Use transport layer security (TLS) to create secure connections from Db2 and Db2
Warehouse clients to the integrated database server deployed on Red Hat OpenShift and Kubernetes.
About this task
A Db2 or Db2 Warehouse deployment on Red Hat OpenShift and Kubernetes ships with a self-signed TLS
certificate for connections to the Db2 or Db2 Warehouse database. This task outlines how to extract
that certificate, install it on the client side, and enable TLS for any Db2 or Db2 Warehouse client
or application that uses IBM® Data Server Drivers. Because the certificate is self-signed, no public
CA vouches for it: the client must be given its own copy of the certificate to trust, otherwise the
TLS handshake fails.
For a detailed description of TLS and how it works in the context of a Db2 or Db2 Warehouse client connection, see TLS configuration of Db2.
Procedure
-
Extract the self-signed TLS certificate chain using the name of your Db2uInstance/Db2uCluster. If
you do not provide a certificate when deploying your Db2uInstance or Db2uCluster custom resource,
the operator issues a new self-signed certificate and mounts it on your custom resource. The
certificate chain is stored in a secret named c-<name>-db2ssl, and you can retrieve it with the
following commands.
On OpenShift® (oc extract writes each key of the secret to a file in the current directory):
export DB2U=<db2ucluster/instance name>
oc extract secret/c-${DB2U}-db2ssl -n [namespace]
On Kubernetes-based cluster (the values under data: are base64 encoded; decode them before use):
export DB2U=<db2ucluster/instance name>
kubectl get secret/c-${DB2U}-db2ssl -n [namespace] -oyaml
-
Copy the Db2 or Db2 Warehouse TLS certificate
chain over to the system that contains your Db2 client application. The procedure to install the TLS
certificate depends on the method that the application uses to connect to the Db2® database.
-
For non-Java™ clients such as CLI/CLP, ODBC, and .Net, see Configuring TLS support in non-Java
Db2 clients.
-
For Java applications that use JDBC or JCC connections, see Configuring the Java Runtime
Environment to use TLS.
-
Find the NodePort on your cluster that exposes the Db2 TLS listener (port 50001).
On OpenShift®:
oc -n [project] get svc | grep db2u-engn-svc
On Kubernetes-based cluster:
kubectl -n [namespace] get svc | grep db2u-engn-svc
Replace project or namespace with the project or namespace where your Db2 or Db2 Warehouse
database is deployed. Consider the following example output:
mpp2-db2u-engn-svc NodePort 10.0.86.99 <none> 50000:32209/TCP,50001:31050/TCP 20h
Port 50000 is the plain (non-TLS) listener and port 50001 is the TLS listener; the number after
each colon (32209 and 31050) is the NodePort on which that listener is reachable on every cluster
node.
-
Configure your database client application to use that NodePort value, together with the installed
TLS certificate, when it connects to the database.
Using the previous example, you would configure your client application to connect to port 31050
on the IP address or host name of one of the cluster's worker nodes. The 10.0.86.99 address in the
example output is the service's cluster-internal IP, which is routable only from inside the
cluster; a NodePort service is reached from outside through a node address, not through that IP.
Pointing the client at port 32209 instead would reach the non-TLS listener and silently bypass the
certificate, so check that the port you configure is the one mapped from 50001.
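The whole procedure above, end to end, as an added shell example that is not from the IBM documentation or from the Db2U operator. It runs offline against constructed inputs: a stand-in for the c-<name>-db2ssl secret YAML (with a fake certificate body) and a stand-in for the db2u-engn-svc line. The secret key name ca.crt, the node host name worker1.example.com and the database name BLUDB are assumptions; check the key names in your own secret with oc extract or kubectl get -oyaml before relying on them. The db2dsdriver.cfg keywords SecurityTransportMode and SSLServerCertificate are the standard IBM Data Server Driver settings for the non-Java clients mentioned above.

```shell
#!/usr/bin/env bash
# Added example: extract the Db2U TLS certificate from the secret, find the TLS
# NodePort, and render a db2dsdriver.cfg for a non-Java client. Not IBM code.
set -eu

# Constructed stand-in for the certificate; the body is not a real certificate.
SAMPLE_CERT='-----BEGIN CERTIFICATE-----
MIIBfakeCertificateBodyForIllustrationOnly
-----END CERTIFICATE-----'

# Constructed stand-in for "kubectl get secret/c-<name>-db2ssl -oyaml". Values
# under data: are base64, so the sample encodes SAMPLE_CERT the same way.
# The key name ca.crt is an assumption; check your own secret.
sample_secret_yaml() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: c-db2wh-1-db2ssl\ndata:\n  ca.crt: %s\n' \
    "$(printf '%s\n' "$SAMPLE_CERT" | base64 | tr -d '\n')"
}

# Constructed stand-in for "kubectl -n <ns> get svc | grep db2u-engn-svc".
SAMPLE_SVC='mpp2-db2u-engn-svc NodePort 10.0.86.99 <none> 50000:32209/TCP,50001:31050/TCP 20h'

# Read secret YAML on stdin, pick one key from data: and base64-decode it.
secret_value() {  # usage: secret_value <key> < secret.yaml
  awk -v k="$1:" '$1 == k { print $2; exit }' | base64 -d
}

# Read a service line on stdin and print the NodePort mapped from the Db2 TLS
# port 50001. The plain port 50000 is deliberately ignored; prints nothing if
# no TLS mapping is present, so callers can detect a service without TLS.
tls_nodeport() {  # usage: tls_nodeport < svc_line
  sed -n 's#.*[ ,]50001:\([0-9][0-9]*\)/TCP.*#\1#p'
}

# Render a db2dsdriver.cfg entry for a CLI/ODBC/.NET client. The host must be a
# node address reachable from the client, never the service's ClusterIP.
db2dsdriver_cfg() {  # usage: db2dsdriver_cfg <node-host> <tls-nodeport> <dbname> <certfile>
  cat <<EOF
<configuration>
  <dsncollection>
    <dsn alias="$3" name="$3" host="$1" port="$2"/>
  </dsncollection>
  <databases>
    <database name="$3" host="$1" port="$2">
      <parameter name="SecurityTransportMode" value="SSL"/>
      <parameter name="SSLServerCertificate" value="$4"/>
    </database>
  </databases>
</configuration>
EOF
}

# Stand-alone demo over the constructed inputs; files land in a temp directory.
WORK=$(mktemp -d)
sample_secret_yaml | secret_value ca.crt > "$WORK/db2-ca.crt"
PORT=$(printf '%s\n' "$SAMPLE_SVC" | tls_nodeport)
[ -n "$PORT" ] || { echo "no TLS (50001) mapping on the service" >&2; exit 1; }
db2dsdriver_cfg worker1.example.com "$PORT" BLUDB "$WORK/db2-ca.crt" > "$WORK/db2dsdriver.cfg"
echo "certificate: $WORK/db2-ca.crt  TLS NodePort: $PORT  config: $WORK/db2dsdriver.cfg"
```

With real values in place, verify the endpoint before handing the configuration to an application: openssl s_client -connect <node-host>:<tls-nodeport> -CAfile db2-ca.crt should end with Verify return code: 0 (ok). A self-signed-certificate verification error means the file extracted from the secret is not the one the server presents (wrong key name), and a handshake that never starts usually means the client was pointed at the plain NodePort instead of the one mapped from 50001.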