Manually rotating the SSL certificate used by Watson Query

When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Watson Query is automatically rotated to maintain connectivity to the service. However, you can also rotate the certificate manually.

About this task

By default, the Cloud Pak for Data self-signed certificate is updated automatically. You can manually rotate the SSL certificate that is used by Watson Query to establish TLS encryption of client JDBC connections.

Procedure

To rotate the SSL certificate used by Watson Query, follow these steps.

  1. Log in to Red Hat® OpenShift® Container Platform as a cluster administrator.
    oc login ${OCP_URL}
  2. Change to the project where Watson Query pods are installed.
    oc project ${PROJECT_CPD_INSTANCE}
  3. Run the following command to delete the dv-internal-tls secret so that it is regenerated.
    oc delete secret dv-internal-tls -n ${PROJECT_CPD_INSTANCE}

    The certificate manager generates a new certificate and re-creates the secret for that certificate. Wait 1 minute for the secret mount to be updated in the pods.

  4. Log in to the Watson Query head pod.
    oc rsh c-db2u-dv-db2u-0 bash
  5. Switch to the Watson Query database instance owner db2inst1.
    su - db2inst1
  6. Run the following command to connect to the database.
    db2 connect to bigsql
  7. Run the following stored procedure to pick up the changes to the Watson Query certificate.
    db2 "CALL ROTATECERT()"

    Confirm that the command completes with the following response.

    Return Status = 0
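
Steps 3 and 7 can be checked from a script rather than by eye. The following is an added example, not part of IBM's documentation or tooling: it polls until the dv-internal-tls secret exists again with a different metadata.uid, and tests the ROTATECERT output for the expected status line. The function names, attempt count and polling interval are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's script). Defines functions only; nothing runs on load.
SECRET=dv-internal-tls   # secret name from step 3

# Print the UID of the secret in namespace $1; non-zero exit if it is absent.
secret_uid() {
    oc get secret "$SECRET" -n "$1" -o jsonpath='{.metadata.uid}' 2>/dev/null
}

# wait_for_new_secret NAMESPACE OLD_UID [ATTEMPTS] [INTERVAL_SECONDS]
# Succeeds, printing the new UID, once the secret exists again with a UID
# different from OLD_UID. A re-created object always gets a fresh UID, so
# this tells "re-created" apart from "the delete has not taken effect yet".
wait_for_new_secret() {
    ns=$1; old_uid=$2; attempts=${3:-24}; interval=${4:-5}
    i=0
    while [ "$i" -lt "$attempts" ]; do
        uid=$(secret_uid "$ns") || uid=
        if [ -n "$uid" ] && [ "$uid" != "$old_uid" ]; then
            printf '%s\n' "$uid"
            return 0
        fi
        i=$((i + 1))
        sleep "$interval"
    done
    return 1
}

# Read the output of  db2 "CALL ROTATECERT()"  on stdin and succeed only if
# it contains the "Return Status = 0" line that step 7 expects.
rotatecert_ok() {
    grep -Eq '^[[:space:]]*Return Status = 0[[:space:]]*$'
}

# Typical use around steps 3 and 7 (hypothetical wrapper):
#   old=$(secret_uid "$PROJECT_CPD_INSTANCE")
#   oc delete secret dv-internal-tls -n "$PROJECT_CPD_INSTANCE"
#   wait_for_new_secret "$PROJECT_CPD_INSTANCE" "$old" || exit 1
#   sleep 60   # the 1-minute wait for the secret mount to update in the pods
#   ... steps 4 to 6 inside the head pod, then:
#   db2 "CALL ROTATECERT()" | rotatecert_ok || echo "rotation not confirmed" >&2
```

The UID check confirms only that the secret was re-created; the 1-minute wait for the mount to update in the pods still applies before step 7.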