Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated

When the Cloud Pak for Data self-signed certificate is updated, you must also update the Db2® SSL certificate.

About this task

Follow this procedure for Cloud Pak for Data 4.0.5 and later. For previous releases, see Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated.

Procedure

  1. Check whether the Cloud Pak for Data self-signed certificate was automatically updated by following these steps:
    1. Run the following command:
      oc get secret internal-tls -o yaml
    2. In the output from the command, copy the tls.crt value.
    3. Run the following command, substituting the tls.crt value that you copied for the placeholder:
      echo "<tls.crt value>" | base64 -d > tlscert.pem
    4. Open the certificate to view its contents:
      openssl x509 -in tlscert.pem -text
    5. Check the expiration date of tlscert.pem. If the expiration date is old, you must delete the internal-tls secret, wait for the Db2U pod to restart, and then proceed to Step 2.
  2. Run the following command to launch the certificate update tool in the Db2U engine pod:
    oc exec -it db2u-engine-pod -- /db2u/scripts/db2_rotate_ssl_certs.sh
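
The checks in Step 1 can be scripted so that the expiry decision does not depend on reading the certificate dump by eye. The following is an added example, not part of the IBM procedure or tooling: the function names and the 30-day warning window are assumptions, and it assumes `oc` is logged in with the current project set to the one that holds the internal-tls secret.

```shell
#!/bin/sh
# Added example, not IBM's tooling. Assumes `oc` is logged in and the current
# project holds the internal-tls secret, as in the commands on this page.

# Decode the base64 tls.crt value ($1) from the secret into a PEM file ($2).
decode_tls_crt() {
    printf '%s' "$1" | base64 -d > "$2"
}

# Classify the certificate in file $1. $2 is a warning window in seconds
# (assumed default: 30 days). Prints one of:
#   unreadable | expired | expiring | valid
cert_status() {
    window=${2:-2592000}
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable      # not a parseable X.509 certificate
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired         # notAfter is already in the past
    elif ! openssl x509 -in "$1" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring        # still valid, but expires inside the window
    else
        echo valid
    fi
}

# Steps 1.1 to 1.5 in one call: fetch, decode, show the dates, classify.
check_internal_tls() {
    pem=${1:-tlscert.pem}
    b64=$(oc get secret internal-tls -o jsonpath='{.data.tls\.crt}') || return 2
    decode_tls_crt "$b64" "$pem" || return 2
    openssl x509 -in "$pem" -noout -subject -startdate -enddate
    cert_status "$pem" "${2:-}"
}

# Run against the cluster only when asked to: sh check.sh --check
if [ "${1:-}" = "--check" ]; then
    check_internal_tls
fi
```

A result of expired means the secret was not renewed and the delete-and-restart path in Step 1.5 applies; the script deliberately does not delete the secret itself.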