Configuring SSL access in Db2 Big SQL

Depending on your configuration, you might have to perform additional steps to configure Secure Sockets Layer (SSL) access to some services.

About this task

In the following scenarios, extra configuration is needed to provide the required SSL certificate to connect Db2® Big SQL to a remote service.

  • You are connecting to a Cloudera Hadoop cluster whose Cluster Manager server is accessed over SSL.
  • You are connecting to a Ranger service that is accessed over SSL.
  • You are connecting, as part of a Ranger service integration, to a Key Management Service (KMS) server that is accessed over SSL.

For each scenario that applies to you, add the required SSL certificate to the Db2 Big SQL instance. In the following steps, replace <label> with the appropriate data label:

  • cmCertificate for the Cloudera Cluster Manager server SSL certificate.
    Note: If the Cloudera Cluster Manager (CM) server is configured for HTTPS, and the cmCertificate data label is not created, the provisioning pauses until the certificate is provided. You can also see the following messages in the container logs from the head pod:
    ERROR: certificate path must be set when connecting to Cloudera Manager with https
    cmdWithRetry Execution of setup_client_configs failed (2).
    cmdWithRetry Retrying (3) in  30 seconds.
    Failed to deploy client configs with rc=2. Aborting the deployment

    The container restarts and continues to reattempt to connect to CM until the certificate is provided.

  • rangerSslCert for the Ranger Admin service SSL certificate.
  • rangerKmsSslCert for the certificate that is used for Ranger to integrate with the KMS server.
  • hdfsKmsSslCert for the certificate that is used by HDFS to integrate with the KMS server.

Procedure

  1. Log in to the IBM Cloud Pak® for Data web interface.
  2. Open the Instance page and identify the Db2 Big SQL instance for which you want to enable SSL.
  3. Identify the name of the Db2 Big SQL custom resource that is associated with the Db2 Big SQL instance.

    In the following command, replace lowercase-instance-name with the Db2 Big SQL instance name, converting any uppercase letters in the instance name to the equivalent lowercase letters.

    cr_name=$(oc get cm bigsql-lowercase-instance-name-cm -o custom-columns=CR_NAME:.metadata.labels.app --no-headers=true)
    The custom resource name is saved in the cr_name shell variable.
  4. From the custom resource name, identify the Db2 Big SQL secret to update:
    oc get secrets | grep bigsql-secret | awk '{print $1}'
    c-bigsql-<instance_id>-bigsql-secret

    The secret to update is c-bigsql-<instance_id>-bigsql-secret, where <instance_id> is the same as the Db2 Big SQL custom resource name. This secret does not exist immediately upon deployment; it is created only after the database is configured. You must wait until the secret is created before you proceed to the next step.

  5. Update the secret to add the SSL certificate data as a Privacy Enhanced Mail (PEM) file under the relevant data label:
    secret=$(base64 cert_pem_file_path | awk ' { secret = secret $0 }; END { print secret } ')
    oc patch secret c-${cr_name}-bigsql-secret --patch '{"data": {"<label>": "'$secret'"}}'
  6. Verify that the secret was uploaded on the Db2 Big SQL head pod:
    oc exec -it c-$cr_name-db2u-0 -c "db2u" -- ls -l /secrets/external/bigsql-secret-credentials/<label>

    A file named <label> is now present. If the file is not present, verify that the secret update was successful, wait a few minutes, and check again. If the secret is not present on the pod, do not proceed to the next step.

  7. Trigger the refresh of the Hadoop configuration on the cluster by updating the Db2 Big SQL custom resource generation field:
    oc patch bigsql $cr_name --patch '{"spec": {"hadoopCluster": {"generation": 1}}}' --type merge
  8. Wait for the Db2 Big SQL custom resource to move from the Error to the Ready state:
    oc get bigsql
  9. Restart the Db2 Big SQL instance:
    oc exec -it c-$cr_name-db2u-0 -- su - db2inst1 -c 'bigsql stop; bigsql start'