Updating Db2 password for a Multi-Master cluster

The Db2 password on the computers that host the master servers in a Multi-Master cluster must be the same. After you change or reset this password at the operating system level, you must update it in IBM Security Guardium Key Lifecycle Manager as well so that IBM Security Guardium Key Lifecycle Manager can continue to connect to the Db2 database.

Before you begin

Obtain the system token before you proceed with the Db2 password update. For steps to obtain the system token, see Recovering the system by using the system token.

About this task

The password of the Db2 Administrator user must be the same as that of the Db2 data source password in WebSphere Application Server Liberty.

You need to change the Db2 password at the operating system level in accordance with the password expiration policy as defined by your organization. If the password expires, the IBM Security Guardium Key Lifecycle Manager graphical user interface displays a data-loading error. You must then reset the Db2 password and update it in IBM Security Guardium Key Lifecycle Manager. To update the password on the operating system, you must be the database instance owner on an AIX® or Linux® system, or the Local Administrator on a Windows system.

Note: The password of the Db2 Administrator user must be the same on all the master servers of the IBM Security Guardium Key Lifecycle Manager Multi-Master cluster.
During the password change process, the Multi-Master cluster operates in maintenance mode. For more information, see Maintenance mode of a Multi-Master cluster.

Procedure

On every master server (HADR and non-HADR)

  1. Set the Db2PasswordChangeActivity property in the MMConfig.properties file to true.
  2. Update the Db2 password on the operating system.

On any master server

  1. Change the Db2 data source password that is configured in WebSphere Application Server Liberty:
    • Using graphical user interface
      1. Log in to the graphical user interface.
      2. On the header bar, click SKLM User and select Change Database Password.

        SKLM User is the user name with which you logged in to the graphical user interface.

      3. In the Change Database Password window, type the new password.
      4. Click Submit.
    • Using REST interface
      1. Open a REST client.
      2. Run Update Db2 Password in Multi-Master Cluster REST Service. Specify the system token and the new password in the HTTP request when you run the REST service. For example, you can send the following HTTP request:
        curl -X PUT 'https://localhost:port/SKLM/rest/v1/ckms/changePassword/db2/multimaster' \
          -H 'accept: application/json' \
          -H 'Accept-Language: en' \
          -H 'System-Token: knp1LA4LFM/luCq2oKrVivU88m9sSWnvIrZFGSceBt8=' \
          -H 'Authorization: SKLMAuth userAuthId=237acb15-3a98-4c8e-8b0a-2cd7e09768bc' \
          -H 'Content-Type: application/json' \
          -d '{
          "newDb2Password": "SKLM@db2"
        }'
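
The request shown above carries the system token and the new Db2 password as command arguments, where they can end up in shell history and in process listings. The following added example (not IBM code) sends the same request with the headers read from an owner-only temporary file and the JSON body piped on standard input. The function names, the prompts and the use of curl 7.55.0 or later are assumptions.

```shell
#!/bin/sh
# Added example (not IBM code). Function names and prompts are assumptions.
# Needs curl 7.55.0 or later for "-H @file".

# Escape backslash and double quote for a JSON string; refuse control characters.
json_escape() {
    [ "$(printf '%s' "$1" | tr -d '[:cntrl:]')" = "$1" ] || return 1
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the request body that the REST service expects.
build_body() {
    esc=$(json_escape "$1") || return 1
    printf '{"newDb2Password": "%s"}' "$esc"
}

# Write the request headers to file $1 (token $2, userAuthId $3), owner-readable only.
write_headers() (
    umask 077
    printf '%s\n' 'accept: application/json' 'Accept-Language: en' \
        "System-Token: $2" "Authorization: SKLMAuth userAuthId=$3" \
        'Content-Type: application/json' > "$1"
)

# Prompt on stderr and read one line into SECRET without echoing it.
read_secret() {
    printf '%s: ' "$1" >&2
    stty -echo 2>/dev/null
    IFS= read -r SECRET
    stty echo 2>/dev/null
    printf '\n' >&2
}

# $1 = base URL of any master server, for example https://localhost:port
change_db2_password() {
    read_secret 'System token';     token=$SECRET
    read_secret 'userAuthId';       auth=$SECRET
    read_secret 'New Db2 password'; body=$(build_body "$SECRET") || return 1
    hdr=$(mktemp) || return 1
    write_headers "$hdr" "$token" "$auth"
    # printf is a shell builtin, so the body never appears in a process argument list.
    printf '%s' "$body" | curl --fail --silent --show-error -X PUT \
        -H @"$hdr" --data-binary @- \
        "$1/SKLM/rest/v1/ckms/changePassword/db2/multimaster"
    rc=$?
    rm -f "$hdr"
    unset SECRET token auth body
    return $rc
}
```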

On every master server (HADR and non-HADR)

  1. Set the Db2PasswordChangeActivity property in the MMConfig.properties file to false.

Results

The Db2 password is updated and the Guardium Key Lifecycle Manager server agent can connect to the Db2 database.
If updating the Db2 password for the Multi-Master cluster fails, you can update the password manually. For instructions, see Updating Db2 password for a Multi-Master cluster manually.