Console certificate

To replicate data, the source and target machines must present valid signed security certificates for secure interaction with each other.

If a signed certificate is already available, you can start with Uploading a certificate.

If no valid signed certificate is available, you can generate a self-signed certificate.

Generating a self-signed certificate

To generate a self-signed certificate for each server, follow these steps:

  1. Issue the following command to generate the certificate (certificate.pem) and key (key.pem) files:
    openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem

    You are prompted for the following information (shown below with example entries):

    Country Name (2 letter code) []: CA
    State or Province Name (full name) []: ON
    Locality Name (eg, city) []: Toronto
    Organization Name (eg, company) []: IBM
    Organizational Unit Name (eg, section) []: Analytics
    Common Name (eg, fully qualified host name) []: myserver.ibm.com
    Email Address []:email@ca.ibm.com

    Common Name (CN): Enter the fully qualified virtual hostname or IP address of the system that replication will use. If a private network is used for replication, the virtual hostname or IP address should be that of the private network.

    You can find a list of country codes here.

  2. Convert the certificate file into a new file (cert.p12) in the PKCS #12 format, which the web console accepts. Provide a password for this file when prompted.
    openssl pkcs12 -export -in certificate.pem -inkey key.pem -out cert.p12
  3. Repeat the steps on the other server, using its Common Name.
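
The steps above as a non-interactive script with checks to run before uploading, given as an added example that is not part of the original page or the product's tooling. The function names make_cert and check_cert, the sample subject fields, the 30-day expiry margin, and the P12_PASS environment variable are assumptions.

```shell
#!/bin/sh
# Added example (not product code). Assumed names: make_cert, check_cert, P12_PASS.
# Usage: export P12_PASS=...; make_cert DIR HOST && check_cert DIR HOST

# make_cert DIR CN: steps 1-2 without prompts; writes key.pem,
# certificate.pem and cert.p12 into DIR. Subject fields are sample values.
make_cert() {
    dir=$1 cn=$2
    (
        umask 077   # -nodes leaves key.pem unencrypted, so keep it owner-only
        cd "$dir" || exit 1
        openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
            -out certificate.pem \
            -subj "/C=CA/ST=ON/L=Toronto/O=Example/CN=$cn" 2>/dev/null || exit 1
        # env: keeps the password out of the process argument list
        openssl pkcs12 -export -in certificate.pem -inkey key.pem \
            -out cert.p12 -passout env:P12_PASS
    )
}

# check_cert DIR CN: returns 0 only if the three files agree with each other
# and with the host name that replication will use.
check_cert() {
    dir=$1 cn=$2 pem=$1/certificate.pem
    # 1. Common Name equals the replication host name
    subj=$(openssl x509 -in "$pem" -noout -nameopt RFC2253 -subject) || return 1
    case $subj in
        *"CN=$cn,"* | *"CN=$cn") ;;
        *) echo "CN mismatch: $subj" >&2; return 1 ;;
    esac
    # 2. Not expiring within 30 days (assumed margin)
    openssl x509 -in "$pem" -noout -checkend 2592000 >/dev/null ||
        { echo "certificate expires within 30 days" >&2; return 1; }
    # 3. key.pem is the private key for certificate.pem
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "key.pem does not match certificate.pem" >&2; return 1; }
    # 4. cert.p12 opens with the password and carries the same certificate
    fp_pem=$(openssl x509 -in "$pem" -noout -fingerprint -sha256)
    fp_p12=$(openssl pkcs12 -in "$dir/cert.p12" -passin env:P12_PASS -nokeys \
        2>/dev/null | openssl x509 -noout -fingerprint -sha256 2>/dev/null) ||
        fp_p12=
    [ "$fp_pem" = "$fp_p12" ] ||
        { echo "cert.p12 unreadable or holds another certificate" >&2; return 1; }
}
```

Run check_cert on each server with that server's own Common Name; a non-zero return means the file set should be regenerated before upload.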

Uploading a certificate

Follow these steps to upload each certificate to its respective console.

  1. Log on to the UI console as an administrator.
  2. Click Settings > System Settings.
    [Figure: IIAS web console menu showing Settings > System Settings]
  3. Click the toggle button for Enable user provided certificate.
  4. Click Select a certificate file (PKCS #12) and browse to the certificate file (cert.p12 in the example above).
    [Figure: Area on console for enabling user-provided certificates and browsing to certificate file]
  5. Select the certificate file, click Open in the browse window, and provide the password when prompted. Click Apply.

    The server restarts and begins using your new certificate.

Updating the Db2 SSL certificate

You must ensure that the correct Db2 Secure Sockets Layer (SSL) certificates are in place at the source and target databases. This step is also required any time that you upgrade the Db2 container at the source or target. See Db2 SSL certificate for details.