Renewing the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated (Watson Knowledge Catalog)

When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by Watson Knowledge Catalog must be refreshed to maintain connectivity to the service.

Before you begin

The symptoms for when the SSL certificates expire are when wdp-policy-service, wkc-workflow-service, wdp-business-glossaory, wdp-lineage-service are all failing with the following Db2 error:
“[jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection’s underlying socket, socket input stream, \
nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001",“thread”:“Default Executor-thread-22",“exception”:“\ncom.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection’s underlying socket, socket input stream, \
nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
The two instances of Db2u used by WKC are:
c-db2oltp-wkc-db2u-0
c-db2oltp-iis-db2u-0 (this is ommited if `install_wkc_core_only: True` is used)

About this task

Follow these steps to renew the SSL certificate.

Procedure

  1. Verify the expiry date of the Db2 certificate by running the following within the Db2u containers:
    oc exec c-db2oltp-wkc-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
    oc exec c-db2oltp-iis-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
  2. Renew the Db2 certificates by running:
    oc exec -it c-db2oltp-wkc-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
    oc exec -it c-db2oltp-iis-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"