Removing non-TLS ports from a Db2 or Db2 Warehouse on OpenShift deployment

You can edit the Db2 or Db2 Warehouse custom resource to remove the non-TLS (Transport Layer Security) ports from your deployment, so that the service accepts only TLS-protected connections and refuses plain-text ones.

About this task

Secure Sockets Layer (SSL) encryption is replaced by Transport Layer Security (TLS) in Db2 11.1 and later. The Db2 configuration keys and registry values still use the older name (allowSslOnly, DB2_ALLOW_SSL_ONLY, DB2COMM=SSL), so "SSL" in the steps below means TLS. For more information, see Encryption of data in transit.

Procedure

Note: If your deployment uses the restricted-v2 SCC, commands that switch users or require elevated privileges are not supported; this affects the sudo wrapper in step 4 and the su - db2inst1 wrapper in step 5. Perform all steps as the Db2 instance user within the container. For more information, see Deploying Db2 or Db2 Warehouse with non-root deployment.

  1. Determine the DB2U_IDENTIFIER that matches your Db2 deployment. It is the name of the custom resource that was used to deploy Db2, as listed by the following commands (oc and kubectl are interchangeable for the commands in this procedure):
    For Db2uCluster deployments:
     oc get db2ucluster --namespace=${PROJECT_DB2_INSTANCE}
    For Db2uInstance deployments:
    oc get db2uinstance --namespace=${PROJECT_DB2_INSTANCE} 
  2. Run the patch command to set allowSslOnly to true in the Db2 custom resource. Note that the JSON path differs between the two kinds of custom resource.
    For Db2uCluster deployments:
    kubectl patch --namespace=${PROJECT_DB2_INSTANCE} db2ucluster ${DB2U_IDENTIFIER} --type=merge --patch '{"spec":{"environment":{"database":{"ssl":{"allowSslOnly": true}}}}}'
    For Db2uInstance deployments:
    kubectl patch --namespace=${PROJECT_DB2_INSTANCE} db2uinstance ${DB2U_IDENTIFIER} --type=merge --patch '{"spec":{"environment":{"ssl":{"allowSslOnly": true}}}}'
  3. Confirm that the change has been propagated to the corresponding db2uconfig ConfigMap, that is, that DB2_ALLOW_SSL_ONLY now reads true. The ConfigMap is updated after the patch; if the value still reads false, wait and repeat the check before continuing:
    kubectl get cm --namespace=${PROJECT_DB2_INSTANCE} c-${DB2U_IDENTIFIER}-db2uconfig -o yaml | grep DB2_ALLOW_SSL_ONLY
  4. Apply the change in the Db2® pod by removing the cached environment ConfigMap and re-applying the registry variable settings (the exec targets the db2u container of the first Db2 pod):
    kubectl exec -it -c db2u --namespace=${PROJECT_DB2_INSTANCE} c-${DB2U_IDENTIFIER}-db2u-0 -- bash -lc "sudo rm -f /db2u/tmp/os_envar_configmap && apply-db2cfg-settings --setting regvar"
  5. Confirm that the Db2 or Db2 Warehouse instance now listens only on TLS by inspecting the DB2COMM registry variable (db2inst1 is the default instance user; substitute your own if it differs):
    kubectl exec -it -c db2u --namespace=${PROJECT_DB2_INSTANCE} c-${DB2U_IDENTIFIER}-db2u-0 -- sh -c "su - db2inst1 -c 'db2set DB2COMM'"
    The step is complete only when the output is exactly SSL. A value such as TCPIP,SSL means the plain TCP/IP listener is still registered and the change has not taken effect.
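The following script is an added example, not part of the IBM documentation or the Db2U operator. It wraps the verification checks from steps 3 and 5 in functions that accept only the states the procedure requires, so a scripted rollout fails fast instead of reporting "SSL" when the output was actually "TCPIP,SSL". It assumes kubectl is in PATH with a kubeconfig pointing at the cluster, that PROJECT_DB2_INSTANCE and DB2U_IDENTIFIER are exported as in the procedure, and that the instance user is the default db2inst1. The -it flags from the procedure are dropped because the commands are not run from an interactive terminal. The sample outputs used when no cluster is configured are constructed, not captured from a real deployment.

```bash
#!/usr/bin/env bash
# Added example (not IBM's code): verify that the allowSslOnly change has
# taken effect. Assumes kubectl in PATH, PROJECT_DB2_INSTANCE and
# DB2U_IDENTIFIER exported, and the default instance user db2inst1.

# Returns 0 only when DB2COMM is exactly "SSL" (case- and whitespace-
# insensitive). "TCPIP,SSL" or "TCPIP" means the non-TLS listener is
# still registered, so the procedure has not completed.
check_db2comm() {
  local value
  value=$(printf '%s' "$1" | tr -d ' \t\r\n' | tr '[:lower:]' '[:upper:]')
  [ "$value" = "SSL" ]
}

# Returns 0 only when the grep'd ConfigMap line reads DB2_ALLOW_SSL_ONLY: true
# (with or without YAML quoting). Any other line, or false, fails.
check_allow_ssl_only() {
  local line=$1 value
  case $line in
    *DB2_ALLOW_SSL_ONLY:*) ;;
    *) return 1 ;;
  esac
  value=${line#*DB2_ALLOW_SSL_ONLY:}
  value=$(printf '%s' "$value" | tr -d ' \t\r\n"'"'")
  [ "$value" = "true" ]
}

# Live check against the cluster: steps 3 and 5 of the procedure, with the
# db2u container named explicitly and no -it (non-interactive use).
verify_ssl_only() {
  local ns=$1 id=$2 cm_line comm
  cm_line=$(kubectl get cm --namespace="$ns" "c-${id}-db2uconfig" -o yaml \
            | grep DB2_ALLOW_SSL_ONLY)
  if ! check_allow_ssl_only "$cm_line"; then
    echo "ConfigMap not yet updated: ${cm_line:-<no DB2_ALLOW_SSL_ONLY line>}" >&2
    return 1
  fi
  comm=$(kubectl exec -c db2u --namespace="$ns" "c-${id}-db2u-0" \
         -- sh -c "su - db2inst1 -c 'db2set DB2COMM'")
  if ! check_db2comm "$comm"; then
    echo "DB2COMM is '${comm}', expected exactly SSL" >&2
    return 1
  fi
  echo "OK: DB2_ALLOW_SSL_ONLY=true and DB2COMM=${comm}"
}

# Offline demonstration on constructed sample outputs (not from a cluster).
demo() {
  check_allow_ssl_only '    DB2_ALLOW_SSL_ONLY: "true"' && echo "configmap true: accepted"
  check_db2comm 'SSL' && echo "DB2COMM=SSL: accepted"
  check_db2comm 'TCPIP,SSL' || echo "DB2COMM=TCPIP,SSL: rejected (non-TLS listener still on)"
}

if [ -n "${PROJECT_DB2_INSTANCE:-}" ] && [ -n "${DB2U_IDENTIFIER:-}" ] \
   && command -v kubectl >/dev/null 2>&1; then
  verify_ssl_only "$PROJECT_DB2_INSTANCE" "$DB2U_IDENTIFIER"
else
  demo
fi
```

Run it after step 4; a non-zero exit means either the ConfigMap has not picked up the patch yet (repeat step 3) or the registry still lists TCPIP (repeat step 4). Once DB2COMM reads SSL, also confirm from a client that a plain, non-TLS connection to the old port is refused and that only the TLS port is exposed by the deployment's Service, since that is the end state the procedure is meant to reach.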