Communication security for DB2 HADR

When a DB2 database is used with the High Availability and Disaster Recovery (HADR) feature enabled, DB2 uses a set of ports whose traffic is not encrypted with SSL/TLS. The administrator must provide appropriate network-layer security for this traffic, for example by placing it on a private network, a virtual private network (VPN), or a VLAN.

The DB2 High Availability and Disaster Recovery feature provides a highly available DB2 database in a high availability environment. HADR uses one additional port per database to keep the databases synchronized between the database servers. DB2 does not support encrypted communication on these ports, even when DB2 is configured to provide encrypted connections for database client applications.

Configuring the network interface used by DB2 HADR

DB2 HADR communication uses the network interface that is identified by the openstack.endpoints.db.bind_interface environment attribute. The controller node management interface is used by default.

If you are deploying a prescribed configuration using the knife os manage deploy cloud command, the network is configured by adding openstack.endpoints.db.bind_interface to the override_attributes section of the environment information section of the cloud YAML file. See the following example for reference:
environment:
  base: example-ibm-os-ha-controller-n-compute
  default_attributes:
    # (Optional) Add Default Environment Attributes

  override_attributes:
    # (Optional) Add Override Environment Attributes
    ntp.servers: [0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org, 3.pool.ntp.org]
    openstack.endpoints.db.bind_interface: eth2

If you are performing an advanced deployment using the knife os manage deploy topology command, the network is identified by the openstack.endpoints.db.bind_interface attribute in the default_attributes section of your cloud environment file.

Configuring the DB2 HADR port assignments

The DB2 HADR port assignments can be changed by setting the following attributes in the default_attributes section of your cloud environment file:

Table 1. DB2 HADR port attributes and their default values

Attribute                                                Default value
ibm-openstack.ha.db2-hadr.services.compute.port          25010
ibm-openstack.ha.db2-hadr.services.dashboard.port        25011
ibm-openstack.ha.db2-hadr.services.identity.port         25012
ibm-openstack.ha.db2-hadr.services.image.port            25013
ibm-openstack.ha.db2-hadr.services.network.port          25014
ibm-openstack.ha.db2-hadr.services.telemetry.port        25015
ibm-openstack.ha.db2-hadr.services.block-storage.port    25016
ibm-openstack.ha.db2-hadr.services.orchestration.port    25017
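Because the HADR ports carry unencrypted replication traffic, a practical control is to confirm which interface and ports the environment file actually selects and then restrict those ports on each database server to the HADR peer on that interface. The following Python script is an added example and is not part of the product or its documentation: it reads the bind interface and any port overrides from the cloud environment YAML (a constructed sample is embedded), merges them with the defaults from Table 1, flags duplicate or out-of-range ports, and prints host-firewall rules. The peer address 192.0.2.11, the fallback interface name, and the minimal parser (which only understands the flat key: value attribute lines shown on this page) are assumptions.

```python
"""Derive DB2 HADR ports and bind interface from a cloud environment YAML
and emit iptables rules restricting those ports to the HADR peer.

Added example; not part of IBM Cloud Manager with OpenStack. The sample
YAML, the peer address and the fallback interface are constructed."""

# Default HADR port per service, as listed in Table 1.
DEFAULT_HADR_PORTS = {
    "compute": 25010, "dashboard": 25011, "identity": 25012, "image": 25013,
    "network": 25014, "telemetry": 25015, "block-storage": 25016,
    "orchestration": 25017,
}
HADR_PREFIX = "ibm-openstack.ha.db2-hadr.services."
BIND_ATTR = "openstack.endpoints.db.bind_interface"

# Constructed sample: one port override in default_attributes and the
# bind interface set in override_attributes, as the page describes.
SAMPLE_ENVIRONMENT = """\
environment:
  base: example-ibm-os-ha-controller-n-compute
  default_attributes:
    ibm-openstack.ha.db2-hadr.services.identity.port: 26012
  override_attributes:
    ntp.servers: [0.pool.ntp.org, 1.pool.ntp.org]
    openstack.endpoints.db.bind_interface: eth2
"""


def parse_attributes(yaml_text):
    """Collect flat 'key: value' lines (4-space indent) under
    default_attributes and override_attributes; override wins.
    Minimal parser (assumption): comments and blank lines are skipped,
    nested structures are not handled."""
    sections = {"default_attributes": {}, "override_attributes": {}}
    current = None
    for raw in yaml_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line[:-1] in sections and line.endswith(":"):
            current = line[:-1]
            continue
        if current and raw.startswith("    ") and ":" in line:
            key, _, value = line.partition(":")
            sections[current][key.strip()] = value.strip()
        else:
            current = None  # left the attribute section
    return {**sections["default_attributes"], **sections["override_attributes"]}


def hadr_ports(attrs):
    """Merge Table 1 defaults with any *.port overrides found in attrs."""
    ports = dict(DEFAULT_HADR_PORTS)
    for key, value in attrs.items():
        if key.startswith(HADR_PREFIX) and key.endswith(".port"):
            service = key[len(HADR_PREFIX):-len(".port")]
            ports[service] = int(value)
    return ports


def validate_ports(ports):
    """Return problems found: duplicate ports or ports outside 1024-65535."""
    problems, seen = [], {}
    for service, port in ports.items():
        if not 1024 <= port <= 65535:
            problems.append(f"{service}: port {port} out of range")
        if port in seen:
            problems.append(f"{service}: port {port} already used by {seen[port]}")
        seen.setdefault(port, service)
    return problems


def firewall_rules(iface, peer_ip, ports):
    """Accept HADR traffic only from the peer on the HADR interface and
    drop the same ports arriving from anywhere else (any interface)."""
    rules = []
    for service, port in sorted(ports.items(), key=lambda kv: kv[1]):
        rules.append(f"iptables -A INPUT -i {iface} -p tcp --dport {port} "
                     f"-s {peer_ip} -m comment --comment 'HADR {service}' -j ACCEPT")
    for port in sorted(ports.values()):
        rules.append(f"iptables -A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    attrs = parse_attributes(SAMPLE_ENVIRONMENT)
    ports = hadr_ports(attrs)
    for problem in validate_ports(ports):
        print("WARNING:", problem)
    # Fallback interface name is an assumption; the page says the management
    # interface is used when the attribute is absent.
    for rule in firewall_rules(attrs.get(BIND_ATTR, "eth0"), "192.0.2.11", ports):
        print(rule)
```

The DROP rules are appended after the ACCEPT rules so that traffic from the peer on the HADR interface is matched first; run the script against the real environment file, review the warnings, and apply the printed rules on both database servers (swapping in the other server's address as the peer).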