Connecting to watsonx.data on Red Hat OpenShift

Before Db2 can be connected to watsonx.data on Red Hat OpenShift, a number of administrative steps must be taken on the watsonx.data deployment to enable the connection.

Exposing the metastore thrift endpoint

By default, the watsonx.data metastore server is not exposed to the outside network. The following procedure explains how to expose its Thrift endpoint to enable communication between Db2 and watsonx.data. Once exposed, the connection is still secured through encryption and authentication.

Follow the steps outlined in the Accessing Hive Metastore (HMS) using NodePort procedure to expose the Metastore Thrift endpoint.

Creating credentials for the connection to the Metastore

To allow a secure connection from Db2 to watsonx.data, credentials must exist on the watsonx.data side to permit the connection. Use the following steps to create the credentials:
  1. Open the IBM watsonx.data Console, go to Administration > Access Control and Add User. Create a user and set a password.
  2. Open the IBM watsonx.data instances page, locate the Lakehouse instance and open the Manage Access page from the right-hand side drop-down menu. Grant access to the user you created in step one, and assign the Metastore Access role.
    Note: Using an API Key as credentials is not supported.

Retrieving the metastore TLS public certificate

In order to successfully establish an encrypted connection to the watsonx.data metastore, Db2 must hold a public certificate to validate the one presented by the metastore server. The following procedure must be performed by a watsonx.data administrator to retrieve the public certificate from watsonx.data:
  1. Using the OpenShift CLI, login to the OpenShift server hosting watsonx.data.
  2. Change to the namespace hosting the watsonx.data instance.
    oc project <watsonx.data-namespace>
  3. Run the following command to retrieve the public certificate used to establish the SSL connection. Copy or capture its output into a file. Move this file to the Db2 environment.
    oc get secret ibm-lh-tls-secret -o yaml | grep " ca.crt" | sed 's/ \+[.a-z]\+: //' | base64 -d

Alternatively, you can login to the OpenShift console, locate the ibm-lh-tls-secret and copy the content of its ca.crt data element into a file.
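The pipeline above does the extraction with grep, sed and base64. As an added example that is not part of the original page or of the watsonx.data tooling, the following Python script does the same job on the YAML that `oc get secret ibm-lh-tls-secret -o yaml` prints, with two checks the shell pipeline does not make: it decodes only the `ca.crt` entry (never `tls.key`, which must stay on the OpenShift side), and it verifies that the decoded bytes are a PEM certificate before writing them to a file. The secret content is a constructed sample with a placeholder certificate body, not a real certificate; the output path is an assumption.

```python
import base64
import re
import sys

# Constructed sample of what `oc get secret ibm-lh-tls-secret -o yaml` prints.
# The certificate body is a placeholder, not real key material.
SAMPLE_CA_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDER-CA-CERTIFICATE-BODY\n"
    "-----END CERTIFICATE-----\n"
)
SAMPLE_SECRET_YAML = (
    "apiVersion: v1\n"
    "kind: Secret\n"
    "metadata:\n"
    "  name: ibm-lh-tls-secret\n"
    "type: kubernetes.io/tls\n"
    "data:\n"
    "  ca.crt: " + base64.b64encode(SAMPLE_CA_PEM.encode()).decode() + "\n"
    "  tls.crt: " + base64.b64encode(b"-----BEGIN CERTIFICATE-----\nSERVER\n-----END CERTIFICATE-----\n").decode() + "\n"
    "  tls.key: " + base64.b64encode(b"-----BEGIN PRIVATE KEY-----\nSECRET\n-----END PRIVATE KEY-----\n").decode() + "\n"
)


def extract_ca_cert(secret_yaml: str) -> str:
    """Return the decoded ca.crt PEM from the YAML dump of the TLS secret.

    Only the ca.crt data element is read; tls.crt and tls.key are ignored so that
    the server's private key is never copied out of the cluster by mistake.
    """
    # Same selector as `grep " ca.crt"`: an indented key inside the data: map.
    match = re.search(r"^\s+ca\.crt:\s*(\S+)\s*$", secret_yaml, re.MULTILINE)
    if not match:
        raise ValueError("no ca.crt entry found in secret data")
    pem = base64.b64decode(match.group(1), validate=True).decode("ascii")
    # Refuse anything that is not a certificate, e.g. a key pasted by mistake.
    if not pem.startswith("-----BEGIN CERTIFICATE-----") or "-----END CERTIFICATE-----" not in pem:
        raise ValueError("decoded ca.crt is not a PEM certificate")
    if "PRIVATE KEY" in pem:
        raise ValueError("decoded data contains a private key; refusing to write it")
    return pem


def write_ca_cert(secret_yaml: str, out_path: str) -> int:
    """Write the extracted PEM to out_path and return the number of bytes written."""
    pem = extract_ca_cert(secret_yaml)
    with open(out_path, "w", encoding="ascii") as fh:
        return fh.write(pem)


if __name__ == "__main__":
    # Usage: oc get secret ibm-lh-tls-secret -o yaml | python3 extract_ca.py watsonx-ca.crt
    # Falls back to the constructed sample when nothing is piped in.
    yaml_text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SECRET_YAML
    target = sys.argv[1] if len(sys.argv) > 1 else "watsonx-ca.crt"  # assumed path
    print(f"wrote {write_ca_cert(yaml_text, target)} bytes to {target}")
```

Copy only the resulting file to the Db2 environment; it contains the public CA certificate, which is the single element Db2 needs to validate the metastore's certificate.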

Properties required to connect to a watsonx.data on OpenShift

To connect to the watsonx.data metastore, its URI is required and must be provided through the uri property. The URI scheme must be thrift://; the hostname and port number can be obtained from the watsonx.data Infrastructure Manager screen by clicking on the catalog you want to connect to and copying the value labelled Metastore host on that page.

The connection to the metastore server of watsonx.data on OpenShift instances is secured with SSL/TLS using a self-signed or customer-provided certificate. It is therefore required to indicate that the connection uses SSL (set the use.SSL property to true), and to provide, through the ssl.cert property, the path to the public certificate file that was retrieved from watsonx.data.

The connection is authenticated using PLAIN authentication. This must be indicated by setting the auth.mode property to PLAIN, and by providing a user name and password through the auth.plain.credentials property. The user name and password are the ones that were created by the administrator in the steps above.
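The five properties described above are easy to get subtly wrong (a plain `http://` URI, `use.SSL` left at false, a certificate path that does not exist on the Db2 host). As an added example that is not part of the original page or of Db2's own tooling, the following Python function checks a property set against those requirements before it is handed to Db2. The property names are the ones the page documents; the assumption that auth.plain.credentials holds the user name and password as one `user:password` string is mine, as is the `cert_exists` hook, which is injected only so the check can be run without a real certificate file.

```python
import os
from urllib.parse import urlsplit

# Property names as documented for the watsonx.data metastore connection.
REQUIRED_PROPERTIES = ("uri", "use.SSL", "ssl.cert", "auth.mode", "auth.plain.credentials")


def check_metastore_properties(props: dict, cert_exists=os.path.isfile) -> list:
    """Return a list of problems found in the connection properties (empty means OK).

    cert_exists is a hook for testing; by default it checks the local filesystem,
    which is where Db2 will look for the ssl.cert file.
    """
    problems = []
    for key in REQUIRED_PROPERTIES:
        if not str(props.get(key, "")).strip():
            problems.append(f"missing property: {key}")
    if problems:
        return problems

    # uri: scheme must be thrift:// and both host and port must be present.
    uri = urlsplit(str(props["uri"]))
    if uri.scheme != "thrift":
        problems.append(f"uri scheme must be thrift://, got {uri.scheme or 'none'}://")
    try:
        port = uri.port
    except ValueError:
        port = None
    if not uri.hostname or port is None:
        problems.append("uri must contain both the Metastore host and its port")

    # use.SSL: the metastore endpoint is TLS-only, so anything but true is wrong.
    if str(props["use.SSL"]).strip().lower() != "true":
        problems.append("use.SSL must be true; the metastore connection is encrypted")

    # ssl.cert: the CA file retrieved from watsonx.data must exist on the Db2 host.
    if not cert_exists(str(props["ssl.cert"])):
        problems.append(f"ssl.cert file not found: {props['ssl.cert']}")

    # auth.mode: only PLAIN (user name and password) is supported, not API keys.
    if str(props["auth.mode"]).strip() != "PLAIN":
        problems.append("auth.mode must be PLAIN")

    # auth.plain.credentials: assumed here to be 'user:password' (assumption, not from the page).
    user, sep, password = str(props["auth.plain.credentials"]).partition(":")
    if not sep or not user.strip() or not password:
        problems.append("auth.plain.credentials must carry both a user name and a password")

    return problems


# Constructed sample property sets: one weak, one as the page requires.
WEAK_PROPERTIES = {
    "uri": "http://metastore.example.internal",   # wrong scheme, no port
    "use.SSL": "false",                            # unencrypted
    "ssl.cert": "/tmp/does-not-exist.crt",
    "auth.mode": "APIKEY",                         # not supported
    "auth.plain.credentials": "db2lakeuser",       # password missing
}
GOOD_PROPERTIES = {
    "uri": "thrift://metastore.example.internal:9083",  # constructed host and port
    "use.SSL": "true",
    "ssl.cert": "/home/db2inst1/watsonx-ca.crt",         # assumed path on the Db2 host
    "auth.mode": "PLAIN",
    "auth.plain.credentials": "db2lakeuser:example-password",
}

if __name__ == "__main__":
    for name, props in (("weak", WEAK_PROPERTIES), ("good", GOOD_PROPERTIES)):
        found = check_metastore_properties(props, cert_exists=lambda p: p == GOOD_PROPERTIES["ssl.cert"])
        print(f"{name}: {'OK' if not found else found}")
```

Run the check with the real ssl.cert path before configuring Db2; each reported problem maps directly to one of the properties discussed above.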