Db2 SSL certificate
After you upgrade your Db2® source or target databases, you must take steps to ensure that the correct Secure Sockets Layer (SSL) certificates are in place at the source and target databases and that the trust target certificate process is run.
About this task
- To ensure SSL security for a new installation, see Console certificate.
- If you are upgrading the Db2 common container from v11.5.4-CN2 to v11.5.5.1, the replication web console does not open on the upgraded source or target system because of a problem with the SSL certificate exchange. Follow this workaround to address the problem.
Procedure
- If both source and target are at IAS 1.0.25.0 (Db2 v11.5.5.1) and newer
- Ensure that the file rootCA.pem exists at /mnt/blumeta0/db2/ssl_keystore on both the source and target systems.
- Run the bludr-configure-certs.sh script on the source system.
- The script is packaged with Db2 11.5.5.
- You must run the script under the dsadm user ID.
- If you are enabling replication for the first time, the script asks for a database user ID and password for both the source and target.
The format of the command to run the script is as follows:
/opt/ibm/bludr/scripts/bin/bludr-configure-certs.sh source_hostname target_hostname
- source_hostname: The fully qualified host name of the source. This name should match the CN in the HTTPS certificate.
- target_hostname: The fully qualified host name of the target. This name should match the CN in the HTTPS certificate.
The script asks if you want to trust or not. Always enter Y.
The script exchanges the Db2 SSL certificates between source and target so that the replication source can access the target Db2 database. It also restarts the replication REST servers on the source and target so that the changes take effect.
- If both source and target are at IAS 1.0.24.0 (Db2 v11.5.5.0)
- Ensure that the file rootCA.pem exists at /mnt/blumeta0/db2/ssl_keystore on both the source and target systems.
- Run the bludr-configure-certs.sh script on the source system.
- The script is packaged with Db2 11.5.5.
- You must run the script under the dsadm user ID.
The format of the command to run the script is as follows:
/opt/ibm/bludr/scripts/bin/bludr-configure-certs.sh source_hostname source_username source_password target_hostname target_username target_password trust/notrust
- source_hostname: The fully qualified host name of the source. This name should match the CN in the HTTPS certificate.
- target_hostname: The fully qualified host name of the target. This name should match the CN in the HTTPS certificate.
- trust/notrust: You can always use the trust option.
The script exchanges the Db2 SSL certificates between source and target so that the replication source can access the target Db2 database. It also restarts the replication REST servers on the source and target so that the changes take effect.
- If either source or target is at IAS 1.0.23.2 (Db2 v11.5.4.0-CN2) or IAS 1.0.23.1 (Db2 v11.5.4.0-CN1)
- Ensure that a valid Db2 SSL certificate is in the source and target keystores and that the rootCA.pem file is in the /mnt/blumeta0/db2/ssl_keystore directory.
- Import the source Db2 SSL certificate in /mnt/blumeta0/db2/ssl_keystore/rootCA.pem into the source replication trust store.
- Import the target Db2 SSL certificate into the target system Db2 SSL keystore, replication trust store, and DSWEB JDK trust store.
- Copy the target certificate rootCA.pem that is located at /mnt/blumeta0/db2/ssl_keystore to the source server and place it at the location ${BLUDR_SHARED_DIR}/certificates in the format rootCA_target_hostname.pem.
- Copy the source certificate rootCA.pem that is located at /mnt/blumeta0/db2/ssl_keystore to the target server and place it at the location ${BLUDR_SHARED_DIR}/certificates in the format rootCA_source_hostname.pem.
- On both the source and target systems, download the bludr-add-db2-sslcert.sh script file from the IBM® support site. The script imports the certificate for a specific hostname located at ${BLUDR_SHARED_DIR}/certificates in the format rootCA_hostname.pem into the local DB2® client keystore and the replication keystore.
- Save the script file to the /opt/ibm/bludr/scripts/bin directory inside the Db2 container. The directory is owned by dsadm:db2iadm1 with permission bits 640.
- Run the script on the source, providing the target hostname. The syntax is as follows:
/opt/ibm/bludr/scripts/bin/bludr-add-db2-sslcert.sh target-hostname
- Run the script on the target, providing the source hostname. The syntax is as follows:
/opt/ibm/bludr/scripts/bin/bludr-add-db2-sslcert.sh source-hostname
- If you are running the script on the source, restart the replication REST server on the source system. If you are running the script on the target, restart the replication REST server on the target system.
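A pre-flight check for the steps above, added here as an example and not part of IBM's documentation or the bludr scripts: it confirms that rootCA.pem is present and is a PEM certificate, that a copy placed under ${BLUDR_SHARED_DIR}/certificates for the manual exchange carries the rootCA_hostname.pem name, and that the CN of the HTTPS certificate equals the fully qualified host name you will pass to the script; it also prints a SHA-256 fingerprint so the two administrators can compare a copied certificate with the original. The location of the HTTPS certificate and the host names are assumptions supplied by the caller.

```sh
#!/bin/sh
# Pre-flight checks before the Db2 replication certificate exchange. Added example,
# not part of the bludr scripts; only the rootCA.pem path and the rootCA_<host>.pem
# naming come from the documented procedure, everything else is supplied by the caller.

# 0 if the file exists and contains a PEM certificate block
is_pem_cert() { [ -f "$1" ] && grep -q 'BEGIN CERTIFICATE' "$1"; }

# 0 if <keystore_dir>/rootCA.pem is present, as required on both systems
check_root_ca() {
  is_pem_cert "$1/rootCA.pem" || { echo "missing or not PEM: $1/rootCA.pem"; return 1; }
}

# Name the peer's rootCA.pem must carry under ${BLUDR_SHARED_DIR}/certificates
peer_cert_name() { printf 'rootCA_%s.pem\n' "$1"; }

# 0 if the peer certificate is in <shared_dir>/certificates under that name
check_copied_cert() {
  copy="$1/certificates/$(peer_cert_name "$2")"
  is_pem_cert "$copy" || { echo "missing or not PEM: $copy"; return 1; }
}

# SHA-256 fingerprint of a certificate; compare it with the value read from the
# original rootCA.pem on the peer before trusting the copy (needs the openssl CLI)
cert_fingerprint() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 1; }
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# 0 if the subject CN of <pem> equals <fqdn>, the name passed to
# bludr-configure-certs.sh; the HTTPS certificate path is the caller's to supply
check_cn_matches() {
  pem="$1"; fqdn="$2"
  command -v openssl >/dev/null 2>&1 || { echo "openssl not found"; return 1; }
  cn=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null \
       | sed -n 's/.*CN=\([^,]*\).*/\1/p')
  [ -n "$cn" ] || { echo "no CN found in $pem"; return 1; }
  [ "$cn" = "$fqdn" ] || { echo "CN '$cn' does not match '$fqdn'"; return 1; }
}

# Run everything one system needs before the script is invoked against it. The
# peer copy check applies only to the manual exchange; pass an empty peer_fqdn to skip it.
preflight() {
  keystore_dir="$1"; https_cert="$2"; own_fqdn="$3"; shared_dir="$4"; peer_fqdn="$5"
  check_root_ca "$keystore_dir" || return 1
  check_cn_matches "$https_cert" "$own_fqdn" || return 1
  [ -z "$peer_fqdn" ] || check_copied_cert "$shared_dir" "$peer_fqdn"
}
```

On a source system using the documented paths, run it as `preflight /mnt/blumeta0/db2/ssl_keystore /path/to/https-cert.pem source_fqdn "$BLUDR_SHARED_DIR" target_fqdn` and fix every reported line before running bludr-configure-certs.sh.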
- If either source or target is at IAS 1.0.23.0 (Db2 v11.5.4)