Setting the TLS version in an HADR environment

Changing the value of the SSL_VERSIONS configuration parameter for an HADR node requires an instance restart of that node. You can change the TLS version without bringing down both nodes at the same time.

Procedure

  1. Stop the standby node.
    db2 stop hadr on db <db>
  2. Set the SSL_VERSIONS configuration parameter to either TLSV12 or TLSV13.
    db2 update dbm cfg using SSL_VERSIONS TLSV13
    This action ensures that either TLS 1.2 or TLS 1.3 is used for HADR connections to the standby.
  3. Restart the standby instance.
    db2stop; db2start
  4. Bring up the standby node and perform a takeover.
    db2 start hadr on db <db> as standby; db2 takeover hadr on db <db>
  5. Stop the new standby node (the old primary node) and set the value of SSL_VERSIONS to what was set earlier.
    db2 update dbm cfg using SSL_VERSIONS TLSV13
    This action ensures that the specified TLS version is used for HADR connections to the primary.
  6. Restart the instance.
    db2stop; db2start
  7. Bring up the standby node and restore the original configuration.
    db2 start hadr on db <db> as standby; db2 takeover hadr on db <db>
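
After step 7, both nodes should report the same SSL_VERSIONS value, and that value should be TLSV12 or TLSV13. The following check is an added example, not part of the original procedure or IBM's code; the function names and the sample `db2 get dbm cfg` excerpts are constructed for illustration, and the layout of the configuration line is an assumption.

```shell
#!/bin/sh
# Added example: confirm SSL_VERSIONS on both HADR nodes after the rolling change.
# The excerpts below are constructed samples of `db2 get dbm cfg` output.
CFG_NODE_A=' SSL cipherspecs                      (SSL_CIPHERSPECS) =
 SSL versions                            (SSL_VERSIONS) = TLSV13'
CFG_NODE_B=' SSL versions                            (SSL_VERSIONS) = TLSV13'
CFG_STALE=' SSL versions                            (SSL_VERSIONS) = TLSV1'
CFG_UNSET=' SSL versions                            (SSL_VERSIONS) = '

# Read `db2 get dbm cfg` output on stdin, print the SSL_VERSIONS value.
ssl_versions_from_cfg() {
    sed -n 's/^.*(SSL_VERSIONS)[[:space:]]*=[[:space:]]*//p' | tr -d '[:space:]'
}

# Succeed only if the value is non-empty and every comma-separated entry
# is one of the two versions this procedure sets.
ssl_versions_ok() {
    [ -n "$1" ] || return 1
    old_ifs=$IFS; IFS=,
    for v in $1; do
        case $v in
            TLSV12|TLSV13) ;;
            *) IFS=$old_ifs; return 1 ;;
        esac
    done
    IFS=$old_ifs
    return 0
}

# Compare two nodes. $1 and $2 hold each node's `db2 get dbm cfg` output.
# Returns 1 for an unset or unexpected value, 2 for a mismatch between nodes.
check_hadr_pair() {
    a=$(printf '%s\n' "$1" | ssl_versions_from_cfg)
    b=$(printf '%s\n' "$2" | ssl_versions_from_cfg)
    ssl_versions_ok "$a" || { echo "node A: SSL_VERSIONS='$a' is not TLSV12/TLSV13"; return 1; }
    ssl_versions_ok "$b" || { echo "node B: SSL_VERSIONS='$b' is not TLSV12/TLSV13"; return 1; }
    [ "$a" = "$b" ] || { echo "mismatch: node A=$a, node B=$b"; return 2; }
    echo "both nodes: SSL_VERSIONS=$a"
}

# On a real pair, capture `db2 get dbm cfg` on each node and pass both outputs:
#   check_hadr_pair "$(cat nodeA.cfg)" "$(cat nodeB.cfg)"   # file names are hypothetical
check_hadr_pair "$CFG_NODE_A" "$CFG_NODE_B"
```

A nonzero return means one node was skipped or still carries its earlier setting, for example because the instance restart in step 3 or step 6 was missed.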

What to do next

For more information about SSL_VERSIONS, see ssl_versions - Supported SSL versions at the server configuration parameter.