Under strict conditions, you can reconstruct a damaged or lost keystore secured with an HSM, provided the keystore was created using a password-based encryption (PBE) cipher for the database master key (DMK).

If the database has TDE encryption with the PBE cipher, you must supply the PBE passphrase together with the administrator passphrase in the keystore reconstruction command. Make sure that the environment variable that identifies the HSM points to the database token.

Use the describe option of the PROREST utility to examine the database, for example:

prorest sports2020 -C describe

The Database Features section of the output shows that TDE encryption and HSM authentication are enabled:

Database Features 
 ID           Feature                     Active    Details
----          ----------------------     -------    -------
   5          Large Files                Yes
   9          64 Bit DBKEYS              Yes
  10          Large Keys                 Yes
  11          64 Bit Sequences           Yes
  13          Encryption                 Yes
  29          TDE DB Policy Management   Yes
  30          HSM KMK Support            Yes

Autostart database

Verify that autostart is enabled:

proutil -c epolicy view autostart
Autostart: Enabled

Then view the keystore:

proutil sports2020 -c epolicy view keystore
Keystore created : 01.21.2021 01:17 GMT
Keystore updated : 02.09.2021 21:51 GMT
KMK location : HSM
HSM details : SlotID=1052770088 Library=/tools/linuxx8664/softhsmm-2.6.2/libsofthsm2.so
Administrator account valid : True
User account valid : True
DMK valid : True
DMK_1 id : rt6IQS/Yo7V6FCoKgLqfBA
DMK_1 state : Active
DMK_1 created : 02.09.2021 21:51 GMT
DMK_1 updated : 02.09.2021 21:51 GMT
DMK_1 cipher : AES256_CBC_PBE
DBCtx valid : True
DBCtx DB id : 5qZZ52yLqLB4FBfSAO5yYA
DBCtx_1 DB policy id : rt6IQS/Yo7V6FCoKkIZ4BA
DBCtx_1 DB policy state : Current
DBCtx_1 DB policy version : 0
DBCtx_1 DMK cipher : AES256_CBC_PBE
DBCtx_1 DMK id : rt6IQS/Yo7V6FCoKgLqfBA

If the keystore is missing or damaged, the epolicy view keystore command returns a message like this:

Key store validation error -449: (keystore) missing key-store file {02020398} (15568)

When the keystore is missing, an attempt to start the database returns errors like these:

13:43:32 BROKER  0:  dbecA181PolicyInsert: Internal security service error {2} (dksp) Key store load failed (15014)
[2]13:43:32 BROKER  0:  dbecA181PolicyInsert: Internal security service error {2} (keystore) missing key-store file {02020dec} (15014)
[2]13:43:32 BROKER  0:  dbecA181PolicyInsert: Internal error from dskp -101

For a missing keystore, run the keystore reconstruct utility:

proutil sports2020 -c epolicy manage keystore reconstruct

The command prompts for your PBE passphrase and administrator passphrase. After manage keystore reconstruct completes, back up your keystore file.

The command disables autostart, so you need to re-enable it, for example:

proutil sports2020 -c epolicy manage keystore autostart admin -Passphrase < adminphrase.txt

After manage keystore autostart completes, back up your keystore file again. Then verify that autostart is enabled and view the keystore, using the commands described earlier. If both commands return the expected results, you can restart the database.

Manual start database

When you start the encrypted database manually, you must supply both its administrator passphrase and the HSM PIN, for example:

prosrv -S 4325 sports2020 -Passphrase -Pin < adminhsmpin.txt

Reset the environment variable that identifies the HSM for this database:

$ SOFTHSM2_CONF=/largedisk/cora/lin64/125/hsm/softhsm2.conf; export SOFTHSM2_CONF

Then view the keystore:

proutil sports2020 -c epolicy view keystore -Passphrase -Pin < adminhsmpin.txt
Keystore created : 01.21.2021 01:17 GMT
Keystore updated : 02.09.2021 21:51 GMT
KMK location : HSM
HSM details : SlotID=1052770088 Library=/tools/linuxx8664/softhsmm-2.6.2/libsofthsm2.so
Administrator account valid : True
User account valid : True
DMK valid : True
DMK_1 id : rt6IQS/Yo7V6FCoKgLqfBA
DMK_1 state : Active
DMK_1 created : 02.09.2021 21:51 GMT
DMK_1 updated : 02.09.2021 21:51 GMT
DMK_1 cipher : AES256_CBC_PBE
DBCtx valid : True
DBCtx DB id : 5qZZ52yLqLB4FBfSAO5yYA
DBCtx_1 DB policy id : rt6IQS/Yo7V6FCoKkIZ4BA
DBCtx_1 DB policy state : Current
DBCtx_1 DB policy version : 0
DBCtx_1 DMK cipher : AES256_CBC_PBE
DBCtx_1 DMK id : rt6IQS/Yo7V6FCoKgLqfBA

If the keystore is missing or damaged, the epolicy view keystore command returns a message like this:

Key store validation error -449: (keystore) missing key-store file {02020398} (15568)

When the keystore is missing, an attempt to start the database returns errors like these:

13:43:32 BROKER  0:  dbecA181PolicyInsert: Internal security service error {2} (dksp) Key store load failed (15014)
[2]13:43:32 BROKER  0:  dbecA181PolicyInsert: Internal security service error {2} (keystore) missing key-store file {02020dec} (15014)
[2]13:43:32 BROKER  0:  dbecA181PolicyInsert: Internal error from dskp -101

For a missing keystore, run the keystore reconstruct utility:

proutil sports2020 -c epolicy manage keystore reconstruct -Pin

The command prompts for your PBE passphrase, administrator passphrase, and HSM PIN. After manage keystore reconstruct completes, back up your keystore file.

Verify that autostart remains disabled:

proutil -c epolicy view autostart -Passphrase -Pin < adminhsmpin.txt
Autostart: Disabled

You may then run the epolicy view keystore command again to verify that the keystore is reconstructed, and if so, you may restart the database.
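The following shell script is an added example, not part of the OpenEdge documentation above. It wraps the epolicy commands from both procedures (Autostart database and Manual start database) with the checks a DBA would want around a reconstruction: that SOFTHSM2_CONF points at a readable HSM configuration before anything is attempted, that the "view keystore" output really shows the -449 missing-keystore error before reconstruct is run, that the keystore file is backed up after reconstruct (and again after autostart is re-enabled), and that the keystore loads cleanly before the database is restarted. It also reports whether the DMK cipher is PBE-based, which decides whether a lost keystore could be reconstructed at all. Assumptions not on the page: the keystore file path is passed as an argument, the database name is passed to every proutil call, and the passphrase and PIN files are the adminphrase.txt and adminhsmpin.txt used in the page's commands.

```shell
#!/bin/sh
# Added example, not from the OpenEdge documentation: wraps the documented
# epolicy commands with the checks a DBA wants before and after a keystore
# reconstruction. Assumptions not on the page: the keystore file path is
# passed as an argument, the database name is passed to every proutil call,
# and the passphrase/PIN files are the adminphrase.txt / adminhsmpin.txt
# used in the page's commands.

# Classify "epolicy view keystore" output read on stdin. Prints:
#   ok       keystore loaded, DMK and DBCtx valid
#   missing  validation error -449 (missing or damaged key-store file)
#   unknown  anything else (never run reconstruct on this)
keystore_state() {
    out=$(cat)
    case "$out" in
        *"Key store validation error -449"*)        echo missing ;;
        *"DMK valid : True"*"DBCtx valid : True"*)  echo ok ;;
        *)                                          echo unknown ;;
    esac
}

# Reconstruction is only possible when the DMK was created with a
# password-based encryption (PBE) cipher, so run this while the keystore is
# still healthy to know whether a lost keystore could be rebuilt at all.
# Prints the DMK_1 cipher and returns 0 only when it is a PBE cipher.
dmk_is_pbe() {
    cipher=$(grep 'DMK_1 cipher' | sed 's/.*: *//')
    echo "$cipher"
    case "$cipher" in
        *_PBE) return 0 ;;
        *)     return 1 ;;
    esac
}

# Print Enabled or Disabled from "epolicy view autostart" output.
autostart_state() {
    sed -n 's/^Autostart: *//p'
}

# The HSM token is located through SOFTHSM2_CONF; refuse to touch the
# keystore unless it is set and points to a readable file.
hsm_conf_ok() {
    [ -n "${SOFTHSM2_CONF:-}" ] && [ -r "$SOFTHSM2_CONF" ]
}

# Timestamped copy of the keystore file (the page asks for a backup after
# reconstruct and again after autostart is re-enabled).
backup_keystore() {
    [ -f "$1" ] || return 1
    cp -p "$1" "$1.$(date +%Y%m%d%H%M%S).bak"
}

# $1 is "autostart" (database starts unattended) or "manual" (administrator
# passphrase and HSM PIN supplied at start time); $2 is the database name.
view_keystore() {
    if [ "$1" = manual ]; then
        proutil "$2" -c epolicy view keystore -Passphrase -Pin < adminhsmpin.txt 2>&1
    else
        proutil "$2" -c epolicy view keystore 2>&1
    fi
}

reconstruct_keystore() {
    mode=$1; db=$2; ks=$3
    hsm_conf_ok || { echo "SOFTHSM2_CONF unset or unreadable" >&2; return 2; }
    out=$(view_keystore "$mode" "$db")
    case "$(echo "$out" | keystore_state)" in
        ok)
            if cipher=$(echo "$out" | dmk_is_pbe); then
                echo "keystore intact; DMK cipher $cipher is PBE, reconstruction possible if lost"
            else
                echo "keystore intact; DMK cipher $cipher is not PBE, reconstruction not possible"
            fi
            return 0 ;;
        unknown) echo "unexpected view keystore output, not reconstructing" >&2; return 3 ;;
    esac
    # Interactive: prompts for the PBE passphrase, the administrator
    # passphrase and, in manual mode, the HSM PIN.
    if [ "$mode" = manual ]; then
        proutil "$db" -c epolicy manage keystore reconstruct -Pin || return 4
    else
        proutil "$db" -c epolicy manage keystore reconstruct || return 4
    fi
    backup_keystore "$ks"
    if [ "$mode" = autostart ]; then
        # reconstruct switches autostart off; turn it back on, then back up again
        proutil "$db" -c epolicy manage keystore autostart admin -Passphrase < adminphrase.txt || return 5
        backup_keystore "$ks"
        [ "$(proutil "$db" -c epolicy view autostart | autostart_state)" = Enabled ] || return 6
    fi
    # Do not restart the database until the keystore loads cleanly again.
    [ "$(view_keystore "$mode" "$db" | keystore_state)" = ok ] || return 7
    echo "keystore reconstructed and verified; database may be restarted"
}

# Usage: sh keystore_check.sh autostart|manual <db> <keystore-file>
if [ $# -eq 3 ]; then reconstruct_keystore "$1" "$2" "$3"; fi
```

The parsing functions only look for the strings shown in the page's own output, so an unexpected message (a different error code, a partially written keystore) falls into the "unknown" branch and stops the script rather than running reconstruct against a keystore that is merely unreadable for some other reason.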