Configuring TLS connections with Informix

Use transport layer security (TLS) to create secure connections from Informix clients to the integrated Informix database server deployed on IBM® Cloud Pak for Data.

About this task

An Informix deployment on Cloud Pak for Data has TLS connections enabled by default. This task outlines how to retrieve the TLS certificate.

Procedure

  1. Use one of the following commands to find the namespace for your database deployment.
    kubectl get ns
    or
    oc get projects
  2. Use the Kubernetes app.kubernetes.io/name label selector to find the Informix pod name. Replace projectName with your namespace; the example uses zen:
    oc get pods -n projectName --selector app.kubernetes.io/name=informix-server-cr
    Example:
    $ oc get pods -n zen --selector app.kubernetes.io/name=informix-server-cr
    NAME                                                   READY   STATUS    RESTARTS   AGE
    informix-1234567890123456-cm-0                         1/1     Running   1          4d22h
    informix-1234567890123456-cm-1                         1/1     Running   0          4d22h
    informix-1234567890123456-cp4dapi-66d66777b8-dvld2     1/1     Running   0          4d22h
    informix-1234567890123456-monitor-59466d46b4-mhpzg     1/1     Running   0          4d22h
    informix-1234567890123456-server-0                     1/1     Running   1          4d22h
    informix-1234567890123456-server-1                     1/1     Running   4          4d22h
    informix-1234567890123456-wlistener-586dd7c4b6-ndh6f   1/1     Running   0          4d22h
    informix-1234567890123456-wlistener-586dd7c4b6-z9qgb   1/1     Running   0          4d22h
  3. Extract the TLS certificate by running the following command, replacing crName with the Informix CR name (informix-1234567890123456 in the example):
    oc extract secret/crName-informix-tls --keys=tls.crt --to=-

    The CR name has the form informix-someNumber, for example informix-1234567890123456.

    Example:
    $ oc extract secret/informix-1234567890123456-informix-tls --keys=tls.crt --to=-
    # tls.crt
  4. Extract the self-signed CA certificate by running the following command, replacing crName with the Informix CR name (informix-1632306265198756 in the example):
    oc extract secret/crName-informix-tls --keys=ca.crt --to=-
    Example:
    $ oc extract secret/informix-1632306265198756-informix-tls --keys=ca.crt --to=-
    # ca.crt
  5. Follow the steps described in Configuring a client for SSL connections.
    Note: If you need to access the keystore files used by the Informix server, you can find them in the /opt/informix/server/ssl directory in the Informix server pod(s):
    $ cd /opt/informix/server/ssl
    $ ls -l
    total 12
    -rw-r--r--. 1 root     root      743 Sep 22 10:32 client.jks
    -rw-------. 1 informix informix 2976 Sep 22 10:32 ssl_informix0.p12
    -rw-------. 1 informix informix  193 Sep 22 10:32 ssl_informix0.sth
    
    Note: You can also extract the TLS certificate and the CA certificate from the Details page of the instance. To open it, click the instance name on the Instances page of CP4D (IBM Cloud Pak for Data -> Services -> Instances).
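
A check worth running on the files from steps 3 and 4 before importing ca.crt into a client truststore, as an added example (not part of the IBM procedure): it confirms that tls.crt is signed by ca.crt, is not about to expire, and covers the host name the client will connect to. The function names, the file names, the host name informix and the throwaway certificates generated by make_demo_certs are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: sanity-check the certificates saved from steps 3 and 4
# before trusting ca.crt on a client. Requires the openssl CLI.

# check_informix_certs CA LEAF HOST [MIN_DAYS]
# Return codes: 0 ok, 1 LEAF is not signed by CA,
#               2 LEAF expires within MIN_DAYS (default 30),
#               3 HOST is not covered by the certificate's names.
check_informix_certs() {
    local ca="$1" leaf="$2" host="$3" min_days="${4:-30}"
    openssl verify -CAfile "$ca" "$leaf" >/dev/null 2>&1 || return 1
    openssl x509 -in "$leaf" -noout -checkend $((min_days * 86400)) \
        >/dev/null 2>&1 || return 2
    # -checkhost reports the result as text, so match on its output
    openssl x509 -in "$leaf" -noout -checkhost "$host" 2>/dev/null \
        | grep -q 'does match' || return 3
    return 0
}

# Constructed sample input: throwaway demo certificates (not the ones from
# the cluster) so the check can be exercised without a deployment.
# Writes ca.crt, other.crt (unrelated CA), tls.crt (90 days), soon.crt (1 day).
make_demo_certs() {
    local dir="$1" name
    printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' \
        'x509_extensions=v3_ca' '[dn]' 'O=Demo CA' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[san]' 'subjectAltName=DNS:informix' > "$dir/demo.cnf"
    for name in ca other; do    # two self-signed CAs with different keys
        openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
            -days 3650 -keyout "$dir/$name.key" -out "$dir/$name.crt" 2>/dev/null
    done
    openssl req -new -config "$dir/demo.cnf" -subj '/O=Demo/CN=informix' \
        -newkey rsa:2048 -nodes -keyout "$dir/tls.key" \
        -out "$dir/tls.csr" 2>/dev/null
    openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions san \
        -days 90 -out "$dir/tls.crt" 2>/dev/null
    openssl x509 -req -in "$dir/tls.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions san \
        -days 1 -out "$dir/soon.crt" 2>/dev/null
}
```

Against a real deployment, save the output of the two oc extract commands to files and pass them, together with the host name from the client's connection settings, to check_informix_certs.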