The Db2® Warehouse that is employed by Guardium® Insights includes OpenLDAP, which can be configured with the JDBC protocol for user management.
Before you begin
Before you can set up JDBC for user management, you must apply a YAML file that enables the connection. Create a YAML file similar to this example:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db2-jdbc-ingress
spec:
  ingress:
  - ports:
    - port: 50000
      protocol: TCP
  podSelector:
    matchLabels:
      component: db2wh
      role: db
      type: engine
  policyTypes:
  - Ingress
Procedure
- Apply the file by issuing this command:
  oc apply -f <yaml_file> -n=<guardium_insights_namespace>
  where:
  <yaml_file> is the file that you created based on the above example.
  <guardium_insights_namespace> is the Guardium Insights OpenShift® namespace that you created when preparing your environment.
- To enable the JDBC connection, enable the node port service (nodeportservice) on the Db2 deployment:
  - For the db2uInstance, issue this command:
    oc patch $(oc get guardiuminsights -oname --no-headers) -p '{"spec":{"dependency-db2":{"db2instance":{"disableNodePortService":"false"}}}}' --type=merge
  - For the db2ucluster, issue this command:
    oc patch $(oc get guardiuminsights -oname --no-headers) -p '{"spec":{"dependency-db2":{"db2":{"disableNodePortService":"false"}}}}' --type=merge
- To verify and obtain the port number, run this command:
  oc get svc | grep db2
  The results should be similar to:
c-sysqa-db2-db2u ClusterIP 172.30.172.220 <none> 50000/TCP,50001/TCP,25000/TCP,25001/TCP,25002/TCP,25003/TCP,25004/TCP,25005/TCP 35h
c-sysqa-db2-db2u-engn-svc NodePort 172.30.156.103 <none> 50001:32098/TCP,50000:32612/TCP 35h
c-sysqa-db2-db2u-head-engn-svc NodePort 172.30.110.130 <none> 50001:32356/TCP,50000:30905/TCP 35h
c-sysqa-db2-db2u-internal ClusterIP None <none> 50000/TCP,9443/TCP,50052/TCP 35h
c-sysqa-db2-etcd ClusterIP None <none> 2379/TCP,2380/TCP 35h
c-sysqa-db2-ldap ClusterIP 172.30.188.64 <none> 50389/TCP 35h
c-sysqa-db2-tools ClusterIP 172.30.13.12 <none> 53/TCP,53/UDP 35h
db2u-day2-ops-controller-manager-metrics-service ClusterIP 172.30.51.243 <none> 8443/TCP 35h
sysqa-db2-store ClusterIP 172.30.254.200 <none> 30101/TCP,9093/TCP 35h
  The port number to use is the NodePort that is listed for the c-<db2name>-engn-svc service (the node port that is mapped to port 50000). In the above example, port number 32612 for c-sysqa-db2-db2u-engn-svc is the correct one to use (see https://www.ibm.com/docs/SSQNUZ_latest/svc-db2/aese-connect.html for more information).
If your environment is locked down (for example, by firewalls), it is recommended that you open the port that is returned from the above step, or that you allow port forwarding for the 30000-32767 range (the OpenShift NodePort range).
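The following POSIX shell script is an added example, not part of the IBM documentation, that automates the port lookup from the verification step above and the range check that the firewall recommendation relies on. The function names engn_nodeport and in_nodeport_range are hypothetical, and the service listing embedded in SAMPLE_SVC_OUTPUT is constructed sample data shaped like the example output shown above; against a real cluster you would pass the output of oc get svc instead. The script refuses to return a port when the service is missing, is not of type NodePort, or has no mapping for Db2 port 50000, so a firewall rule is never opened for a wrongly chosen value.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): find the NodePort that maps to
# Db2 port 50000 on the c-<db2name>-engn-svc service, using the text that
# "oc get svc" prints. Everything below is constructed sample data.

SAMPLE_SVC_OUTPUT='NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
c-sysqa-db2-db2u ClusterIP 172.30.172.220 <none> 50000/TCP,50001/TCP 35h
c-sysqa-db2-db2u-engn-svc NodePort 172.30.156.103 <none> 50001:32098/TCP,50000:32612/TCP 35h
c-sysqa-db2-db2u-head-engn-svc NodePort 172.30.110.130 <none> 50001:32356/TCP,50000:30905/TCP 35h
c-sysqa-db2-ldap ClusterIP 172.30.188.64 <none> 50389/TCP 35h'

# engn_nodeport SVC_TEXT SERVICE_NAME [TARGET_PORT]
# Prints the NodePort mapped to TARGET_PORT (default 50000) on SERVICE_NAME.
# Returns 1 (and prints a reason on stderr) when the service is absent, is not
# a NodePort service, or has no mapping for TARGET_PORT.
engn_nodeport() {
    svc_text=$1
    svc_name=$2
    target=${3:-50000}

    # Match the NAME column exactly; the header line and partial matches
    # such as the "-head-engn-svc" service are therefore ignored.
    line=$(printf '%s\n' "$svc_text" | awk -v n="$svc_name" '$1 == n')
    [ -n "$line" ] || { echo "service $svc_name not found" >&2; return 1; }

    svc_type=$(printf '%s\n' "$line" | awk '{ print $2 }')
    [ "$svc_type" = "NodePort" ] || {
        echo "service $svc_name is $svc_type, not NodePort" >&2; return 1; }

    # The PORT(S) column looks like 50001:32098/TCP,50000:32612/TCP:
    # split on commas, then on ":" and "/" to pair target port with node port.
    ports=$(printf '%s\n' "$line" | awk '{ print $5 }')
    node_port=$(printf '%s\n' "$ports" | tr ',' '\n' \
        | awk -F'[:/]' -v t="$target" '$1 == t { print $2 }')
    [ -n "$node_port" ] || {
        echo "no NodePort mapping for $target on $svc_name" >&2; return 1; }
    printf '%s\n' "$node_port"
}

# in_nodeport_range PORT
# Succeeds only for an integer inside the OpenShift NodePort range 30000-32767,
# the range the documentation says a locked-down environment may forward.
in_nodeport_range() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 30000 ] && [ "$1" -le 32767 ]
}

# Stand-alone usage against the constructed sample. On a real cluster:
#   port=$(engn_nodeport "$(oc get svc)" "c-${DB2NAME}-engn-svc")
port=$(engn_nodeport "$SAMPLE_SVC_OUTPUT" c-sysqa-db2-db2u-engn-svc) || exit 1
if in_nodeport_range "$port"; then
    echo "open firewall for NodePort $port (maps to Db2 port 50000)"
else
    echo "port $port is outside the NodePort range; not opening it" >&2
fi
```

Passing the raw oc get svc output rather than a grep-filtered one is deliberate: the exact-name match selects the right row on its own, and the type check catches the case where the node port service was never enabled and only the ClusterIP services exist.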
What to do next
After enabling JDBC for user management above, follow the instructions for managing users in
https://www.ibm.com/docs/en/db2/11.5?topic=ldap-managing-users.