Removing non-SSL ports in Db2
You can edit the Db2 configuration to remove non-SSL ports from your deployment. This prevents unencrypted (non-SSL) connections to the service, so that every client connection must use TLS.
Procedure
- Run the following command to get the database instance identifier:
kubectl get pods --namespace=${PROJECT_CPD_INSTANCE} | grep db2oltp
The command returns a pod name that contains the instance identifier number, similar to the following example:
c-db2oltp-1605722434029496-db2u-0
In this example, the instance identifier of the database is 1605722434029496. Use this value in place of INSTANCE_ID in the following steps.
Run the following patch to disable the non-SSL port:
kubectl patch --namespace=${PROJECT_CPD_INSTANCE} db2ucluster db2oltp-INSTANCE_ID --type=merge --patch '{"spec":{"environment":{"database":{"ssl":{"allowSslOnly": true}}}}}'
- Run the following command to ensure that the corresponding db2uconfig ConfigMap now sets the value of DB2_ALLOW_SSL_ONLY to true:
kubectl get cm --namespace=${PROJECT_CPD_INSTANCE} c-db2oltp-INSTANCE_ID-db2uconfig -o yaml | grep DB2_ALLOW_SSL_ONLY
- Apply the change to the Db2 pod by running the following command:
kubectl exec -it --namespace=${PROJECT_CPD_INSTANCE} c-db2oltp-INSTANCE_ID-db2u-0 -- bash -lc "sudo rm -f /db2u/tmp/os_envar_configmap && apply-db2cfg-settings"
- Ensure that the Db2 instance has enabled only SSL by inspecting the Db2 registry variable DB2COMM:
kubectl exec -it --namespace=${PROJECT_CPD_INSTANCE} c-db2oltp-INSTANCE_ID-db2u-0 -- sh -c "su - db2inst1 -c 'db2set DB2COMM'"
The output should be similar to the following example. The first line is a kubectl notice about which container was selected; the value of DB2COMM is the last line, and it must contain only SSL (no TCPIP):
Defaulted container "db2u" out of: db2u, init-labels (init), init-kernel (init)
SSL
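The following script is an added example, not part of the IBM documentation, that turns the checks from the steps above into reusable shell functions: it extracts the instance identifier from the pod name, verifies that the db2uconfig ConfigMap sets DB2_ALLOW_SSL_ONLY to true, and verifies that DB2COMM contains only SSL while ignoring the kubectl container notice. The `live_check` function runs the real kubectl commands and assumes PROJECT_CPD_INSTANCE is set; the sample strings are constructed.

```shell
#!/bin/sh
# Added example (not IBM's code): helpers to script the SSL-only verification
# for a Db2 (db2oltp) deployment. The sample values below are constructed.

# Extract the numeric instance identifier from a db2oltp pod name such as
# c-db2oltp-1605722434029496-db2u-0. Prints nothing for other pod names.
extract_instance_id() {
    printf '%s\n' "$1" | sed -n 's/^c-db2oltp-\([0-9][0-9]*\)-db2u-[0-9][0-9]*$/\1/p'
}

# Succeed only if the db2uconfig ConfigMap YAML sets DB2_ALLOW_SSL_ONLY to
# true (ConfigMap values are strings, so the quotes are optional).
configmap_allows_ssl_only() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*DB2_ALLOW_SSL_ONLY:[[:space:]]*"?true"?[[:space:]]*$'
}

# Succeed only if the db2set DB2COMM output consists solely of SSL.
# The "Defaulted container ..." notice that kubectl emits is skipped;
# "TCPIP,SSL" (plain-text port still open) or an empty value fails.
db2comm_is_ssl_only() {
    value=$(printf '%s\n' "$1" | grep -v '^Defaulted container' | tr -d '[:space:]' | tr 'a-z' 'A-Z')
    [ -n "$value" ] && [ "$value" = "SSL" ]
}

# Live variant: needs cluster access and PROJECT_CPD_INSTANCE in the environment.
# The notice goes to stderr, so it is merged before parsing.
live_check() {
    id=$1
    cm=$(kubectl get cm --namespace="${PROJECT_CPD_INSTANCE}" "c-db2oltp-${id}-db2uconfig" -o yaml)
    comm=$(kubectl exec --namespace="${PROJECT_CPD_INSTANCE}" "c-db2oltp-${id}-db2u-0" -- sh -c "su - db2inst1 -c 'db2set DB2COMM'" 2>&1)
    configmap_allows_ssl_only "$cm" && db2comm_is_ssl_only "$comm"
}

# Constructed sample inputs (not captured from a real cluster).
SAMPLE_POD='c-db2oltp-1605722434029496-db2u-0'
SAMPLE_CM='apiVersion: v1
data:
  DB2_ALLOW_SSL_ONLY: "true"
kind: ConfigMap'
SAMPLE_DB2COMM_OK='Defaulted container "db2u" out of: db2u, init-labels (init), init-kernel (init)
SSL'
SAMPLE_DB2COMM_BAD='TCPIP,SSL'

if [ "${1:-}" = "--demo" ]; then
    echo "instance id: $(extract_instance_id "$SAMPLE_POD")"
    configmap_allows_ssl_only "$SAMPLE_CM" && echo "configmap: SSL only"
    db2comm_is_ssl_only "$SAMPLE_DB2COMM_OK" && echo "DB2COMM: SSL only"
    db2comm_is_ssl_only "$SAMPLE_DB2COMM_BAD" || echo "DB2COMM: TCPIP still enabled"
fi
```

Run `sh check.sh --demo` to exercise the parsers on the samples, or call `live_check 1605722434029496` against a cluster and act on its exit status.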