Renewing the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated (IBM Knowledge Catalog)
Important: IBM Cloud Pak® for Data Version 4.8 will reach end of support (EOS) on 31 July, 2025. For more information, see the Discontinuance of service announcement for IBM Cloud Pak for Data Version 4.X.
Upgrade to IBM Software Hub Version 5.1 before IBM Cloud Pak for Data Version 4.8 reaches end of support. For more information, see Upgrading from IBM Cloud Pak for Data Version 4.8 to IBM Software Hub Version 5.1.
When the Cloud Pak for Data self-signed certificate is updated, the SSL certificate that is used by IBM Knowledge Catalog must be refreshed to maintain connectivity to the service.
Before you begin
When the SSL certificates expire, wdp-policy-service, wkc-workflow-service, wdp-business-glossary, and wdp-lineage-service all fail with the following Db2 error:
"[jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection's underlying socket, socket input stream, \nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001","thread":"Default Executor-thread-22","exception":"\ncom.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.21.29] A communication error occurred during operations on the connection's underlying socket, socket input stream, \nor socket output stream. Error location: Reply.fill() - socketInputStream.read (-1). Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
The instance of Db2u used by IBM Knowledge Catalog is:
c-db2oltp-wkc-db2u-0
About this task
Follow these steps to renew the SSL certificate.
Procedure
- Verify the expiry date of the Db2® certificate by running the following within the Db2u container:
  oc exec c-db2oltp-wkc-db2u-0 -- ksh -lc "cd /mnt/blumeta0/db2/ssl_keystore; gsk8capicmd_64 -cert -details -db bludb_ssl.kdb -stashed -label CN=zen-ca-cert" 2>&1
- Renew the Db2 certificate by running:
  oc exec -it c-db2oltp-wkc-db2u-0 -- bash -lic "/db2u/scripts/db2_rotate_ssl_certs.sh"
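
The symptom described under "Before you begin" can be confirmed from collected service logs before the certificate is rotated. The following is an added example, not an IBM script: it assumes each log line has been prefixed with its service name, and the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Services the page lists as failing when the Db2 certificate has expired.
WKC_SERVICES="wdp-policy-service wkc-workflow-service wdp-business-glossary wdp-lineage-service"

# handshake_failures: read "<service> <log text>" lines on stdin and print
# "<service> <count>" for each service whose log carries the page's signature.
# ERRORCODE=-4499 alone is a generic JCC communication error, so the line must
# also carry SQLSTATE=08001 and "Remote host terminated the handshake".
handshake_failures() {
    awk '
        /ERRORCODE=-4499/ && /SQLSTATE=08001/ && /Remote host terminated the handshake/ {
            hits[$1]++
        }
        END { for (s in hits) print s, hits[s] }
    ' | sort
}

# cert_expiry_suspected: succeed only when every service in WKC_SERVICES
# shows the signature, matching the "all fail" symptom on the page.
cert_expiry_suspected() {
    report=$(handshake_failures)
    for svc in $WKC_SERVICES; do
        printf '%s\n' "$report" | grep -q "^$svc " || return 1
    done
    return 0
}

# Constructed sample input (not real logs): service name prefixed to each line.
sample_logs() {
    cat <<'EOF'
wdp-policy-service [jcc][t4][2030][11211][4.21.29] ... Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
wkc-workflow-service [jcc][t4][2030][11211][4.21.29] ... Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
wdp-business-glossary [jcc][t4][2030][11211][4.21.29] ... Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
wdp-lineage-service [jcc][t4][2030][11211][4.21.29] ... Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
wdp-lineage-service [jcc][t4][2030][11211][4.21.29] ... Message: Remote host terminated the handshake. ERRORCODE=-4499, SQLSTATE=08001
wdp-policy-service ... Message: Connection refused. ERRORCODE=-4499, SQLSTATE=08001
EOF
}

if sample_logs | cert_expiry_suspected; then
    echo "All four services show the handshake failure: check the Db2 certificate expiry."
fi
```

A match on all four services is a reason to run the expiry check in the first procedure step; it does not by itself prove that the certificate has expired.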