Configuring post-installation DB2 secure access
After you install the TADDM server, you can configure secure DB2 access.
You must complete the following steps for each server in the
installation that has access to the database. Those servers are
the domain server, primary storage server, secondary storage server,
and enterprise server.
- Stop the TADDM server.
- Configure your DB2 instance to work in secure mode. For detailed instructions, see the section Configuring Secure Sockets Layer (SSL) support for a DB2 instance in the DB2 documentation at http://www-01.ibm.com/support/knowledgecenter/SSEPGG_10.1.0/com.ibm.db2.luw.admin.sec.doc/doc/t0025241.html.
- If the database access data that was provided during the
installation is not valid, correct it in the collation.properties file:
  - com.collation.db.url: a JDBC URL for the primary database.
  - com.collation.db.user: a user name that is used to access the primary database.
  - com.collation.db.password: a password that is used to access the primary database.
  - com.collation.db.archive.url: a JDBC URL for the archive database. It is usually the same as for the primary database.
  - com.collation.db.archive.user: a user name that is used to access the archive database.
  - com.collation.db.archive.password: a password that is used to access the archive database.
- Import the DB2 certificate as a trusted certificate.
  - Run the following command:
    keytool -import -file db2certificate.arm -keystore taddm_db2.truststore
    where:
    - db2certificate.arm is the DB2 instance SSL certificate. You might need to provide the full path.
    - taddm_db2.truststore is the truststore file in which the certificate is stored.
    When keytool creates the truststore file, it prompts you for a truststore password. You need this password again when you set the truststore password in the collation.properties file in a later step.
  - Copy the taddm_db2.truststore file
into the $COLLATION_HOME/dist/etc directory.
Note: The keytool program is available in the TADDM installation directory $COLLATION_HOME/dist/external/jdk-Linux-x86_64/bin. The jdk directory name varies depending on the operating system and architecture.
- Configure the secure DB connection in the collation.properties file:
  - Set the DB connection to secure mode for both the primary
and archive databases by adding the following properties to the collation.properties file:
    com.ibm.cdb.db.connection.ssl.enable=true
    com.ibm.cdb.db.archive.connection.ssl.enable=true
  - Set the truststore file location for the DB connection
for both the primary and archive databases by adding the following properties
to the collation.properties file:
    com.ibm.cdb.db.connection.ssl.truststore.file=taddm_db2.truststore
    com.ibm.cdb.db.archive.connection.ssl.truststore.file=taddm_db2.truststore
    Note: The file name is the same as in the $COLLATION_HOME/dist/etc directory.
  - Set the password for the truststore file for both the primary
and archive databases by adding the following properties to the collation.properties file:
    com.ibm.cdb.db.connection.ssl.truststore.password=password
    com.ibm.cdb.db.archive.connection.ssl.truststore.password=password
- Run either the encryptprops.sh script (Linux and UNIX) or the encryptprops.bat script (Windows). The script is in the $COLLATION_HOME/bin directory. It encrypts the passwords in the collation.properties file so that the truststore password is not stored in clear text.
- Restart the TADDM server.
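As an added check (example code written for this page, not part of TADDM or the DB2 documentation), the following Python reads a collation.properties file and verifies that the secure-connection properties from the steps above are set consistently for both the primary and the archive database. The sample properties fragment, the host name in it, and the etc_dir parameter that stands for $COLLATION_HOME/dist/etc are constructed assumptions.

```python
import re
from pathlib import Path
# Constructed sample collation.properties fragment (not from a real TADDM install):
# archive SSL was left disabled and its truststore properties were omitted.
SAMPLE_PROPERTIES = """\
# DB access data
com.collation.db.url=jdbc:db2://dbhost.example.com:50001/cmdb
com.collation.db.user=db2inst1
com.ibm.cdb.db.connection.ssl.enable=true
com.ibm.cdb.db.archive.connection.ssl.enable=false
com.ibm.cdb.db.connection.ssl.truststore.file=taddm_db2.truststore
com.ibm.cdb.db.connection.ssl.truststore.password=changeit
"""
SCOPES = ("db.connection", "db.archive.connection")  # primary and archive database

def parse_properties(text):
    """Minimal Java .properties reader: '#'/'!' comments, '=' or ':' separators,
    backslash continuations; last duplicate key wins, as in java.util.Properties."""
    props, logical = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not logical and (not line or line[0] in "#!"):
            continue  # blank line or comment
        if line.endswith("\\"):
            logical += line[:-1]  # value continues on the next line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical + line)
        if m:
            props[m.group(1)] = m.group(2)
        logical = ""
    return props

def check_db2_ssl(props, etc_dir=None):
    """Return findings (empty list = consistent). etc_dir, if given, is the
    $COLLATION_HOME/dist/etc directory that must hold the truststore (assumed)."""
    findings = []
    for scope in SCOPES:
        base = f"com.ibm.cdb.{scope}.ssl"
        if props.get(f"{base}.enable") != "true":
            findings.append(f"{base}.enable must be 'true'")
        for suffix in ("truststore.file", "truststore.password"):
            if not props.get(f"{base}.{suffix}"):
                findings.append(f"{base}.{suffix} is not set")
    stores = {props.get(f"com.ibm.cdb.{s}.ssl.truststore.file") for s in SCOPES}
    if len(stores) > 1:
        findings.append("primary and archive truststore file names differ")
    for store in stores if etc_dir is not None else ():
        if store and not (Path(etc_dir) / store).is_file():
            findings.append(f"{store} not found in {etc_dir}")
    return findings
```

Run it against the real file with `check_db2_ssl(parse_properties(open(path).read()), etc_dir)` before restarting the server; an empty result means the four SSL properties are present for both databases and point at a truststore that exists.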