Renewing the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated

When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Watson Knowledge Catalog must be refreshed to maintain connectivity to the service.

Before you begin

When the SSL certificate has expired, wdp-policy-service, wkc-workflow-service, wdp-business-glossary, and wdp-lineage-service all fail with the following Db2 error (logged as a JSON record, quoted here as the message and exception fields):
    [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection's underlying socket, socket input stream, nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001","thread":"Default Executor-thread-22",
    "exception":"\ncom.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection's underlying socket, socket input stream, nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
The two Db2u instances used by Watson Knowledge Catalog (WKC) are:
    c-db2oltp-wkc-db2u-0
    c-db2oltp-iis-db2u-0 (not present if `install_wkc_core_only: True` was used for the installation)

About this task

On Cloud Pak for Data 4.0.8 and later, the certificate expires after one year. On Cloud Pak for Data 4.0.7 and earlier, it expires after three months, so you must renew it every three months.

Follow these steps to renew the SSL certificate.

Procedure

  1. Verify the expiry date of the Db2 certificate by running the following within the Db2u containers:
    oc exec c-db2oltp-wkc-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
    oc exec c-db2oltp-iis-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
  2. Renew the Db2 certificates by running:
    oc exec -it c-db2oltp-wkc-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
    oc exec -it c-db2oltp-iis-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
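The two steps above can be combined into a check that reads the certificate's Not After date from the step 1 output, reports how many days remain, and runs the step 2 rotation only when the certificate is close to expiry. The script below is an added example written for this page; it is not an IBM script and it is not part of the product. It assumes a logged-in oc CLI, GNU date (for date -d), and that gsk8capicmd_64 prints the expiry as a "Not After : <Month> <day>, <year> <time> <tz>" line. The sample details text, the THRESHOLD_DAYS value and the INSTALL_WKC_CORE_ONLY variable are constructed for the example.

```shell
#!/bin/sh
# Added example, not an IBM script: report the days remaining on the
# zen-ca-cert in each WKC Db2u pod and rotate it when it is close to expiry.
# Assumes the oc CLI is logged in to the cluster, GNU date (date -d), and the
# gsk8capicmd_64 "Not After : <Month> <day>, <year> <time> <tz>" line layout.

THRESHOLD_DAYS=${THRESHOLD_DAYS:-30}   # hypothetical knob: rotate when fewer days remain

# The Db2u pods named in the procedure. The iis pod does not exist when the
# install used install_wkc_core_only: True; INSTALL_WKC_CORE_ONLY is a
# hypothetical environment variable used here to reflect that.
pods_to_check() {
    case "$1" in
        [Tt]rue) printf '%s\n' "c-db2oltp-wkc-db2u-0" ;;
        *)       printf '%s\n' "c-db2oltp-wkc-db2u-0 c-db2oltp-iis-db2u-0" ;;
    esac
}

# Step 1 of the procedure, run against one pod.
cert_details() {
    oc exec "$1" -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
}

# Step 2 of the procedure, run against one pod (interactive, as on the page).
rotate_cert() {
    oc exec -it "$1" -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
}

# days_left DETAILS NOW_EPOCH: whole days from NOW_EPOCH until the
# certificate's "Not After" date (negative once expired). Fails when no
# "Not After" line is present, so a missing label is not mistaken for "valid".
days_left() {
    not_after=$(printf '%s\n' "$1" | sed -n 's/^Not After *: *//p' \
        | sed 's/ [0-9][0-9]*:[0-9][0-9]:[0-9][0-9].*$//')
    [ -n "$not_after" ] || return 1
    exp=$(date -u -d "$not_after" +%s 2>/dev/null) || return 1
    echo $(( (exp - $2) / 86400 ))
}

# needs_rotation DAYS_LEFT THRESHOLD: true when the certificate should be rotated.
needs_rotation() {
    [ "$1" -lt "$2" ]
}

# Constructed sample of gsk8capicmd_64 -cert -details output, used only to
# exercise the parser offline; real values come from cert_details.
SAMPLE_DETAILS='Label : CN=zen-ca-cert
Key Size : 2048
Version : X509 V3
Issuer : CN=zen-ca-cert
Subject : CN=zen-ca-cert
Not Before : December 8, 2021 2:33:56 PM GMT+00:00
Not After : December 8, 2022 2:33:55 PM GMT+00:00'

main() {
    now=$(date -u +%s)
    for pod in $(pods_to_check "${INSTALL_WKC_CORE_ONLY:-false}"); do
        details=$(cert_details "$pod")
        if ! left=$(days_left "$details" "$now"); then
            echo "$pod: could not read the zen-ca-cert expiry; inspect the step 1 output" >&2
            continue
        fi
        if needs_rotation "$left" "$THRESHOLD_DAYS"; then
            echo "$pod: zen-ca-cert expires in $left day(s), rotating"
            rotate_cert "$pod"
        else
            echo "$pod: zen-ca-cert valid for another $left day(s)"
        fi
    done
}

# Only reach the cluster when oc is available; the functions above can be
# sourced and exercised against SAMPLE_DETAILS without it.
if command -v oc >/dev/null 2>&1; then
    main "$@"
fi
```

Run it from a terminal that is already logged in with oc (the rotation command uses -it, as in step 2, so it expects a TTY). Set INSTALL_WKC_CORE_ONLY=True for a core-only install so the script does not try to reach the absent iis pod, and lower THRESHOLD_DAYS on 4.0.7 and earlier, where the three-month lifetime leaves less slack.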