When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Data Virtualization must be refreshed to maintain connectivity to the service.
About this task
By default, the Cloud Pak for Data self-signed certificate is updated once every 395 days, and the certificate is set to expire 425 days from the issue date. You must rotate the SSL certificate that is used by Data Virtualization to establish TLS encryption of client JDBC connections.
Procedure
- Log in to Red Hat® OpenShift® Container Platform as a cluster administrator.
- Change to the project where Data Virtualization pods are installed.
oc project ${PROJECT_CPD_INSTANCE}
- Log in to the Data Virtualization head pod.
oc rsh c-db2u-dv-db2u-0 bash
- Switch to the Data Virtualization database instance owner db2inst1.
- Run the following commands to verify that the Data Virtualization certificate has expired.
cd /mnt/blumeta0/db2/ssl_keystore
gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert | grep "Not After"
Check the notAfter date in the output. A notAfter date that is in the past indicates that the Data Virtualization certificate has expired.
- Stop the Data Virtualization instance and run the ipclean process.
db2 force application all && db2 deactivate db BIGSQL && bigsql stop && rah 'ipclean -a'
- Reconfigure Data Virtualization to pick up the changes to the Cloud Pak for Data certificate by running the following command.
source /db2u/scripts/include/db2_ssl_functions.sh && rotate_ssl_certs
- Start the Data Virtualization instance.
- Reactivate the database.
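
The expiry check in the procedure can be scripted. The following is an added example, not part of the original procedure or IBM code: it classifies a certificate from its notAfter date and goes beyond the plain expired test by using the default 395-day update and 425-day lifetime stated above to flag the point at which Cloud Pak for Data is expected to have updated its certificate already. It assumes the defaults are in effect, that the update interval counts from the issue date, and that the date is supplied in the OpenSSL `notAfter=` form; the function names and the sample value are hypothetical.

```python
import ssl
from datetime import datetime, timedelta, timezone

# Defaults stated on this page.
UPDATE_INTERVAL = timedelta(days=395)  # Cloud Pak for Data updates its certificate
VALIDITY = timedelta(days=425)         # certificate lifetime from the issue date


def parse_not_after(line):
    """Parse an OpenSSL-style line such as 'notAfter=Dec  4 15:04:25 2025 GMT'."""
    value = line.split("=", 1)[-1].strip()
    seconds = ssl.cert_time_to_seconds(value)  # raises ValueError on a bad format
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def rotation_state(not_after, now):
    """Return (state, whole_days_to_expiry, expected_update_date).

    state is one of:
      'current'     - before the expected automatic update
      'refresh-due' - past the expected update, so the Data Virtualization
                      copy should be refreshed with rotate_ssl_certs
      'expired'     - notAfter is in the past
    """
    issued = not_after - VALIDITY              # assumption: default lifetime
    expected_update = issued + UPDATE_INTERVAL
    days_left = (not_after - now).days         # negative once expired
    if now >= not_after:
        state = "expired"
    elif now >= expected_update:
        state = "refresh-due"
    else:
        state = "current"
    return state, days_left, expected_update


if __name__ == "__main__":
    # Constructed sample value, not taken from a real keystore.
    sample = "notAfter=Dec  4 15:04:25 2025 GMT"
    not_after = parse_not_after(sample)
    state, days_left, update = rotation_state(not_after, datetime.now(timezone.utc))
    print(f"state={state} days_to_expiry={days_left} expected_update={update:%Y-%m-%d}")
```

With the defaults, the expected update falls 30 days before notAfter, so a `refresh-due` result gives earlier notice than waiting for the certificate to show as expired.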