Use transport layer security (TLS) to create secure connections from Db2® clients to the integrated Db2
Warehouse
database server deployed on IBM Cloud Pak for Data.
About this task
A Db2
Warehouse deployment on Cloud Pak for Data
contains self-signed TLS support for connections to the Db2
Warehouse database. This task
outlines how to extract the client certificate and enable TLS support for any Db2 client or application that uses IBM® Data Server Drivers.
For a detailed description of TLS and how it works in the context of a Db2 client connection, see TLS configuration of Db2.
Procedure
-
To get the Db2
Warehouse secure sockets layer (SSL) certificate, click
Download SSL Certificate on the Access Information section of the database
details page.
-
Copy that Db2
Warehouse TLS certificate chain over to the system that contains your
Db2 client application. The procedure to
install the TLS certificate depends on the method that the application uses to connect to the Db2
Warehouse database.
-
For non-Java™ clients such as CLI/CLP, ODBC, and .Net, see Configuring TLS support in non-Java
Db2 clients
-
For Java applications that use JDBC or JCC connections, see Configuring the Java Runtime
Environment to use TLS
-
You need to find the TLS NodePort on your cluster that is used by the Db2
Warehouse
database.
OpenShift®oc -n ${PROJECT_CPD_INSTANCE} get svc | grep db2u-engn-svc
On
Kubernetes-based
cluster:
oc -n ${PROJECT_CPD_INSTANCE} get svc | grep db2u-engn-svc
Consider
the following example
output:
mpp2-db2u-engn-svc NodePort 10.0.86.99 <none> 50000:32209/TCP,50001:31050/TCP 20h
-
Configure your database client application to use that NodePort value when it connects to the
database with the installed TLS certificate.
Using the previous example, you would configure your client application to use
10.0.86.99 as the IP address and port 31050 to connect to
the Db2
Warehouse database server that is running on the Cloud Pak for Data cluster.