Setting up JDBC for user management

The Db2® Warehouse that is employed by Guardium® Insights includes OpenLDAP, which can be configured with the JDBC protocol for user management.

Before you begin

Before you can set up JDBC for user management, you must apply a Kubernetes NetworkPolicy that allows ingress to the Db2 engine pods on TCP port 50000, which is the port the JDBC connection uses. Create a YAML file similar to this example:

apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: db2-jdbc-ingress
spec:
  ingress:
  - ports:
    - port: 50000
      protocol: TCP
  podSelector:
    matchLabels:
      component: db2wh
      role: db
      type: engine
  policyTypes:
  - Ingress

Procedure

  1. Apply the file by issuing this command:
    oc apply -f <yaml_file> -n=<guardium_insights_namespace>

    where:

    • <yaml_file> is the file that you created based on the above example.
    • <guardium_insights_namespace> is the Guardium Insights OpenShift® namespace that you created when preparing your environment.
  2. To enable the JDBC connection, enable the node port service on the Db2 deployment by setting disableNodePortService to false:
    1. For the db2uInstance, issue this command:
      oc patch $(oc get guardiuminsights -oname --no-headers) -p '{"spec":{"dependency-db2":{"db2instance":{"disableNodePortService":"false"}}}}' --type=merge
    2. For the db2ucluster, issue this command:
      oc patch $(oc get guardiuminsights -oname --no-headers) -p '{"spec":{"dependency-db2":{"db2":{"disableNodePortService":"false"}}}}' --type=merge
  3. To verify and obtain the port number, run this command:
    oc get svc | grep db2

    The results should be similar to:

    c-sysqa-db2-db2u                                   ClusterIP      172.30.172.220   <none>        50000/TCP,50001/TCP,25000/TCP,25001/TCP,25002/TCP,25003/TCP,25004/TCP,25005/TCP   35h
    c-sysqa-db2-db2u-engn-svc                          NodePort       172.30.156.103   <none>        50001:32098/TCP,50000:32612/TCP                                                   35h
    c-sysqa-db2-db2u-head-engn-svc                     NodePort       172.30.110.130   <none>        50001:32356/TCP,50000:30905/TCP                                                   35h
    c-sysqa-db2-db2u-internal                          ClusterIP      None             <none>        50000/TCP,9443/TCP,50052/TCP                                                      35h
    c-sysqa-db2-etcd                                   ClusterIP      None             <none>        2379/TCP,2380/TCP                                                                 35h
    c-sysqa-db2-ldap                                   ClusterIP      172.30.188.64    <none>        50389/TCP                                                                         35h
    c-sysqa-db2-tools                                  ClusterIP      172.30.13.12     <none>        53/TCP,53/UDP                                                                     35h
    db2u-day2-ops-controller-manager-metrics-service   ClusterIP      172.30.51.243    <none>        8443/TCP                                                                          35h
    sysqa-db2-store                                    ClusterIP      172.30.254.200   <none>        30101/TCP,9093/TCP                                                                35h

    The port to use is the NodePort that is mapped to port 50000 on the c-<db2name>-engn-svc service. In the above example, that is port 32612 for c-sysqa-db2-db2u-engn-svc (the c-sysqa-db2-db2u-head-engn-svc service exposes a different NodePort and is not the one to use). See https://www.ibm.com/docs/SSQNUZ_latest/svc-db2/aese-connect.html for more information.

    If your environment is locked down (for example, by firewalls), it is recommended that you open the port that is returned by the above step, or that you allow port forwarding for the 30000-32767 range, which is the OpenShift NodePort range. Opening only the single returned port exposes less than opening the whole range.
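
As an added example that is not part of the IBM documentation, the shell functions below pick the JDBC NodePort out of the "oc get svc" output shown in step 3 and check that it falls inside the OpenShift NodePort range, so that a firewall rule can be limited to that single port. They assume the column layout shown above (service name in column 1, type in column 2, port list in column 5) and run against constructed sample output.

```shell
#!/usr/bin/env bash
# Added example (not from the IBM docs): extract the Db2 JDBC NodePort from
# `oc get svc` output and sanity-check it against the OpenShift NodePort range.
# Assumption: the column layout shown in step 3 (NAME in $1, TYPE in $2, PORT(S) in $5).

# Constructed sample, mirroring the layout of the output in step 3.
SAMPLE_SVC='c-sysqa-db2-db2u                 ClusterIP   172.30.172.220   <none>   50000/TCP,50001/TCP               35h
c-sysqa-db2-db2u-engn-svc        NodePort    172.30.156.103   <none>   50001:32098/TCP,50000:32612/TCP   35h
c-sysqa-db2-db2u-head-engn-svc   NodePort    172.30.110.130   <none>   50001:32356/TCP,50000:30905/TCP   35h
c-sysqa-db2-ldap                 ClusterIP   172.30.188.64    <none>   50389/TCP                         35h'

# db2_jdbc_nodeport <svc_output> [<target_port>]
# Prints the NodePort mapped to <target_port> (default 50000) on the *-engn-svc
# service. The *-head-engn-svc service is skipped on purpose, matching the port
# the procedure tells you to use. Returns 1 when no such mapping exists.
db2_jdbc_nodeport() {
  local svc_output=$1 target=${2:-50000}
  printf '%s\n' "$svc_output" | awk -v t="$target" '
    $1 ~ /-engn-svc$/ && $1 !~ /-head-engn-svc$/ && $2 == "NodePort" {
      n = split($5, ports, ",")
      for (i = 1; i <= n; i++) {
        split(ports[i], kv, ":")      # "50000:32612/TCP" -> kv[1]="50000", kv[2]="32612/TCP"
        if (kv[1] == t && kv[2] != "") {
          sub("/.*", "", kv[2])       # drop the "/TCP" suffix
          print kv[2]; found = 1; exit
        }
      }
    }
    END { exit found ? 0 : 1 }'
}

# in_nodeport_range <port>: true when <port> lies in the default OpenShift
# NodePort range 30000-32767 named in the procedure.
in_nodeport_range() {
  [ "$1" -ge 30000 ] && [ "$1" -le 32767 ]
}

# Usage: report the one port a firewall rule needs to allow.
port=$(db2_jdbc_nodeport "$SAMPLE_SVC") && in_nodeport_range "$port" \
  && echo "JDBC NodePort to open: $port"
```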

What to do next

After you enable JDBC for user management as described above, follow the Db2 instructions for managing users in LDAP at https://www.ibm.com/docs/en/db2/11.5?topic=ldap-managing-users.