Manually rotating the SSL certificate used by Db2 Big SQL

When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Db2® Big SQL is automatically rotated to maintain connectivity to the service. However, you can rotate the certificate manually.

About this task

By default, the Cloud Pak for Data self-signed certificate is updated automatically. You can manually rotate the SSL certificate that is used by Db2 Big SQL to establish TLS encryption of the client JDBC connections.

Procedure

  1. Log in to Red Hat® OpenShift® Container Platform as a user with sufficient permissions to complete the task:
    oc login ${OCP_URL}
  2. Change to the project where the Cloud Pak for Data control plane is installed:
    oc project ${PROJECT_CPD_INSTANCE}
    Note: This command uses an environment variable so that you can run the command exactly as written. For information about sourcing environment variables, see Setting up installation environment variables.
  3. Identify the Db2 Big SQL instance ID:
    oc get cm -l component=db2bigsql -o custom-columns="Instance Id:{.data.instance_id},Instance Name:{.data.instance_name},Created:{.metadata.creationTimestamp}"
  4. Regenerate the Db2 Big SQL certificate by deleting its secret. Replace <instance-id> with the instance ID that you identified in the previous step:
    oc delete secret bigsql-<instance-id>-internal-tls
    The certificate manager generates a new certificate and re-creates the secret for that certificate. Wait 1 minute for the secret mount to be updated in the pods.
  5. Log in to the Db2 Big SQL head pod:
    oc rsh c-bigsql-<instance-id>-db2u-0 bash
  6. Switch to the Db2 Big SQL database instance owner db2inst1:
    su - db2inst1
  7. Connect to the database:
    db2 connect to bigsql
  8. Run the following procedure to pick up the changes to the Db2 Big SQL certificate:
    db2 "CALL ROTATECERT()"
  9. Confirm that the command completes with the following response:
    Return Status = 0
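
The following script is an added example, not part of the original procedure or of IBM's tooling. It performs step 4 but confirms that the secret was actually re-created (its UID changes) before waiting for the mount, and it includes a check for the step 9 response. The function names, the BIGSQL_INSTANCE_ID variable, and the 120-second timeout are assumptions made for the example.

```shell
#!/bin/sh
# Added example: confirm that the secret deleted in step 4 was really re-created.
# BIGSQL_INSTANCE_ID (assumed variable name) holds the ID found in step 3.

secret_uid() {
    # Print the UID of secret $1, or nothing if it does not exist yet.
    oc get secret "$1" -o jsonpath='{.metadata.uid}' 2>/dev/null || true
}

wait_for_new_secret() {
    # $1 = secret name, $2 = UID before deletion,
    # $3 = timeout in seconds, $4 = poll interval in seconds (default 5).
    name=$1 old_uid=$2 timeout=$3 interval=${4:-5}
    elapsed=0
    while [ "$elapsed" -le "$timeout" ]; do
        new_uid=$(secret_uid "$name")
        if [ -n "$new_uid" ] && [ "$new_uid" != "$old_uid" ]; then
            printf '%s\n' "$new_uid"
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

rotatecert_succeeded() {
    # $1 = captured output of: db2 "CALL ROTATECERT()" (steps 8 and 9)
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*Return Status = 0[[:space:]]*$'
}

rotate_secret() {
    secret="bigsql-$1-internal-tls"
    old_uid=$(secret_uid "$secret")
    [ -n "$old_uid" ] || { echo "secret $secret not found" >&2; return 1; }
    oc delete secret "$secret" || return 1
    new_uid=$(wait_for_new_secret "$secret" "$old_uid" 120) || {
        echo "secret $secret was not re-created within 120s" >&2; return 1; }
    echo "secret re-created: $old_uid -> $new_uid"
    sleep 60   # step 4: allow the secret mount in the pods to update
}

if [ -n "${BIGSQL_INSTANCE_ID:-}" ]; then
    rotate_secret "$BIGSQL_INSTANCE_ID"
fi
```

Run it after steps 1 to 3, then continue with step 5. If the secret does not reappear, stop and investigate the certificate manager before running ROTATECERT.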