Updating the Db2 password secrets

The Db2 administration accounts on your IBM® Cloud Pak for Data cluster are protected by password secrets. When Db2 Warehouse is deployed, these password secrets are generated automatically and stored securely; Db2 Warehouse uses the accounts to carry out administrative tasks on the database. If you need to change the passwords to comply with specific password regulations, or if your security situation changes, you can use this procedure to update the password secrets at any time.

About this task

These commands update the passwords for both the Db2 instance user account and the Db2 admin account, which is kept in the local Db2 LDAP service. The change must be run on the master node and requires the kubectl command. You need a user account with sufficient authority to run the kubectl patch and kubectl delete commands in the namespace where your Db2 Warehouse instance is running.

Procedure

  1. Run the following kubectl command to get the database instance identifier:
    kubectl get pods -n NAMESPACE | grep db2wh

    Replace NAMESPACE with the namespace where your database instance is running on the cluster. The command returns a string that contains the instance identifier number:

    c-db2wh-1605722434029496-db2u-0

    In this example, the instance identifier of the database is 1605722434029496.

  2. Run the following kubectl command to update the password in the secret object:
    kubectl patch -n NAMESPACE $(kubectl get secret -n NAMESPACE -o name | grep "INSTANCE_ID-instancepassword") \
    -p "{\"data\":{\"password\": \"$(echo -n INSTANCE_NEW_PASSWORD | base64)\"}}"

    The -n option of echo matters: without it, the trailing newline that echo adds is encoded into the secret, and the stored password no longer matches the one you intended.

    Replace NAMESPACE with the namespace where your Db2 instance is running and INSTANCE_ID with the numerical identifier that was returned from the previous step. Replace INSTANCE_NEW_PASSWORD with the new password for the Db2 instance.

  3. Run the following command against any running Db2 engine pod (for example, c-db2wh-1605722434029496-db2u-0). Replace DBTYPE with the database type that appears in the pod name (db2wh in the example) and INSTANCE_ID with the identifier from step 1. The script is passed on standard input, so use -i without -t: requesting a TTY while stdin is a here-document is not possible.
    oc exec -i c-DBTYPE-INSTANCE_ID-db2u-0 -- sudo python <<EOF
    import json

    # Load the engine's cached user registry.
    with open("/mnt/blumeta0/db2_config/users.json", 'r') as fd:
        parsed = json.load(fd)

    # Drop the cached db2inst1 entry so the engine re-registers the
    # instance user with the new password when the pods restart.
    if 'db2inst1' in parsed['users']:
        del parsed['users']['db2inst1']

    # Write the registry back in place.
    with open("/mnt/blumeta0/db2_config/users.json", 'w') as fd:
        json.dump(parsed, fd, indent=2)
    EOF
  4. Restart the affected cluster pods.

    In the following commands, replace NAMESPACE with the namespace where your Db2 instance is running and INSTANCE_ID with the numerical identifier that was returned from the earlier command.

    • Restart the Db2 database pods:
      kubectl delete -n NAMESPACE $(kubectl get po -n NAMESPACE -o name | grep -E "INSTANCE_ID-db2u-[0-9]")
      
    • Restart the Db2 tools pod:
      kubectl delete -n NAMESPACE $(kubectl get po -n NAMESPACE -o name | grep "INSTANCE_ID-db2u-tools")
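The procedure above, wrapped in POSIX shell functions as an added example; this is not IBM's own tooling. It assumes kubectl is on the PATH and that pod names follow the c-DBTYPE-INSTANCE_ID-db2u-N pattern shown in step 1; the pod name and password used in the offline demonstration are constructed. Keeping the encoding and the instance-id parsing in small functions lets you check them without a cluster, and the driver reads the patched value back from the secret and stops before restarting any pod if it does not decode to the intended password, which catches the trailing-newline mistake described in step 2.

```shell
#!/bin/sh
# Added example, not IBM's own script: the rotation procedure wrapped in
# POSIX shell functions so each step can be checked before it is run
# against a cluster. Assumes kubectl is on PATH and pod names follow the
# c-DBTYPE-INSTANCE_ID-db2u-N pattern shown in the procedure.
set -eu

nl='
'

# Extract the numeric instance identifier from a Db2u pod name such as
# c-db2wh-1605722434029496-db2u-0 (prints nothing if the name does not match).
extract_instance_id() {
    printf '%s\n' "$1" | sed -nE 's/^c-[a-z0-9]+-([0-9]+)-db2u-.*$/\1/p'
}

# Encode a password for the secret's data field. printf '%s' writes no
# trailing newline; a plain `echo` would, and base64-encoding that newline
# stores "password\n", which never matches the password typed at login.
encode_password() {
    printf '%s' "$1" | base64 | tr -d '\n'
}

# Build the JSON merge patch for the <INSTANCE_ID>-instancepassword secret.
build_secret_patch() {
    printf '{"data":{"password":"%s"}}' "$(encode_password "$1")"
}

# Compare a base64 value read back from the secret with the intended
# password. Returns 0 on match, 1 otherwise, and names the trailing-newline
# case explicitly because it is the usual cause of a mismatch.
check_stored_password() {
    # Command substitution strips trailing newlines, so append a sentinel
    # character and remove it afterwards to keep the decoded value exact.
    stored=$(printf '%s' "$1" | base64 -d && printf 'X')
    stored=${stored%X}
    if [ "$stored" = "$2" ]; then
        return 0
    elif [ "$stored" = "$2$nl" ]; then
        echo "stored password ends in a newline: encode with printf or echo -n" >&2
        return 1
    fi
    echo "stored password does not match the intended value" >&2
    return 1
}

# Apply steps 1 to 4 for one instance. kubectl is used only here, so the
# helper functions above can be exercised offline.
rotate_instance_password() {
    ns=$1
    new_password=$2
    pod=$(kubectl get pods -n "$ns" -o name | sed 's#^pod/##' | grep -- '-db2u-0$' | head -n1)
    instance_id=$(extract_instance_id "$pod")
    if [ -z "$instance_id" ]; then
        echo "no Db2u engine pod found in namespace $ns" >&2
        return 1
    fi
    secret=$(kubectl get secret -n "$ns" -o name | grep -- "${instance_id}-instancepassword")
    kubectl patch -n "$ns" "$secret" -p "$(build_secret_patch "$new_password")"
    # Read the value back and stop before restarting anything if it is wrong.
    check_stored_password "$(kubectl get -n "$ns" "$secret" -o jsonpath='{.data.password}')" "$new_password"
    # Drop the cached db2inst1 entry so the engine re-registers the user with
    # the new password on restart (the same edit as step 3 of the procedure).
    kubectl exec -i -n "$ns" "$pod" -- sudo python - <<'EOF'
import json
path = "/mnt/blumeta0/db2_config/users.json"
with open(path) as fd:
    parsed = json.load(fd)
parsed['users'].pop('db2inst1', None)
with open(path, 'w') as fd:
    json.dump(parsed, fd, indent=2)
EOF
    # Restart the engine pods and the tools pod so they pick up the new secret.
    kubectl delete -n "$ns" $(kubectl get po -n "$ns" -o name | grep -E -- "${instance_id}-db2u-[0-9]")
    kubectl delete -n "$ns" $(kubectl get po -n "$ns" -o name | grep -- "${instance_id}-db2u-tools")
}

if [ "$#" -ge 2 ]; then
    rotate_instance_password "$1" "$2"
else
    # Offline demonstration with a constructed pod name; no cluster needed.
    example_pod='c-db2wh-1605722434029496-db2u-0'
    echo "instance id: $(extract_instance_id "$example_pod")"
    echo "patch: $(build_secret_patch 'newpass')"
fi
```

Run it as `sh rotate-db2-password.sh NAMESPACE 'NewPassw0rd'` to apply the change; with no arguments it only prints the parsed instance id and the patch body for the constructed example, which is a convenient way to confirm the encoding on a workstation before touching the cluster.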