Configuring TLS connections with Informix
Use transport layer security (TLS) to create secure connections from Informix clients to the integrated Informix database server deployed on IBM® Cloud Pak for Data.
About this task
An Informix deployment on Cloud Pak for Data has TLS connections enabled by default. This task outlines how to achieve the TLS certificate.
Procedure
-
Use one of the following commands to find the namespace for your database
deployment.
orkubectl get ns
oc get projects
-
Use the Kubernetes
app.kubernetes.io/name
label selector to find the Informix pod name - we are using zen as the namespace here:
Example:oc get pods -n projectName --selector app.kubernetes.io/name=informix-server-cr
$ oc get pods -n zen --selector app.kubernetes.io/name=informix-server-cr NAME READY STATUS RESTARTS AGE informix-1234567890123456-cm-0 1/1 Running 1 4d22h informix-1234567890123456-cm-1 1/1 Running 0 4d22h informix-1234567890123456-cp4dapi-66d66777b8-dvld2 1/1 Running 0 4d22h informix-1234567890123456-monitor-59466d46b4-mhpzg 1/1 Running 0 4d22h informix-1234567890123456-server-0 1/1 Running 1 4d22h informix-1234567890123456-server-1 1/1 Running 4 4d22h informix-1234567890123456-wlistener-586dd7c4b6-ndh6f 1/1 Running 0 4d22h informix-1234567890123456-wlistener-586dd7c4b6-z9qgb 1/1 Running 0 4d22h
-
You can extract the TLS certificate by running the following command - we are using
informix-123456789012345 as the Informix CR name here:
oc extract secret/crName-informix-tls --keys=tls.crt --to=-
The crname should be informix-someNumber for example informix-1234567890123456:
Example:$ oc extract secret/informix-1234567890123456-informix-tls --keys=tls.crt --to=- # tls.crt -----BEGIN CERTIFICATE----- MIIDMzCCAtmgAwIBAgIRAKF9P8Epd9o48jyNJwnrpRAwCgYIKoZIzj0EAwIwFzEV MBMGA1UEChMMSUJNIEluZm9ybWl4MB4XDTIxMDkyMjEwMjQzNFoXDTIxMTIyMTEw MjQzNFowKjEVMBMGA1UEChMMSUJNIEluZm9ybWl4MREwDwYDVQQDEwhJbmZvcm1p eDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALyp0TZp/lqsh6XrihLZ KR6mNN49+K1gxvAOxErCfuNnfeH1du3s7nEO4Ymi69SpWoQNbNJqkPNmBDXH0tg6 IgZ/srYJ7Q6T8wMOTwe+Ua6wAeoZw9EVxtUSqhk99fVZZ/nztYPl2XpQ1kLqhQSd xq1+wauX+SFOS24H43bwHpxLMbU9jxE5kya2uYTQcWIxFctEVpCi1AmrsQlI2hfW 2AHNxBNHWxLnMydbpoXHZLaJCtGUeAZ4jq3cDWc5oKibdP2e0a5nM5aO9paU/nrA CcQnRJPeBPOrcal23HnLFquV3/vv4RTepf3C5bHJzfjt3B7f/6wIMpKTSYrhjr1l nPkCAwEAAaOCASYwggEiMA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB8G A1UdIwQYMBaAFP9638X4SF+kerTPHeBGv5Y8+wnsMIHgBgNVHREEgdgwgdWCCElu Zm9ybWl4giNpbmZvcm1peC0xNjMyMzA2MjY1MTk4NzU2LWhsc2VydmljZYIpaW5m b3JtaXgtMTYzMjMwNjI2NTE5ODc1Ni1tb25pdG9yLXNlcnZpY2WCJGluZm9ybWl4 LTE2MzIzMDYyNjUxOTg3NTYtY20tc2VydmljZYImaW5mb3JtaXgtMTYzMjMwNjI2 NTE5ODc1Ni1jbS1obHNlcnZpY2WCK2luZm9ybWl4LTE2MzIzMDYyNjUxOTg3NTYt d2xpc3RlbmVyLXNlcnZpY2UwCgYIKoZIzj0EAwIDSAAwRQIhAPWz3NIvVJmZ9RGx NwhFsXCeYIz9iz9BUnOsU9PE/4ywAiAFdpsiBpoUPvfX+/8jdt2mS0LRwmBUiLuo L+ExmAm3/w== -----END CERTIFICATE-----
-
You can extract the self-signed CA certificate by running the following command - we are using
informix-123456789012345 as the Informix CR name here:
Example:oc extract secret/crName-informix-tls --keys=ca.crt --to=-
$ oc extract secret/informix-1632306265198756-informix-tls --keys=ca.crt --to=- # ca.crt -----BEGIN CERTIFICATE----- MIIBhTCCASqgAwIBAgIRAMDXSFuc/UAHxAJ6sFFaMRwwCgYIKoZIzj0EAwIwFzEV MBMGA1UEChMMSUJNIEluZm9ybWl4MB4XDTIxMDkyMjEwMjQyOVoXDTMxMDkyMjEw MjQyOVowFzEVMBMGA1UEChMMSUJNIEluZm9ybWl4MFkwEwYHKoZIzj0CAQYIKoZI zj0DAQcDQgAEmmhcwt3TVQEWHLX9/hRoisQv3iW89Ml/H7pcQJMAUqe3FmxwSOoh BCWTu3W6IC//Y7orToQBe6leqb9JNgl5q6NXMFUwDgYDVR0PAQH/BAQDAgKEMBMG A1UdJQQMMAoGCCsGAQUFBwMBMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFP96 38X4SF+kerTPHeBGv5Y8+wnsMAoGCCqGSM49BAMCA0kAMEYCIQCkWHCeH/cAySQV hnRkKgD22bJJHceoCAVudyBnB3ORKgIhAI9MxG7dm31Vm49+8vWdaYJ3U/sjuvih vUxIJfWbrLkU -----END CERTIFICATE-----
-
Follow the steps as described in Configuring a client for SSL connections.
Note: If you need to access the keystore used for the Informix server, you can find them in the
/opt/informix/server/ssl
directory in the Informix server pod(s):$ cd /opt/informix/server/ssl $ ls -l total 12 -rw-r--r--. 1 root root 743 Sep 22 10:32 client.jks -rw-------. 1 informix informix 2976 Sep 22 10:32 ssl_informix0.p12 -rw-------. 1 informix informix 193 Sep 22 10:32 ssl_informix0.sth
Note: You can also extract the TLS certificate and the CA certificate from the Details page of the instance. You can reach this by clicking on the instance name in the instances page of CP4D - IBM Cloud Pak for Data ->Services ->Instances.