The Db2 administration accounts on your IBM Cloud Pak for Data cluster are protected by password secrets.
During deployment of Db2, these password secrets are automatically generated and
securely stored for these accounts. These accounts are used by Db2 to handle
administrative tasks on the database. If you need to change them to comply with specific password
regulations, or if your security situation changes, you can use this method to update the password
secrets at any point in time.
About this task
These commands update the passwords for both the Db2 instance user account, and the Db2 admin account, which is kept in
the local Db2 LDAP service.
You
need a user account with sufficient authority to run the kubectl patch and
kubectl delete commands in the namespace where your Db2 instance
is running.
Procedure
Note: If you have multiple deployments, use the Details page in the UI to
identify the instance identifier for the instance that you want to update. The Db2uCluster name will
contain the instance identifier.
- Obtain
the name of the db2ucluster and assign it to a variable:
# oc get db2ucluster
Example result:
NAME STATE MAINTENANCESTATE AGE
db2oltp-1657844758916344 Ready None 46d
Assign the Db2uCluster name to a
variable:
DB2UCLUSTER_ID=db2oltp-1657844758916344
-
Complete the following steps to update the password in the secret object.
- Assign the new password to a variable:
NEW_PASSWORD="my_new_password"
- Run the following kubectl command to update the password in the
secret object:
kubectl patch -n ${PROJECT_CPD_INSTANCE} $(kubectl get secret c-${DB2UCLUSTER_ID}-instancepassword -oname) -p $"{\"data\":{\"password\": \"$(echo -n ${NEW_PASSWORD} | base64)\"}}"
Attention: If the
Db2 instance is either the primary or principal standby in an HADR configuration, the
Governor configuration file must also be updated with the new password.
- Exec into the Db2 pod and switch to the database instance
owner.
su - db2inst1
- Change the password in the
/mnt/blumeta0/home/db2inst1/governor/db2.yml
Governor configuration file.
db2:
...
authentication:
username: db2inst1
password: XCouid9KSLi1TYC # Change this to the new password
-
Run the following command on any running Db2 engine pod (for example,
c-db2oltp-1605722434029496-db2u-0
):
oc exec -i c-${DB2UCLUSTER_ID}-db2u-0 -- sudo python <<EOF
import json
with open("/mnt/blumeta0/db2_config/users.json", 'r') as fd:
parsed = json.load(fd)
if 'db2inst1' in parsed['users']:
del parsed['users']['db2inst1']
with open("/mnt/blumeta0/db2_config/users.json", 'w') as fd:
json.dump(parsed, fd, indent=2)
EOF
- Restart the Db2 engine pod:
kubectl delete -n ${PROJECT_CPD_INSTANCE} $(kubectl get po -n ${PROJECT_CPD_INSTANCE} -o name | grep -E "${DB2UCLUSTER_ID}-db2u-[0-9]")
What to do next
If you have any instances of the Db2® Data Management
Console,
additional steps are required to update those database secrets. See Updating the database password secrets managed by for details.