SQL1109N Database manager fails to load gsk8ssl_64.dll SQLSTATE=42724 for a DB2 DSN

0

I have created a DB2 (Db2 for Z/OS) DSN in my Windows machine(Windows Server 2016, 64 bit OS) and I am trying to connect to it using SSL mechanism by providing the SSL certificate as SSLServerCertificate=\path\name.arm and Security=SSL parameters in the connection string.

I am getting below error:

SQL1109N The command was not processed because the database manager failed to load gsk8ssl_64.dll SQLSTATE = 42724.

db2diag.log:

2020-07-10-16.59.47.758000+000 I1F1065              LEVEL: Event
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, RAS/PD component, pdLogInternal, probe:120
START   : New Diagnostic Log file
DATA #1 : Build Level, 240 bytes
Instance "" uses "64" bits and DB2 code release "SQL11054"
with level identifier "0605010F".
Informational tokens are "DB2 v11.5.4000.1449", "s2006161200", "DYN2006161200WIN64", Fix Pack "0".
DATA #2 : System Info, 1760 bytes
System: WIN32_NT t-b252c140c5170  10.0 AMD64 Family 6, model 79, stepping 1
CPU: total:4 online:4 Cores per socket:4 Threading degree per core:1 SIMD:Y CPU Features:SSE2,SSE3,SSSE3,SSE4,AVX2
CPU binding: not in use
Physical Memory(MB): total:14336 free:10165 available:10165
Virtual  Memory(MB): total:16512 free:12341
Swap     Memory(MB): total:2176 free:2176
Information in this record is only valid at the time when this file was
created (see this record's time stamp)

2020-07-10-16.59.48.289000+000 I1069F625            LEVEL: Error
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, common communication, sqlccCreateDefaultKeyDB, probe:275
MESSAGE : ZRC=0x00000002=2
          SQL0002N  The bind file name is not valid.

          DIA8002C A deadlock has occurred, rolling back transaction.
DATA #1 : <preformatted>
GSKKM_StoreCACert: GSKit Error = 2,
KeyDB = ,
EncPassLen = 32, PwdLen = 1024, DefaultKeyDBUsed = 1,
ServerCert = C:\PPATrustStore\db2cert.arm.

2020-07-10-16.59.48.289000+000 I1696F434            LEVEL: Error
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, common communication, sqlccMapSSLErrorToDB2Error, probe:275
MESSAGE : DIA3604E The SSL function "GSKKM_StoreCACert" failed with the return 
          code "2" in "sqlccCreateDefaultKeyDB".

2020-07-10-16.59.48.289000+000 I2132F553            LEVEL: Error
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, common communication, sqlccLoadSSLLibrary, probe:310
RETCODE : ZRC=0x0000005B=91
          SQL0091W  Precompilation or binding was ended with "" errors and "" 
          warnings.

          DIA8102C Conversion table not loaded. Source code page "", Target 
          code page "", method "", handle "".

2020-07-10-16.59.48.289000+000 I2687F553            LEVEL: Error
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, common communication, sqlccLoadSSLLibrary, probe:310
RETCODE : ZRC=0x0000005B=91
          SQL0091W  Precompilation or binding was ended with "" errors and "" 
          warnings.

          DIA8102C Conversion table not loaded. Source code page "", Target 
          code page "", method "", handle "".

2020-07-10-16.59.48.289000+000 I3242F355            LEVEL: Error
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, common communication, sqlccLoadSSLLibrary, probe:998
MESSAGE : DIA3603E SSL was not setup. Return code = "91".

2020-07-10-16.59.48.305000+000 I3599F527            LEVEL: Severe
PID     : 6636                 TID : 7736           PROC : db2cli.exe
INSTANCE:                      NODE : 000
HOSTNAME: t-b252c140c5170
EDUID   : 7736
FUNCTION: DB2 UDB, DRDA Communication Manager, sqljcCommConnect, probe:10
MESSAGE : ZRC=0x8636000A=-2043281398=SQLZ_RC_FNEX, SQLT_SQLJC
          "File Does Not Exist"
          DIA8411C A file "" could not be found.
DATA #1 : String, 11 bytes
CCI Error: 
DATA #2 : unsigned integer, 8 bytes
91
sql
ssl
db2
odbc
dsn
asked on Stack Overflow Jul 10, 2020 by Siddhant • edited Jul 13, 2020 by Siddhant

1 Answer

0

A stock Windows-server standard 2016 image will not include the Microsoft Visual C++ redistributable packages by default.

The part of the IBM clidriver used by odbcad32.exe for the test Connect has a dependency on these redistributables, and when these packages are not installed then the error message from odbcad32 (failing to load module gsk8ssl_64.dll, or similar) may not show the real cause of the error.

Currently there appears to be a dependency on Microsoft Visual C++ 2012 DLLs.

This happens despite the fact that the relevant DLLs (msvc*.dll) are present by default in the clidriver tree (depending on the clidriver version), but Windows is not searching in those directories ( for example with clidriver v11.5.4.0 under clidriver\msg\en_US\amd64.VC12.CRT for the 64-bit version. Other versions might have different paths or different contents). MS-Windows may need these DLLs to be present in its own system32 and Syswow64 directories.

It seems that the clidriver could have better dependency checking and better error messages.

You can download the relevant packages from microsoft.com (example, vcredist_x64.exe and vcredist.x64.exe), or ensure that the DLLs in clidriver\msg\en_US\amd64.VC12.CRT (depending on clidriver version) are on the system PATH.

One requirement is Db2 must be installed on a drive with short names enabled or a directory with no spaces such as E:\DB2\SQLLIB, which is documented here.

Apart from that, you may have other dependencies specifically because you aim to use the clidriver for certificate authentication to Db2-for-Z/OS.

Access from CLI to Db2-for-Z/OS is not free with IBM-supplied drivers, so a relevant license on the client side may be necessary unless your database is configured by db2connectactivate.

If you need more than one certificate file for a single connection, then you need to install GSK8 and then create and populate the keystore and stash. GSK8 is available from IBM fix central for users with correct entitlement.

GSK8 is not necessary for single certificate use-cases, such as when using TLS with SSLServerCertificate .

As you are connecting to Db2-for-Z/OS, the company will have an IBM support contract, enabling you to get the relevant software and accurate configuration details which the documentation might not yet cover in sufficient detail.

answered on Stack Overflow Jul 14, 2020 by mao • edited Jul 16, 2020 by mao

User contributions licensed under CC BY-SA 3.0