Preserving old certificate files during upgrade

If you are upgrading IAS from a version older than 1.0.23.2 to 1.0.23.2 or newer, or Db2 Warehouse from a version older than 11.5.4.0-CN2 to 11.5.4.0-CN2 or newer, and you want to retain your self-generated certificate instead of letting the upgrade create a new one, you must point the upgraded container at the old certificate files by using the SSL environment variables. The following procedure extracts the private key and certificates from the keystore, saves them in a location that the upgrade does not overwrite, and passes their locations to the upgraded container.

Procedure

  1. Before you start the upgrade procedure, extract the SSL certificate and its private key from /mnt/blumeta0/db2/ssl_keystore/.
    Run the following commands inside the container:
    1. gsk8capicmd_64 -cert -export -db /mnt/blumeta0/db2/ssl_keystore/bludb_ssl.kdb -stashed -label 'CA-signed' -target /mnt/blumeta0/db2/ssl_keystore/db2_ssl.p12

      When you are prompted for a password to encrypt the exported file, use one that has at least 4 characters. The password has no other restrictions. Because db2_ssl.p12 contains the private key, keep this password private; the openssl commands in the next two steps prompt for it again.

    2. openssl pkcs12 -in /mnt/blumeta0/db2/ssl_keystore/db2_ssl.p12 -info -nocerts -nodes > /mnt/blumeta0/db2/ssl_keystore/db2_ssl.key

      Because of the -nodes option, db2_ssl.key holds the private key unencrypted. Keep the file readable only by the instance owner wherever you store or copy it.

    3. openssl pkcs12 -in /mnt/blumeta0/db2/ssl_keystore/db2_ssl.p12 -info -nokeys > /mnt/blumeta0/db2/ssl_keystore/db2_ssl.pem
  2. Back up the key and certificate files that were generated in step 1, together with the CA certificate rootCA.pem, to a location that persists across the upgrade.
    • For IAS:
      Example:
      cp /mnt/blumeta0/db2/ssl_keystore/rootCA.pem /scratch
      cp /mnt/blumeta0/db2/ssl_keystore/db2_ssl.pem /mnt/blumeta0/db2/ssl_keystore/db2_ssl.key /scratch
    • For Db2 Warehouse:
      cp /mnt/blumeta0/db2/ssl_keystore/rootCA.pem /mnt/bludata0/scratch/
      cp /mnt/blumeta0/db2/ssl_keystore/db2_ssl.pem /mnt/blumeta0/db2/ssl_keystore/db2_ssl.key /mnt/bludata0/scratch/
  3. For IAS, edit the dashdb.env file and set the SSL environment variables to the location of the certificate files that you preserved in step 2.
    Note: If you are on Db2 Warehouse, skip this step and go to step 4.
    The location of the dashdb.env file is /opt/ibm/appliance/storage/head/dashdb.env.
    SSL_CERT_KEY_FILE=/scratch/db2_ssl.key
    SSL_CERT_FILE=/scratch/db2_ssl.pem
    SSL_CERT_CA_FILE=/scratch/rootCA.pem

  4. For Db2 Warehouse:
    While you are upgrading the container or containers, you must specify the SSL environment variables in the docker run or podman run command that is described in step 8 in Updating an IBM Db2 Warehouse MPP deployment on Linux.
    docker run -d -it --privileged=true --net=host --name=dashDB \
      -e SSL_CERT_CA_FILE=/mnt/bludata0/scratch/rootCA.pem \
      -e SSL_CERT_FILE=/mnt/bludata0/scratch/db2_ssl.pem \
      -e SSL_CERT_KEY_FILE=/mnt/bludata0/scratch/db2_ssl.key \
      -v /mnt/clusterfs:/mnt/bludata0 -v /mnt/clusterfs:/mnt/blumeta0 \
      icr.io/obs/hdm/db2wh_ee:v11.5.5.0-db2wh-linux
    podman run -d -it --privileged=true --net=host --name=dashDB \
      -e SSL_CERT_CA_FILE=/mnt/bludata0/scratch/rootCA.pem \
      -e SSL_CERT_FILE=/mnt/bludata0/scratch/db2_ssl.pem \
      -e SSL_CERT_KEY_FILE=/mnt/bludata0/scratch/db2_ssl.key \
      -v /mnt/clusterfs:/mnt/bludata0 -v /mnt/clusterfs:/mnt/blumeta0 \
      icr.io/obs/hdm/db2wh_ee:v11.5.5.0-db2wh-linux
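The following script is an added example and is not part of this page or of the Db2 Warehouse or IAS product. It rehearses the openssl extraction of steps 1.2 and 1.3 offline and then runs the checks that are worth doing before the SSL environment variables are pointed at the preserved files: that db2_ssl.key is readable only by its owner, that the key matches the certificate in db2_ssl.pem, and that the certificate chains to rootCA.pem. Because gsk8capicmd_64 exists only inside the Db2 container, the script builds db2_ssl.p12 with openssl from a throwaway root CA and server certificate that it generates itself; that input, the directory names and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the IBM page: rehearse the extraction in steps
# 1.2 and 1.3 offline and verify the files before the upgrade relies on them.
# Assumptions (not from the page): a throwaway root CA and CA-signed server
# certificate generated here as constructed input, and a PKCS#12 built with
# openssl as a stand-in for the gsk8capicmd_64 export, which only exists
# inside the Db2 container.

# make_test_p12 DIR PASSWORD: constructed input. Creates rootCA.pem, a server
# certificate signed by it, and db2_ssl.p12 holding the server key and
# certificate under the label 'CA-signed', as step 1.1 would produce.
make_test_p12() {
    dir=$1; pw=$2
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Example Root CA" \
        -keyout "$dir/rootCA.key" -out "$dir/rootCA.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=db2.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/rootCA.pem" \
        -CAkey "$dir/rootCA.key" -CAcreateserial -days 2 -sha256 \
        -out "$dir/server.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -name "CA-signed" -inkey "$dir/server.key" \
        -in "$dir/server.pem" -passout "pass:$pw" \
        -out "$dir/db2_ssl.p12" 2>/dev/null
}

# extract_from_p12 DIR PASSWORD: the page's steps 1.2 and 1.3, with the
# password passed non-interactively and the unencrypted key (-nodes)
# created under umask 077 so it is never world-readable, even briefly.
extract_from_p12() {
    dir=$1; pw=$2
    ( umask 077; openssl pkcs12 -in "$dir/db2_ssl.p12" -passin "pass:$pw" \
        -nocerts -nodes > "$dir/db2_ssl.key" 2>/dev/null ) || return 1
    openssl pkcs12 -in "$dir/db2_ssl.p12" -passin "pass:$pw" -nokeys \
        > "$dir/db2_ssl.pem" 2>/dev/null
}

# verify_extracted DIR: the checks to run before pointing SSL_CERT_* at the
# files: key file mode is 0600, key matches the certificate, and the
# certificate chains to rootCA.pem. Returns 0 if all pass, 1 otherwise.
verify_extracted() {
    dir=$1
    mode=$(stat -c %a "$dir/db2_ssl.key" 2>/dev/null || stat -f %Lp "$dir/db2_ssl.key")
    [ "$mode" = "600" ] || { echo "db2_ssl.key mode is $mode, want 600" >&2; return 1; }
    key_pub=$(openssl pkey -in "$dir/db2_ssl.key" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$dir/db2_ssl.pem" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ] ||
        { echo "db2_ssl.key does not match db2_ssl.pem" >&2; return 1; }
    # openssl x509 re-emits only the certificate, dropping the Bag Attributes
    # preamble that openssl pkcs12 writes in front of it.
    openssl x509 -in "$dir/db2_ssl.pem" 2>/dev/null |
        openssl verify -CAfile "$dir/rootCA.pem" >/dev/null 2>&1 ||
        { echo "db2_ssl.pem does not chain to rootCA.pem" >&2; return 1; }
}

# rehearse_cert_preservation [PASSWORD]: run the three stages in a temporary
# directory. Returns 0 on success, 1 on a failed step or check, 2 if openssl
# is not installed. The password must be at least 4 characters (step 1.1).
rehearse_cert_preservation() {
    command -v openssl >/dev/null 2>&1 || return 2
    pw=${1:-rehearsal-pass}
    work=$(mktemp -d) || return 1
    rc=1
    if make_test_p12 "$work" "$pw" && extract_from_p12 "$work" "$pw" &&
        verify_extracted "$work"; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}

if rehearse_cert_preservation; then
    echo "certificate preservation rehearsal: OK"
else
    echo "certificate preservation rehearsal failed (status $?)" >&2
fi
```

To check real files rather than the constructed ones, run verify_extracted against the directory that holds the preserved db2_ssl.key, db2_ssl.pem and rootCA.pem (/scratch on IAS, /mnt/bludata0/scratch on Db2 Warehouse) before you edit dashdb.env or start the upgraded container; a mode or mismatch failure at that point is far cheaper to fix than a container that refuses TLS connections after the upgrade.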