Removing non-SSL ports in Db2

You can edit the Db2 configuration to remove non-SSL ports from your deployment, so that the service accepts only SSL connections and rejects any non-SSL connection.

Procedure

  1. Run the following command to get the database instance identifier:
    kubectl get pods --namespace=${PROJECT_CPD_INSTANCE} | grep db2oltp

    The command returns a string that contains an instance identifier number, similar to the following example:

    c-db2oltp-1605722434029496-db2u-0

    In this example, the instance identifier of the database is 1605722434029496.

  2. Run the following patch to disable the non-SSL port, replacing INSTANCE_ID with the instance identifier from step 1:
    kubectl patch --namespace=${PROJECT_CPD_INSTANCE} db2ucluster db2oltp-INSTANCE_ID --type=merge --patch '{"spec":{"environment":{"database":{"ssl":{"allowSslOnly": true}}}}}'
  3. Run the following command to confirm that the corresponding db2uconfig ConfigMap now has DB2_ALLOW_SSL_ONLY set to true:
    kubectl get cm --namespace=${PROJECT_CPD_INSTANCE} c-db2oltp-INSTANCE_ID-db2uconfig -o yaml | grep DB2_ALLOW_SSL_ONLY
  4. Apply the change to the Db2 pod by running the following command:
    kubectl exec -it --namespace=${PROJECT_CPD_INSTANCE} c-db2oltp-INSTANCE_ID-db2u-0 -- bash -lc "sudo rm -f /db2u/tmp/os_envar_configmap && apply-db2cfg-settings"
  5. Confirm that only SSL is enabled on the Db2 instance by inspecting the Db2 registry variable DB2COMM:
    kubectl exec -it --namespace=${PROJECT_CPD_INSTANCE} c-db2oltp-INSTANCE_ID-db2u-0 -- sh -c "su - db2inst1 -c 'db2set DB2COMM'"

    The output should be similar to the following example:

    Defaulted container "db2u" out of: db2u, init-labels (init), init-kernel (init)
    
    SSL