Depending on your configuration, you might have to do some more steps to configure Secure Sockets Layer (SSL) access to some services.
About this task
In the following scenarios, extra configuration is needed to provide the required SSL certificate to connect Db2® Big SQL to a remote service.
- You are connecting to a Cloudera Hadoop cluster whose Cluster Manager server is accessed over SSL.
- You are connecting to a Ranger service that is accessed over SSL.
- You are connecting, as part of a Ranger service integration, to a Key Management Service (KMS) server that is accessed over SSL.
For each scenario that applies to you, add the required SSL certificate to the Db2 Big SQL instance. In the following steps, replace the data label with the appropriate value:
cmCertificate
for the Cloudera Cluster Manager server SSL certificate.
Note: If the Cloudera Cluster Manager (CM) server is configured for HTTPS, and the cmCertificate is not created, the provisioning pauses until the certificate is provided. You can also see the following messages in the container logs from the head pod:
ERROR: certificate path must be set when connecting to Cloudera Manager with https
cmdWithRetry Execution of setup_client_configs failed (2).
cmdWithRetry Retrying (3) in 30 seconds.
Failed to deploy client configs with rc=2. Aborting the deployment
The container restarts and continues to reattempt to connect to CM until the certificate is provided.
rangerSslCert
for the Ranger Admin service SSL certificate.
rangerKmsSslCert
for the certificate that is used for Ranger to integrate with the KMS server.
hdfsKmsSslCert
for the certificate that is used by HDFS to integrate with the KMS server.
Procedure
- Log in to the IBM Cloud Pak® for Data web interface.
- Open the Instance page and identify the Db2 Big SQL instance for which you want to enable SSL.
- Identify the name of the Db2 Big SQL custom resource that is associated with the Db2 Big SQL instance. In the command, replace any uppercase letters in the Db2 Big SQL instance name with the equivalent lowercase letters.
cr_name=$(oc get cm bigsql-lowercase-instance-name-cm -o custom-columns=CR_NAME:.metadata.labels.app --no-headers=true)
The custom resource name is saved in the cr_name shell variable.
- From the custom resource name, identify the Db2 Big SQL secret to update:
oc get secrets | grep bigsql-secret | awk '{print $1}'
c-bigsql-<instance_id>-bigsql-secret
The secret to update is c-bigsql-<instance_id>-bigsql-secret, where <instance_id> is the same as the Db2 Big SQL custom resource name. This secret does not exist immediately after deployment; it is created only after the database is configured. You must wait until the secret is created before you proceed to the next step.
- Update the secret to add the SSL certificate data as a Privacy Enhanced Mail (PEM) file under the relevant data label:
secret=$(base64 cert_pem_file_path | awk '{ secret = secret $0 }; END { print secret }')
oc patch secret c-${cr_name}-bigsql-secret --patch '{"data": {"label": "'$secret'"}}'
- Verify that the secret was uploaded on the Db2 Big SQL head pod:
oc exec -it c-$cr_name-db2u-0 -c "db2u" -- ls -l /secrets/external/bigsql-secret-credentials/<label>
A file with the name <label> is now present. If the file is not present, verify that the secret update was successful, wait a few minutes, and check again. If the secret is not present on the pod, do not proceed to the next step.
- Trigger the refresh of the Hadoop configuration on the cluster by updating the Db2 Big SQL custom resource generation field:
oc patch bigsql $cr_name --patch '{"spec": {"hadoopCluster": {"generation": 1}}}' --type merge
- Wait for the Db2 Big SQL custom resource to move from the Error to the Ready state.
- Restart the Db2 Big SQL instance:
oc exec -it c-$cr_name-db2u-0 -- su - db2inst1 -c 'bigsql stop; bigsql start'
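The following helper is an added example, not part of the IBM documentation: it wraps the secret-update step so that the data label is checked against the four labels this page lists and the file is checked for a PEM certificate header before anything is patched, and it produces the single-line base64 value that the secret's data field needs (the tr -d '\n' call does the same job as the awk concatenation above). The function names, and the assumption of a POSIX shell with a base64 command and the oc CLI, are mine.

```shell
#!/bin/sh
# Added example helper (not from the IBM documentation). Assumes a POSIX shell,
# a base64 command (GNU or BSD) and the oc CLI; the function names are hypothetical.

# The four data labels that this procedure recognises.
VALID_LABELS="cmCertificate rangerSslCert rangerKmsSslCert hdfsKmsSslCert"

# is_valid_label LABEL: succeeds only if LABEL is one of the known data labels.
is_valid_label() {
    for l in $VALID_LABELS; do
        [ "$1" = "$l" ] && return 0
    done
    return 1
}

# encode_pem FILE: prints FILE as one base64 line with no line breaks, which is
# what the secret's data field needs. Fails if FILE is empty or does not start
# with a PEM certificate header, so a key or a wrong file is never uploaded.
encode_pem() {
    [ -s "$1" ] || return 1
    head -n 1 "$1" | grep -q '^-----BEGIN CERTIFICATE-----' || return 1
    base64 < "$1" | tr -d '\n'
}

# build_patch LABEL FILE: prints the JSON document passed to `oc patch secret`.
build_patch() {
    is_valid_label "$1" || { echo "unknown data label: $1" >&2; return 1; }
    enc=$(encode_pem "$2") || { echo "not a PEM certificate: $2" >&2; return 1; }
    printf '{"data": {"%s": "%s"}}\n' "$1" "$enc"
}

# apply_cert CR_NAME LABEL FILE: validates the inputs, then patches the Big SQL
# secret exactly as the procedure does. Example: apply_cert "$cr_name" cmCertificate cm.pem
apply_cert() {
    patch=$(build_patch "$2" "$3") || return 1
    oc patch secret "c-$1-bigsql-secret" --patch "$patch"
}
```

Because the secret value is base64 with the line breaks removed, a quick round trip (decode the value and compare it with the PEM file) is a reliable check before running oc patch.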