After enabling encryption on your database, the keystore must be authenticated every time you open it.

If you enable autostart, the authentication is done automatically. If autostart is not enabled, every utility, server, or client that opens the database must manually authenticate the keystore by supplying a passphrase.

ABL clients specify a passphrase for keystore authentication by adding the -KeyStorePassPhrase argument, followed by the passphrase to the CONNECT statement, as shown:

-KeyStorePassPhrase passphrase

If the database is configured with HSM authentication, a second authentication step is needed. ABL clients must also supply the -KeyStorePin argument, as shown: 

-KeyStorePin pin

The ABL application must prompt for the PIN before executing the CONNECT statement, because the PIN is not allowed on the CONNECT statement, on the command line, or in a .pf file. The client may require the passphrase, PIN, or both. For example, the prompt for both passphrase and PIN appears as follows:

Database utilities, servers, and self-service clients indicate that they require a prompt for keystore authentication by adding one or more parameters to the command line. You may prompt for the passphrase, as follows: 

-Passphrase

You will be prompted for the passphrase, but keystrokes do not echo to the window.

If your database has HSM authentication configured, you may also prompt for the PIN, as follows: 

-Pin

You will be prompted for the PIN, but there is no echoing of keystrokes to the window.

If access to the keystore cannot be successfully authenticated, the database cannot be opened.