Configuring hostname validation for TLS connections to Db2 pureScale clusters in HADR environments
HADR can be enabled between two pureScale clusters, with one cluster acting as the primary host and another acting as the standby node.
The processes for creating certificates for each pureScale cluster are sufficient if the fully qualified hostname of the standby member is used in the UPDATE ALTERNATE SERVER command that is run on the primary cluster.

UPDATE ALTERNATE SERVER FOR DATABASE <DATABASE ALIAS> USING HOST <HOSTNAME> PORT <PORT NUMBER>

This hostname is returned to the client as part of the server list. When the client connects to the standby member during automatic client reroute (ACR), it checks this hostname against the server certificate.

You should avoid using a short hostname or an IP address when configuring this alternate server. For more information, see Using IP addresses as SAN values and Using short hostnames. If your business requires you to use a short hostname or an IP address when configuring the alternate server, this value must be present in the certificate set up on the standby host that is acting as the alternate server.
The opposite applies when a primary host is acting as the alternate server for the standby cluster.
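
The following pre-flight check is an added example, not IBM code: it tests whether the value planned for USING HOST is covered by the subject alternative names of the certificate on the alternate server. The function names and the sample SAN line are constructed, and the matching rules (case-insensitive DNS match, wildcard on the left-most label only, IP addresses matched only against IP entries) are general TLS conventions assumed here, not a description of how the Db2 client implements the check.

```python
import ipaddress

# Constructed sample: SAN line as printed by `openssl x509 -noout -ext subjectAltName`
STANDBY_SAN = "DNS:standby1.example.com, DNS:*.hadr.example.com, IP Address:192.0.2.10"

def parse_san(san_text):
    """Split an openssl-style SAN line into (dns_names, ip_addresses)."""
    dns, ips = [], []
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    return dns, ips

def dns_match(host, pattern):
    """Exact match, or a wildcard that covers only the left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def check_alternate_server(host, san_text):
    """Return (covered, kind) for the HOST value of UPDATE ALTERNATE SERVER.

    kind is "ip", "short" or "fqdn"; covered is True only when the
    certificate carries a SAN entry of the matching type for that value.
    """
    dns, ips = parse_san(san_text)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        addr = None
    if addr is not None:
        # An IP address must appear as an IP SAN entry, not as a DNS entry.
        return addr in ips, "ip"
    name = host.lower().rstrip(".")
    kind = "fqdn" if "." in name else "short"
    return any(dns_match(name, p) for p in dns), kind

if __name__ == "__main__":
    for candidate in ("standby1.example.com", "standby1", "192.0.2.10"):
        covered, kind = check_alternate_server(candidate, STANDBY_SAN)
        print(f"{candidate:24} {kind:6} {'covered' if covered else 'NOT in certificate'}")
```

A short hostname such as `standby1` is reported as not covered here because the sample certificate lists only the fully qualified name; run the same check against the primary's certificate for the reverse direction.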