Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated

Important: IBM Cloud Pak® for Data Version 4.7 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.

Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.7 reaches end of support. For more information, see Upgrading IBM Software Hub in the IBM Software Hub Version 5.1 documentation.

When the Cloud Pak for Data self-signed certificate is updated, you must also update the Db2 SSL certificate.

About this task

Attention: Starting with Cloud Pak for Data 4.6.0, the Db2 SSL certificate is automatically rotated. You are no longer required to do this task.

Follow this procedure for Cloud Pak for Data 4.0.5 and later. For previous releases, see Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated.

Procedure

  1. Check whether the Cloud Pak for Data self-signed certificate was automatically updated by following these steps:
    1. Run the following command:
      oc get secret internal-tls -o yaml
    2. In the output from the command, copy the tls.crt value.
    3. Run the following command, replacing tls.crt with the value that you copied:
      echo tls.crt | base64 -d > tlscert.pem
    4. Open the certificate to view its contents:
      openssl x509 -in tlscert.pem -text
    5. Check the expiration date of tlscert.pem. If the expiration date is old, you must delete the internal-tls secret, wait for the Db2U pod to restart, and then proceed to Step 2.
  2. Run the following command to launch the certificate update tool in the Db2U engine pod:
    oc exec -it db2u-engine-pod -- bash -l /db2u/scripts/db2_rotate_ssl_certs.sh
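
The following is an added example, not part of the IBM procedure or IBM tooling: a scripted form of the check in step 1 that reads tls.crt with a jsonpath query instead of copying it by hand, then reports whether the certificate is expired or close to expiry. The function names and the 30-day warning window are assumptions.

```shell
# Added example, not IBM tooling. Assumed names: decode_tls_crt, cert_status,
# check_internal_tls. The 30-day default warning window is also an assumption.

# Decode the base64 tls.crt value (as stored in the secret) to PEM on stdout.
decode_tls_crt() {
    printf '%s' "$1" | base64 -d
}

# cert_status PEM_FILE [WINDOW_SECONDS]
# Prints one of: invalid, expired, expiring (within the window), valid.
cert_status() (
    pem=$1
    window=${2:-2592000}    # 30 days
    # Reject anything that does not parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo invalid; exit 2; }
    if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -in "$pem" -noout -checkend "$window" >/dev/null 2>&1; then
        echo expiring
    else
        echo valid
    fi
)

# Live check against the cluster. Extra arguments (for example -n <namespace>)
# are passed through to oc.
check_internal_tls() (
    # jsonpath returns tls.crt directly, replacing the manual copy from the YAML.
    b64=$(oc get secret internal-tls "$@" -o jsonpath='{.data.tls\.crt}') || exit 1
    [ -n "$b64" ] || { echo "internal-tls has no tls.crt value" >&2; exit 1; }
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    decode_tls_crt "$b64" > "$tmp"
    openssl x509 -in "$tmp" -noout -subject -enddate   # human-readable notAfter
    cert_status "$tmp"
)
```

Call check_internal_tls from a session that is already logged in with oc. A result of expired corresponds to the case in step 1.5 where the internal-tls secret must be deleted before you continue to step 2.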