Refreshing the SSL certificate used by Data Virtualization after the Cloud Pak for Data self-signed certificate is updated

When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Data Virtualization must be refreshed to maintain connectivity to the service.

About this task

By default, the Cloud Pak for Data self-signed certificate is updated once every 60 days, and the certificate is set to expire 90 days from the issue date. You must rotate the SSL certificate that is used by Data Virtualization to establish TLS encryption of client JDBC connections.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a cluster administrator.
    oc login OpenShift_URL:port
  2. Change to the project where Data Virtualization pods are installed.
    oc project project-name
  3. Log in to the Data Virtualization head pod.
    oc rsh c-db2u-dv-db2u-0 bash
  4. Switch to the Data Virtualization database instance owner db2inst1.
    su - db2inst1
  5. Run the following commands to verify that the Data Virtualization certificate has expired.
    cd /mnt/blumeta0/db2/ssl_keystore
    gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert | grep "Not After"

    Confirm that the Not After date is not in the past. This test indicates whether the Data Virtualization certificate has expired.

  6. Stop the Data Virtualization instance and run the ipclean process.
    db2 force application all && db2 deactivate db BIGSQL && bigsql stop && rah 'ipclean -a'
  7. Optional: If you are on Cloud Pak for Data 4.0.2, run the following steps.
    1. Edit the /db2u/scripts/include/db2_ssl_functions.sh file with sudo vi.
    2. In the rotate_ssl_certs() function, change the line is_rootca_changed && return 0 to is_rootca_changed.
      Before
      rotate_ssl_certs()
      {
          is_rootca_changed && return 0
      ・・・・
      After
      rotate_ssl_certs()
      {
          is_rootca_changed
      ・・・・
    3. Save and quit.
  8. Reconfigure Data Virtualization to pick up the changes to the Cloud Pak for Data certificate by running the following command.
    source /db2u/scripts/include/db2_ssl_functions.sh && rotate_ssl_certs
  9. Start the Data Virtualization instance.
    bigsql start
  10. Reactivate the database.
    db2 activate db BIGSQL
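
The expiry check in step 5 can be scripted instead of reading the date by eye. The following is an added example, not part of the IBM procedure or IBM-supplied code: it classifies a "Not After" line as EXPIRED, EXPIRING, or VALID. Assumptions: the function names not_after_epoch and cert_status are hypothetical, the text after "Not After :" is a date that GNU date -d can parse, and the sample line is constructed rather than real tool output.

```shell
#!/usr/bin/env bash
# Added example, not IBM-supplied code. Classifies the "Not After" line from step 5.
# Assumption: the text after "Not After :" is a date that GNU `date -d` can parse.

# not_after_epoch LINE -> expiry time as seconds since the epoch (UTC)
not_after_epoch() {
    local when
    when="${1#*Not After}"    # drop everything up to and including the label
    when="${when#*:}"         # drop the separator that follows the label
    date -u -d "$when" +%s
}

# cert_status LINE [NOW_EPOCH] [WARN_DAYS] -> EXPIRED | EXPIRING | VALID | UNKNOWN
cert_status() {
    local line now warn_days expiry
    line="$1"
    now="${2:-$(date +%s)}"
    warn_days="${3:-30}"      # 90-day lifetime minus the 60-day update interval
    case "$line" in
        *"Not After"*) ;;
        *) echo "UNKNOWN"; return 2 ;;   # not the line we were asked to check
    esac
    expiry="$(not_after_epoch "$line" 2>/dev/null)" || { echo "UNKNOWN"; return 2; }
    if [ "$expiry" -le "$now" ]; then
        echo "EXPIRED"; return 1
    elif [ "$expiry" -le $(( now + warn_days * 86400 )) ]; then
        echo "EXPIRING"
    else
        echo "VALID"
    fi
}

# Constructed sample line, not real tool output. On the head pod, pass the
# output of the step 5 command instead:
#   cert_status "$(gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed \
#       -label CN=zen-ca-cert | grep "Not After")"
sample='Not After : March 1, 2022 7:14:25 PM GMT'
cert_status "$sample" 1646179200 || true    # now = 2022-03-02 00:00:00 UTC; prints EXPIRED
```

The function returns 1 for EXPIRED and 2 for UNKNOWN, so it can gate a scheduled check that alerts before client JDBC connections start failing TLS validation.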