IBM Support

Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated

Troubleshooting


Problem

When the Cloud Pak for Data self-signed certificate is updated, the Db2 SSL certificate also must be updated.

Diagnosing The Problem

To verify whether the certificate used by the db2u pod has expired, complete the following steps:
1. Exec into the pod by running the following command: oc rsh <db2upod> bash
2. As the db2inst1 user, verify the location of the key database (kdb) file used by the Db2 instance:
db2 get dbm cfg|grep SSL_SVR
 SSL server keydb file                   (SSL_SVR_KEYDB) = /mnt/blumeta0/db2/ssl_keystore/bludb_ssl.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /mnt/blumeta0/db2/ssl_keystore/bludb_ssl.sth
 SSL server certificate label            (SSL_SVR_LABEL) = CN=zen-ca-cert
3. Use the gsk8capicmd_64 utility to verify the certificate expiry date, as shown in the following example:
gsk8capicmd_64 -cert -details -file /mnt/blumeta0/db2/ssl_keystore/bludb_ssl.kdb -stashed -label CN=zen-ca-cert
Label : CN=zen-ca-cert
Key Size : 2048
Version : X509 V3
Serial : 6457d474e7552ee59a6fde9c6e0a2a15
Issuer : CN=zen-ca-certificate
Subject : CN=internal-tls-certificate
Not Before : July 28, 2022 7:20:55 AM GMT+00:00
Not After : October 26, 2022 7:20:55 AM GMT+00:00
Note: You can check whether the Cloud Pak for Data self-signed certificate was automatically rotated by following these steps:
1. Run the following command:
oc get secret internal-tls -o yaml
2. In the output from the command, copy the tls.crt value.
3. Run the following command: echo "copied_value" | base64 -d > tlscert.pem
4. View the certificate:
openssl x509 -in tlscert.pem -text
5. Check the expiration date of tlscert.pem.
If the expiry date is old, you must delete the internal-tls secret, wait for the Db2U pod to restart, and then follow the procedure outlined below.
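As an added check (not part of the IBM article or the db2u scripts), the following Python parses the "Not After" line from both the gsk8capicmd_64 output shown above and the openssl x509 -text output of the decoded internal-tls secret, and maps the two expiry dates onto the decisions in this section. The sample outputs are constructed from the article's values, and treating a keystore expiry that differs from the secret's expiry as "Db2 has not picked up the rotated certificate" is an assumption.

```python
import re
from datetime import datetime, timezone

# Constructed sample: gsk8capicmd_64 -cert -details output for the Db2 keystore label.
GSK_DETAILS = """\
Label : CN=zen-ca-cert
Serial : 6457d474e7552ee59a6fde9c6e0a2a15
Not Before : July 28, 2022 7:20:55 AM GMT+00:00
Not After : October 26, 2022 7:20:55 AM GMT+00:00
"""

# Constructed sample: openssl x509 -text output of a freshly rotated internal-tls
# certificate (dates are made up; they are not from the article).
OPENSSL_TEXT = """\
        Validity
            Not Before: Oct 20 07:20:55 2022 GMT
            Not After : Jan 18 07:20:55 2023 GMT
"""

_NOT_AFTER = re.compile(r"^\s*Not After\s*:\s*(.+?)\s*$", re.MULTILINE)
_FORMATS = (
    "%B %d, %Y %I:%M:%S %p GMT+00:00",  # gsk8capicmd_64 style
    "%b %d %H:%M:%S %Y GMT",            # openssl x509 -text style
)


def parse_not_after(text: str) -> datetime:
    """Return the 'Not After' timestamp (UTC) from either tool's output."""
    match = _NOT_AFTER.search(text)
    if not match:
        raise ValueError("no 'Not After' line found")
    raw = match.group(1)
    for fmt in _FORMATS:
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date: {raw!r}")


def recommend(keystore_text: str, secret_text: str, now: datetime) -> str:
    """Map the Db2 keystore and internal-tls expiry dates onto the article's actions."""
    keystore_expiry = parse_not_after(keystore_text)
    secret_expiry = parse_not_after(secret_text)
    if secret_expiry <= now:
        # CPD certificate was not rotated: delete internal-tls, wait for db2u restart, then rotate.
        return "delete-secret"
    if keystore_expiry <= now or keystore_expiry != secret_expiry:
        # Assumption: a differing expiry means Db2 still serves the old certificate.
        return "rotate"
    return "ok"
```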

Resolving The Problem

This procedure is for Cloud Pak for Data 4.0.4 and earlier. For 4.0.5 and later, see Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated.

The steps to update the certificate differ depending on whether you have a Db2-as-a-Service with restricted-like SCC deployment or a Db2 / Db2 Warehouse deployment. You can tell which one you have by checking whether an etcd db2u pod exists: if the pod exists, it is a Db2 / Db2 Warehouse deployment; otherwise, it is a Db2-as-a-Service with restricted-like SCC deployment. For either configuration, you must first edit the db2_ssl_functions.sh script file that is installed with the Db2 service:
1. Open the /db2u/scripts/include/db2_ssl_functions.sh file in edit mode.
2. In the function rotate_ssl_certs(), change the line is_rootca_changed && return 0 to is_rootca_changed.

Steps for Db2-as-a-Service with restricted-like SCC deployment (such as Watson Knowledge Catalog)
1. Exec into the pod: oc rsh <DB2UPOD> bash -l
2. Pause the liveness probe: touch /db2u/tmp/.pause_probe
3. Deactivate the database, stop Db2, and perform an ipclean process:
db2 force application all && db2 deactivate db dbName && db2stop force && rah 'ipclean -a'
If your deployment has multiple databases, you must deactivate each database.
4. Reconfigure the Db2 SSL certificate to pick up the changes to the Cloud Pak for Data certificate:
source /db2u/scripts/include/db2_ssl_functions.sh && rotate_ssl_certs
5. Start Db2 and activate each database:
db2start && db2 activate db dbName
6. Unpause the liveness probe: rm -f /db2u/tmp/.pause_probe

Steps for Db2 / Db2 Warehouse deployment
1. Exec into the pod: oc rsh <DB2UPOD> bash -l
2. As the default user db2uadm, disable the Wolverine high-availability monitoring process:
wvcli system disable
3. Change user to db2inst1: su - db2inst1 -s /bin/bash
4. Deactivate the database, stop Db2, and perform an ipclean process:
db2 force application all && db2 deactivate db dbName && db2stop force && rah 'ipclean -a'
If your deployment has multiple databases, you must deactivate each database.
5. Reconfigure the Db2 SSL certificate to pick up the changes to the Cloud Pak for Data certificate:
source /db2u/scripts/include/db2_ssl_functions.sh && rotate_ssl_certs
6. Start Db2 and activate each database:
db2start && db2 activate db dbName
7. As the default user db2uadm, re-enable Wolverine:
wvcli system enable

Document Location

Worldwide


Document Information

Modified date:
13 August 2022

UID

ibm16501339