Use transport layer security (TLS) to create secure connections from Db2® clients to the integrated Db2
database server deployed on IBM Cloud Pak for Data.
About this task
A Db2 deployment on Cloud Pak for Data
contains self-signed TLS support for connections to the Db2 database. This task
outlines how to extract the client certificate and enable TLS support for any Db2
client or application that uses IBM® Data Server Drivers.
For a detailed description of TLS and how it works in the context of a Db2
client connection, see TLS configuration of Db2.
Procedure
- To get the Db2 secure sockets layer (SSL) certificate, click Download SSL Certificate on the Access Information section of the database details page.
- Copy the Db2 TLS certificate chain over to the system that contains your Db2 client application. The procedure to install the TLS certificate depends on the method that the application uses to connect to the Db2 database.
  - For non-Java™ clients such as CLI/CLP, ODBC, and .Net, see Configuring TLS support in non-Java Db2 clients.
  - For Java applications that use JDBC or JCC connections, see Configuring the Java Runtime Environment to use TLS.
- You need to find the TLS NodePort on your cluster that is used by the Db2 database.
  On OpenShift®:
    oc -n ${PROJECT_CPD_INSTANCE} get svc | grep db2u-engn-svc
  On a Kubernetes-based cluster:
    oc -n ${PROJECT_CPD_INSTANCE} get svc | grep db2u-engn-svc
  Consider the following example output:
    mpp2-db2u-engn-svc NodePort 10.0.86.99 <none> 50000:32209/TCP,50001:31050/TCP 20h
- Configure your database client application to use that NodePort value when it connects to the database with the installed TLS certificate.
  Using the previous example, you would configure your client application to use 10.0.86.99 as the IP address and port 31050 to connect to the Db2 database server that is running on the Cloud Pak for Data cluster.
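The following shell sketch is an added example, not part of the IBM procedure: it extracts the TLS NodePort from the service listing and checks the handshake against the downloaded certificate before you configure the client. It assumes that service port 50001 is the TLS port (the example output pairs it with 31050); the function names and the certificate path are hypothetical.

```shell
#!/bin/sh
# Added example. Function names and the certificate path are hypothetical.

# Constructed sample: the example `oc get svc` output line from this page.
SAMPLE_SVC='mpp2-db2u-engn-svc NodePort 10.0.86.99 <none> 50000:32209/TCP,50001:31050/TCP 20h'

# Print the NodePort paired with a service port in `oc get svc` output.
#   $1 = output line(s), $2 = service port (assumption: 50001 is the TLS port,
#        because the example output pairs it with 31050)
# Returns non-zero when the port has no NodePort mapping, so a script stops
# instead of continuing with an empty port.
tls_nodeport() {
    printf '%s\n' "$1" | awk -v want="${2:-50001}" '
        {
            # Column 5, PORT(S), looks like port:nodePort/proto[,port:nodePort/proto]
            n = split($5, maps, ",")
            for (i = 1; i <= n; i++) {
                split(maps[i], kv, "[:/]")
                if (kv[1] == want && kv[2] ~ /^[0-9]+$/) { print kv[2]; found = 1 }
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Handshake with host:port, verifying the server certificate against the
# downloaded certificate chain. -verify_return_error aborts the handshake on a
# verification failure, so a zero exit status means verification succeeded.
#   $1 = host, $2 = NodePort, $3 = path to the downloaded certificate
verify_db2_tls() {
    openssl s_client -connect "$1:$2" -CAfile "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}

# Offline demonstration on the constructed sample.
echo "TLS NodePort: $(tls_nodeport "$SAMPLE_SVC")"

# On a real client (not run here; ./db2_ssl.crt is a placeholder path):
#   port=$(tls_nodeport "$(oc -n "${PROJECT_CPD_INSTANCE}" get svc | grep db2u-engn-svc)") &&
#   verify_db2_tls 10.0.86.99 "$port" ./db2_ssl.crt
```

A non-zero status from `verify_db2_tls` means the certificate on the client does not match what the server presents on that port, which is worth resolving before troubleshooting the Db2 client configuration itself.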