Renewing the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated (Watson Knowledge Catalog)
When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Watson Knowledge Catalog must be refreshed to maintain connectivity to the service.
Before you begin
When the SSL certificates expire, the wdp-policy-service, wkc-workflow-service, wdp-business-glossary, and wdp-lineage-service services all fail with the following Db2 error:
“[jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection’s underlying socket, socket input stream, \nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001",“thread”:“Default Executor-thread-22",“exception”:“\ncom.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection’s underlying socket, socket input stream, \nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
The two instances of Db2u used by WKC are:
c-db2oltp-wkc-db2u-0
c-db2oltp-iis-db2u-0 (this is omitted if `install_wkc_core_only: True` is used)
About this task
Follow these steps to renew the SSL certificate.
Procedure
- Verify the expiry date of the Db2 certificate by running the following within the Db2u containers:
  oc exec c-db2oltp-wkc-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
  oc exec c-db2oltp-iis-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
- Renew the Db2 certificates by running:
  oc exec -it c-db2oltp-wkc-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
  oc exec -it c-db2oltp-iis-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
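The verification step of this procedure can be scripted so that an expiring certificate is noticed before the services start failing. The following is an added example, not IBM's code or part of the original page; the function names, the 30-day warning threshold, and the `Not After :` date layout shown in the constructed sample are assumptions.

```shell
#!/usr/bin/env bash
# Added example: report how long the Db2 keystore certificate in each Db2u pod has left.
# Pod names, keystore path and label are the ones given on this page.
PODS="c-db2oltp-wkc-db2u-0 c-db2oltp-iis-db2u-0"
DETAILS='cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert'

# Constructed sample of the assumed "-cert -details" output (not captured from a real system).
SAMPLE=' Label : CN=zen-ca-cert
 Not Before : March 17, 2021 8:23:11 PM GMT+00:00
 Not After : March 17, 2031 8:23:11 PM GMT+00:00'

# Read details output on stdin and print the expiry as epoch seconds.
# The zone suffix is dropped and the time read as UTC, so the result can be
# off by up to a day. Needs GNU date. Returns 1 if no usable line is found.
not_after_epoch() {
  local stamp
  stamp=$(sed -n 's/^[[:space:]]*Not After[[:space:]]*:[[:space:]]*\(.* [AP]M\)\([[:space:]].*\)\{0,1\}$/\1/p' | head -n 1)
  [ -n "$stamp" ] || return 1
  date -u -d "$stamp" +%s
}

# cert_status EXPIRY_EPOCH NOW_EPOCH [WARN_DAYS] -> EXPIRED | EXPIRING <n>d | OK <n>d
cert_status() {
  local expiry="$1" now="$2" warn="${3:-30}" days
  if [ "$expiry" -le "$now" ]; then echo "EXPIRED"; return 0; fi
  days=$(( ($expiry - $now) / 86400 ))
  if [ "$days" -lt "$warn" ]; then echo "EXPIRING ${days}d"; else echo "OK ${days}d"; fi
}

# Check every pod. A missing pod (the iis one when install_wkc_core_only: True
# is used) or unparseable output is reported as UNKNOWN instead of aborting.
check_pods() {
  local pod out epoch
  for pod in $PODS; do
    if ! out=$(oc exec "$pod" -- ksh -lc "$DETAILS" 2>&1); then
      echo "$pod: UNKNOWN (oc exec failed)"; continue
    fi
    if ! epoch=$(printf '%s\n' "$out" | not_after_epoch); then
      echo "$pod: UNKNOWN (no parseable Not After line)"; continue
    fi
    echo "$pod: $(cert_status "$epoch" "$(date +%s)")"
  done
}

# Self-check on the sample, then query the cluster when the oc CLI is available.
echo "sample: $(cert_status "$(printf '%s\n' "$SAMPLE" | not_after_epoch)" "$(date +%s)")"
if command -v oc >/dev/null 2>&1; then check_pods; fi
```

An UNKNOWN result means the raw `-cert -details` output should be read by hand, because the date layout on that system differs from the assumed one.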