
gsk8capicmd_64 -cert -import -db /tmp/td.p12 -pw Tran5ferPassw0rd -label inst1.db -target ~/ccardskeystore.p12 -target_type pkcs12 -target_pw Str0ngPassw0rd
scp 192.168.124.133:/tmp/tb.p12 /tmp/tb.p12
gsk8capicmd_64 -cert -import -db /tmp/t.p12 -pw Tran5ferPassw0rd -label inst1.bkup -target ~/ccardskeystore.p12 -target_type pkcs12 -target_pw Str0ngPassw0rd
db2 create db daveenc1 encrypt cipher AES KEY LENGTH 192 MASTER KEY LABEL inst1.db
db2 connect to daveenc1
vim /tmp/c
SELECT VARCHAR(STORAGE_GROUP_NAME, 30) AS STOGROUP, VARCHAR(DB_STORAGE_PATH, 40)
AS STORAGE_PATH FROM TABLE(ADMIN_GET_STORAGE_PATHS('',-1)) AS T;
db2 -tvf /tmp/c
db2 list db directory | grep Local # Both /home/db2inst2
db2 terminate
db2 attach to db2inst2
db2 update db cfg for daveenc1 using LOGARCHMETH1 LOGRETAIN
db2 update db cfg for daveenc1 using LOGINDEXBUILD ON
db2 deactivate database daveenc1
# Copy backup
scp -r 192.168.124.133:/tmp/a /tmp
# Restore backup
db2 attach to db2inst2
db2 "restore database daveenc1 from /tmp/a taken at 20150519070837 encropts 'show master key details'"
ls -1rt ~/sqllib/db2dump/DAVEENC1.*.masterKeyDetails
/home/db2inst2/sqllib/db2dump/DAVEENC1.0.db2inst1.DBPART000.20150519064234.masterKeyDetails
more /home/db2inst2/sqllib/db2dump/DAVEENC1.0.db2inst1.DBPART000.20150519064234.masterKeyDetails

                 KeyStore Type: PKCS12
             KeyStore Location: /home/db2inst1/ccardskeystore.p12
            KeyStore Host Name: localhost.localdomain
           KeyStore IP Address: ::1
      KeyStore IP Address Type: IPV6
          Encryption Algorithm: AES
     Encryption Algorithm Mode: CBC
         Encryption Key Length: 192
              Master Key Label: inst1.bkup

db2 "restore database daveenc1 from /tmp/a taken at 20150519070837  on /home/db2inst2 dbpath on /home/db2inst2" 
SQL2523W  Warning!  Restoring to an existing database that is different from 
the database on the backup image, but have matching names. The target database 
will be overwritten by the backup version.  The Roll-forward recovery logs 
associated with the target database will be deleted.
Do you want to continue ? (y/n) 
DB20000I  The RESTORE DATABASE command completed successfully.
db2 rollforward db daveenc1 query status
#Setup HADR parameters on standby and start hadr on standby
db2 update db cfg for daveenc1 using HADR_LOCAL_HOST 192.168.124.143
db2 update db cfg for daveenc1 using HADR_LOCAL_SVC 60000
db2 update db cfg for daveenc1 using HADR_REMOTE_HOST 192.168.124.133
db2 update db cfg for daveenc1 using HADR_REMOTE_SVC 60000
db2 update db cfg for daveenc1 using HADR_REMOTE_INST db2inst1
db2 start hadr on database daveenc1 as standby
### On db2inst1
db2 start hadr on database daveenc1 as primary
# Check HADR state from primary
[db2inst1@localhost ~]$ db2pd -db daveenc1 -hadr

Database Member 0 -- Database DAVEENC1 -- Active -- Up 0 days 00:02:25 -- Date 2015-05-19-07.27.00.091347

                            HADR_ROLE = PRIMARY
                          REPLAY_TYPE = PHYSICAL
                        HADR_SYNCMODE = NEARSYNC
                           STANDBY_ID = 1
                        LOG_STREAM_ID = 0
                           HADR_STATE = PEER
                           HADR_FLAGS = 
                  PRIMARY_MEMBER_HOST = 192.168.124.133
                     PRIMARY_INSTANCE = db2inst1
                       PRIMARY_MEMBER = 0
                  STANDBY_MEMBER_HOST = 192.168.124.143
                     STANDBY_INSTANCE = db2inst2
                       STANDBY_MEMBER = 0
                  HADR_CONNECT_STATUS = CONNECTED
             HADR_CONNECT_STATUS_TIME = 05/19/2015 07:26:14.821049 (1432045574)
          HEARTBEAT_INTERVAL(seconds) = 30
                     HEARTBEAT_MISSED = 0
                   HEARTBEAT_EXPECTED = 1
                HADR_TIMEOUT(seconds) = 120
        TIME_SINCE_LAST_RECV(seconds) = 16
             PEER_WAIT_LIMIT(seconds) = 0
           LOG_HADR_WAIT_CUR(seconds) = 0.000
    LOG_HADR_WAIT_RECENT_AVG(seconds) = 0.000000
   LOG_HADR_WAIT_ACCUMULATED(seconds) = 0.000
                  LOG_HADR_WAIT_COUNT = 0
SOCK_SEND_BUF_REQUESTED,ACTUAL(bytes) = 0, 19800
SOCK_RECV_BUF_REQUESTED,ACTUAL(bytes) = 0, 87380
            PRIMARY_LOG_FILE,PAGE,POS = S0000000.LOG, 0, 44933825
            STANDBY_LOG_FILE,PAGE,POS = S0000000.LOG, 0, 44933825
                  HADR_LOG_GAP(bytes) = 0
     STANDBY_REPLAY_LOG_FILE,PAGE,POS = S0000000.LOG, 0, 44933825
       STANDBY_RECV_REPLAY_GAP(bytes) = 3979691
                     PRIMARY_LOG_TIME = 05/19/2015 07:08:41.000000 (1432044521)
                     STANDBY_LOG_TIME = 05/19/2015 07:08:41.000000 (1432044521)
              STANDBY_REPLAY_LOG_TIME = 05/19/2015 07:08:41.000000 (1432044521)
         STANDBY_RECV_BUF_SIZE(pages) = 4298
             STANDBY_RECV_BUF_PERCENT = 0
           STANDBY_SPOOL_LIMIT(pages) = 25600
                STANDBY_SPOOL_PERCENT = 0
                   STANDBY_ERROR_TIME = NULL
                 PEER_WINDOW(seconds) = 0
             READS_ON_STANDBY_ENABLED = N
### On db2inst2
# Check HADR state from standby
[db2inst2@localhost ~]$ db2pd -db daveenc1 -hadr

Database Member 0 -- Database DAVEENC1 -- Standby -- Up 0 days 00:10:47 -- Date 2015-05-19-07.28.36.424548

                            HADR_ROLE = STANDBY
                          REPLAY_TYPE = PHYSICAL
                        HADR_SYNCMODE = NEARSYNC
                           STANDBY_ID = 0
                        LOG_STREAM_ID = 0
                           HADR_STATE = PEER
                           HADR_FLAGS = 
                  PRIMARY_MEMBER_HOST = 192.168.124.133
                     PRIMARY_INSTANCE = db2inst1
                       PRIMARY_MEMBER = 0
                  STANDBY_MEMBER_HOST = 192.168.124.143
                     STANDBY_INSTANCE = db2inst2
                       STANDBY_MEMBER = 0
                  HADR_CONNECT_STATUS = CONNECTED
             HADR_CONNECT_STATUS_TIME = 05/19/2015 07:26:14.810373 (1432045574)
          HEARTBEAT_INTERVAL(seconds) = 30
                     HEARTBEAT_MISSED = 0
                   HEARTBEAT_EXPECTED = 4
                HADR_TIMEOUT(seconds) = 120
        TIME_SINCE_LAST_RECV(seconds) = 22
             PEER_WAIT_LIMIT(seconds) = 0
           LOG_HADR_WAIT_CUR(seconds) = 0.000
    LOG_HADR_WAIT_RECENT_AVG(seconds) = 0.000000
   LOG_HADR_WAIT_ACCUMULATED(seconds) = 0.000
                  LOG_HADR_WAIT_COUNT = 0
SOCK_SEND_BUF_REQUESTED,ACTUAL(bytes) = 0, 19800
SOCK_RECV_BUF_REQUESTED,ACTUAL(bytes) = 0, 87380
            PRIMARY_LOG_FILE,PAGE,POS = S0000000.LOG, 0, 44933825
            STANDBY_LOG_FILE,PAGE,POS = S0000000.LOG, 0, 44933825
                  HADR_LOG_GAP(bytes) = 0
     STANDBY_REPLAY_LOG_FILE,PAGE,POS = S0000000.LOG, 0, 44933825
       STANDBY_RECV_REPLAY_GAP(bytes) = 3979691
                     PRIMARY_LOG_TIME = 05/19/2015 07:08:41.000000 (1432044521)
                     STANDBY_LOG_TIME = 05/19/2015 07:08:41.000000 (1432044521)
              STANDBY_REPLAY_LOG_TIME = 05/19/2015 07:08:41.000000 (1432044521)
         STANDBY_RECV_BUF_SIZE(pages) = 4298
             STANDBY_RECV_BUF_PERCENT = 0
           STANDBY_SPOOL_LIMIT(pages) = 25600
                STANDBY_SPOOL_PERCENT = 0
                   STANDBY_ERROR_TIME = NULL
                 PEER_WINDOW(seconds) = 0
             READS_ON_STANDBY_ENABLED = N

3. Column-organized tables enhancements

3.1. Additional operating systems

Column-organized tables are now supported on

Linux on zSeries see System requirements for IBM DB2 for Linux, UNIX, and Windows

Windows operating systems that are supported by DB2 Advanced Enterprise Server Edition and DB2 Advanced Workgroup Server Edition, see also Additional installation considerations (Windows)

Only a single processor group is supported. BLU Acceleration for Windows has the same recommended minimums as all other platforms, specifically 8 cores, and 64 GB RAM. 
In addition, a maximum of four sockets is supported. If you are running more than one socket, set performance variable DB2_RESOURCE_POLICY to AUTOMATIC.

Windows Installer 3.0 is required. 

IBM Data Server Provider for .NET client applications and CLR server-side procedures require .NET 2.0 or later framework runtime. In an x64 environment, 32-bit IBM data server provider for .NET applications runs in the WOW64 emulation mode.

If you plan to use LDAP (Lightweight Directory Access Protocol), use either a Microsoft LDAP client or the IBM Tivoli® Directory Server v6 client (also known as the IBM LDAP client which is included with DB2 database products). Before installation of the Microsoft Active Directory, you must extend your directory schema using the db2schex utility, which can be found on the installation media under the db2\Windows\utilities directory.

The Microsoft LDAP client is included with Windows operating systems.

The computer name of the Windows workstation on which the DB2 installation files are located, must be 15 characters or less in length.

Note: DB2 database products support the hardware-enforced Data Execution Prevention (DEP) feature that is built into some Windows operating systems.

4. HADR enhancements

4.1. BLU+HADR on Windows

DB2 BLU and HADR are now supported on Windows

4.2. IBM Tivoli System Automation for Multiplatforms Version 4.1

IBM Tivoli System Automation for Multiplatforms Version 4.1 is now supported with HADR

5. Purescale enhancements

5.1. Geographically dispersed DB2 pureScale cluster

Geographically dispersed DB2 pureScale cluster are now supported on any x64 Intel compatible rack mounted server

which supports these Ethernet RoCE adapters:

Mellanox ConnectX-2 generation card supporting RDMA over converged Ethernet (RoCE)
Mellanox ConnectX-3 generation card supporting RDMA over converged Ethernet (RoCE)

5.2. Cluster caching facility (CF) self-tuning memory

Cluster caching facility (CF) self-tuning memory can now be explicitly enabled to

help optimize performance and avoid out of memory conditions.

CF self-tuning memory is enabled by setting registry variable DB2_DATABASE_CF_MEMORY to AUTO.

When enabled, CF self-tuning memory avoids out of memory conditions by tuning database memory parameters

cf_db_mem_sz, cf_gbp_sz, cf_lock_sz, and cf_sca_sz.

CF memory is shared by these parameters. The values of these four database memory parameters are interdependent.

In a multiple database environment, CF memory is configured automatically based on workload and available memory.

Databases that are already active automatically give up CF memory for newly activated databases until a workload-based

distribution of CF memory is reached.

When a database is added, there is no downtime to reconfigure CF memory allocation.

6. Application interface enhancements

6.1. CLI Driver Enhancements

You can now establish SSL connections to a database server by setting the Security CLI keyword or the SecurityTransportMode IBM® data server driver configuration keyword to SSL without separately installing and configuring the GSkit product.
You can now establish SSL connection using a self-signed certificate or a certificate authority (CA) certificate by setting the SSLServerCertificate keyword. By setting the SSLServerCertificate keyword, you avoid having to set the SSLClientKeystoredb keyword with the SSLClientKeystoreDBPassword or SSLClientKeyStash keyword.
You can now issue the db2dsdcfgfill command to read in the LDAP database entries in the local database directory and create the IBM data server driver configuration file.
You can now retrieve the default client information register values that are set on the DB2 for z/OS server by setting the enableDefaultClientInfo IBM data server driver configuration keyword to True.
You can now retrieve the extended table information about the IBM DB2 Analytics Accelerator for IBM z/OS (IDAA) table by setting the ExtendedTableInfo keyword to True.
You can now obtain additional diagnostic logs when a selected SQLCODE is first encountered in a connection to the DB2 for z/OS server with the db2dumpSQLCodes IBM data server driver configuration keyword.

6.2. IBM Data Server Provider for .NET Enhancements

The IBM Data Server Provider for .NET supports the Entity Framework 6.0 features that are related to the Database First approach.
You can now retrieve the default client information register values that are set by the DB2 for z/OS server by setting the enableDefaultClientInfo IBM data server driver configuration keyword to True.
You can now retrieve the extended table information about the IBM DB2 Analytics Accelerator for IBM z/OS (IDAA) table by setting the ExtendedTableInfo keyword to True.
You can now establish SSL connection using a self-signed certificate or a certificate authority (CA) certificate by setting the SSLServerCertificate keyword or the SSLServerCertificate property. By setting the SSLServerCertificate keyword or the SSLServerCertificate property, you avoid having to set the SSLClientKeystoredb keyword with the SSLClientKeystoreDBPassword or SSLClientKeyStash keyword.

6.3. Client information IBM data server driver configuration keywords with embedded SQL applications

See Use of the db2dsdriver.cfg configuration file by embedded SQL applications

Embedded SQL applications support use of the IBM® data server driver configuration file (db2dsdriver.cfg) for high availability solutions with supported servers.
You can use the IBM data server driver configuration file (db2dsdriver.cfg) for work load balancing (WLB) and automatic client reroute (ACR) with supported servers.
The WLB and ACR associated keywords are available for use with the embedded applications.
You can use the IBM data server driver configuration file (db2dsdriver.cfg) to set the client information registers.
The embedded SQL application cannot perform seamless failover.
The ability to resolve the data source name (DSN) with <dsncollection> section entry in the db2dsdriver.cfg file is only supported with IBM Data Server Driver Package.
Embedded SQL applications can use timeout values in the db2dsdriver.cfg file
Any unrecognized data server keywords are ignored silently by the embedded SQL application.

7. Miscellaneous enhancements

7.1. Scalar UDF exeuction improved with column-organized tables

This enhancement can be particularly beneficial when scalar UDFs that

meet the following criteria are included in the predicate of a query.

UDFs are defined as NO SQL and ALLOW PARALLEL
Input and output data types are supported in column-organized tables.

7.2. Exclusive access provided for 1 or more network cards per member

One or more network interface cards (NICs) can now be specified through which a DB2 member can acquire exclusive access to a specific port.

NICs can be specified by IP address or by the host name that maps to that address in the nicbinding.cfg file

When a DB2 member starts, it attempts to acquire exclusive access to a specific port on all NICs on the host, any other DB2 instance on the same host must be configured to use a different port to service remote clients or drivers.

Starting in Version 10.5 Fix Pack 5, you can specify one or more NICs through which a DB2 member can acquire exclusive access to a specific port, thereby avoiding contention for the same port number.

This can be done for a subset of members

You can specify a particular NIC by its IP address or by the host name that maps to that address in the nicbinding.cfg file, which you can find in the ~/sqllib/cfg directory (or the ~/sqllib_shared/cfg directory in DB2 pureScale® environments).

To specify multiple NICs, use a multihomed host name that maps to the IP addresses for those NICs.

If the specified port on a specified NIC is already owned by another DB2 instance, or the specified host name or IP address does not represent any valid NIC on the host, the pairing is considered invalid, and SQL5043N is returned when the DB2 member starts.

Add binding information to the nicbinding.cfg file. Each line in the configuration file represents a binding between a single DB2 member and its NIC.


Here all 3 members are bound to specific NICs:

0 9.1.2.1
1 9.1.2.2
2 host1.newyork.mycompany.com

Here member 2 is not bound to a NIC so will bind to all NICs on the host:

0 host1
1 host2.chicago.mycompany.com
3 9.1.2.4

Multi-homed hostnames can be used to bind to mulitple NICs:

0 host67m1 # Multi-homed address -> 3 NICs
3 host68m1 # Multi-homed address -> 2 NICs
6 9.2.5.6  # IP address -> 1 NIC

MON_GET_INSTANCE table function can be used to get NIC binding information:

db2
  "select MEMBER,
     substr(NETWORK_INTERFACE_BOUND,1,16)
       as NETWORK_INTERFACE_ID
     from table(MON_GET_INSTANCE(-2))"

MEMBER NETWORK_INTERFACE_ID
------ --------------------
     1 host67e1  
     0 9.2.3.3

7.3. db2cli Enhancements

7.3.1. IBM data server driver configuration file with LDAP catalog entries

The IBM data server driver configuration file (db2dsdriver.cfg) can be configured with information from LDAP catalog entries using the -refreshldap option

See db2cli - DB2 interactive CLI command

7.3.2. LDAP catalog entries to register DSNs with Microsoft ODBC Driver Manager

LDAP catalog entries can be used to register data source names (DSNs) in the Microsoft ODBC Driver Manager

with the -includeldap option.

See db2cli - DB2 interactive CLI command

7.3.3. IBM Tivoli System Automation for Multiplatforms (SA MP) Version 4.1 on supported AIX operating systems

IBM Tivoli System Automation for Multiplatforms (SA MP) Version 4.1 is now supported on supported AIX environments

7.3.4. User IDs and group IDs can now be up to 128 bytes on Linux and UNIX operating systems

User IDs and group IDs can now be up to 128 bytes on Linux and UNIX operating systems, this is increased from 8 characters in previous versions

Any operating system level naming restrictions still apply