Creating the Db2 instance by using the stand-alone Db2U operator
You can create an IBM® Db2® instance that uses the stand-alone Db2U operator from the Red Hat® OpenShift® console or from the CLI.
- This task maps to the following Ansible role: db2. For more information, see IBM Maximo Application Suite installation with Ansible collection.
- When you install Db2 on IBM Cloud® and use IBM File Storage for IBM Cloud, follow the steps that are outlined in the following topic to enable no_root_squash. For more information, see Configuring IBM Cloud File Storage.
Before you begin
If your environment needs to be compliant with Federal Information Processing Standard (FIPS), in IBM Maximo Application Suite 8.10.1 or later, you must install a new instance of Db2 inside a Red Hat OpenShift cluster that is enabled for FIPS. The IPsec encryption must be enabled when you install the cluster, and the JDBC configuration must use the non-SSL connection.
For more information, see IPsec encryption configuration.
sh-4.4$ java -Dsemeru.fips=true Ciphers
Default Cipher
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Installing by using the Red Hat OpenShift Container Platform web console
Procedure
- In the banner, click Import YAML. Enter the following YAML:
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-ca-issuer"
      namespace: "db2u"
    spec:
      selfSigned: {}
- Click Create to provision the self-signed CA certificate issuer.
- In the banner, click Import YAML. Enter the following YAML:
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-ca-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-ca"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-ca-issuer"
        kind: Issuer
      isCA: true
      keyAlgorithm: rsa
      keySize: 4096
      keyEncoding: pkcs8
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
      commonName: "ca.db2u"
      organization:
        - "IBM Maximo Application Suite"
      subject:
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
- Click the Create button to provision the self-signed CA certificate for Db2.
- In the banner, click Import YAML. Enter the following YAML. This YAML creates the Db2 server certificate issuer. This issuer references the secret that is created from the CA certificate issuer in the previous step.
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-issuer"
      namespace: "db2u"
    spec:
      ca:
        secretName: "db2u-ca"
- Verify that the secret db2u-ca exists, then click Create.
- In the banner, click Import YAML. Enter the following YAML:
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-certificate"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-issuer"
        kind: Issuer
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
      commonName: "db2u"
      dnsNames:
        - "db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "*.db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "c-db2u-manage-db2u-engn-svc.db2u.svc"
        - "*.c-db2u-manage-db2u-engn-svc.db2u.svc"
      organization:
        - "IBM Maximo Application Suite"
      subject:
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
  Note: For the DNS names, include the svc and routes that are used. Replace them with real environment information:
    {{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    *.{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
    *.c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
- Click the Create button to create the Db2 server certificate.
- In the banner, click Import YAML. Enter the following YAML:
    ---
    apiVersion: db2u.databases.ibm.com/v1
    kind: Db2uCluster
    metadata:
      name: "db2u-manage"
      namespace: "db2u"
    spec:
      account:
        privileged: true
      addOns:
        graph:
          enabled: false
        rest:
          enabled: false
      version: "11.5.7.0-cn4"
      size: 1
      environment:
        dbType: db2wh
        database:
          name: "BLUDB"
          settings:
            dftTableOrg: "ROW"
          ssl:
            secretName: "db2u-certificate"
            certLabel: "CN=db2u"
        instance:
          registry:
            DB2_4K_DEVICE_SUPPORT: "ON"
            DB2AUTH: 'OSAUTHDB,ALLOW_LOCAL_FALLBACK,PLUGIN_AUTO_RELOAD'
            DB2_FMP_RUN_AS_CONNECTED_USER: 'NO'
            DB2_WORKLOAD: MAXIMO
        mln:
          total: 1
      license:
        accept: true
      podConfig:
        db2u:
          resource:
            db2u:
              requests:
                cpu: "2"
                memory: "12Gi"
              limits:
                cpu: "6"
                memory: "18Gi"
      storage:
        - name: meta
          type: create
          spec:
            storageClassName: "ocs-storagecluster-cephfs"
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "100Gi"
        - name: data
          type: template
          spec:
            storageClassName: "ocs-storagecluster-ceph-rbd"
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "500Gi"
        - name: backup
          type: create
          spec:
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "500Gi"
            storageClassName: "ocs-storagecluster-cephfs"
        - name: activelogs
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
        - name: tempts
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
- Click the Create button to create the db2ucluster CR instance.
- Verify that the db2ucluster is created successfully.
  On the Home > Search page, select the db2u project and search for resource type Db2uCluster. Filter the service name keyword with db2u-manage. Then, click its details and wait until it is in Ready state. The process might take 10 minutes to complete.
- Check the Db2 instance login, URL, password and ca.crt information.
  Check the internal service.
  On the Home > Search page, select the db2u project and search for resource type Service. Filter the service name keyword with db2u-engn-svc. In the search results, it shows the service name similar to c-db2wh-xxxx-db2u-engn-svc.
  Inside the cluster, the JDBC URL is:
    jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;
  Note: The name for the Db2 instance is the one provided in the db2ucluster YAML file. It is not a generated instance name.
  When you install Maximo Application Suite 8.10 or later in a FIPS-enabled Red Hat OpenShift cluster, configure the JDBC URL to use a non-SSL connection.
  - Edit the JdbcConfig file from Administration > CustomResourceDefinitions and search JdbcCfg.
  - Change sslEnabled to false.
  - Change url to use the non-ssl port.
  Check the Db2 instance password for default Db2 user db2inst1.
  Click Home > Search, select the db2u project and search for resource type Secret. Filter the service name keyword with -instancepassword. In the search results, it shows the service name similar to c-db2u-manage-instancepassword. Then, reveal its password.
  The JDBC user and password that is used to access the Db2 instance is:
    user: db2inst1
    password: xxx
  Note: Consider the Authentication options for Db2U when you are working with Db2 user authentication.
  Check the internal TLS that is used for JDBC SSL access:
  Click Home > Search, select the db2u project and search for resource type Secret. Filter the service name keyword with db2u-certificate. Then, reveal its ca.crt.
Installing by using the Red Hat OpenShift command-line interface (CLI)
Procedure
- Create a Db2U Operator catalog YAML file called db2catalog.yaml.
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-db2uoperator-catalog
      namespace: openshift-marketplace
    spec:
      sourceType: grpc
      image: icr.io/cpopen/ibm-db2uoperator-catalog:latest
      imagePullPolicy: Always
      displayName: IBM Db2U Catalog
      publisher: IBM
      updateStrategy:
        registryPoll:
          interval: 45m
- Apply the db2catalog.yaml file to the Red Hat OpenShift cluster.
    oc apply -f db2catalog.yaml
- Verify the catalog source status:
    oc get catalogsource -n openshift-marketplace ibm-db2uoperator-catalog -o jsonpath='{.status.connectionState.lastObservedState} {"\n"}'
- Create a namespace called db2u:
    oc new-project db2u
- Create the OperandRequest YAML file db2u-operator.yaml to install the Db2u Operator:
    ---
    apiVersion: operator.ibm.com/v1alpha1
    kind: OperandRequest
    metadata:
      name: db2u-request
      namespace: "db2u"
    spec:
      requests:
        - operands:
            - name: ibm-db2u-operator
          registry: common-service
          registryNamespace: ibm-common-services
- Apply the db2u-operator.yaml file to the Red Hat OpenShift cluster.
    oc apply -f db2u-operator.yaml
- Verify the Db2U operator is created and running successfully:
    oc get sub -n ibm-common-services ibm-db2u-operator -o jsonpath='{.status.installedCSV} {"\n"}'
  Sample output:
    db2u-operator.v1.1.13
    oc get csv -n ibm-common-services db2u-operator.v1.1.13 -o jsonpath='{ .status.phase } : {.status.message} {"\n"}'
  Sample output:
    Succeeded : install strategy completed with no errors
    oc get deployments -n ibm-common-services db2u-operator-manager -o jsonpath="{.status.availableReplicas} {'\n'}"
  Sample output:
    1
- To provision the self-signed CA certificate issuer, create a CA Issuer YAML file called caissuer.yaml.
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-ca-issuer"
      namespace: "db2u"
    spec:
      selfSigned: {}
- Apply the caissuer.yaml file to the Red Hat OpenShift cluster.
    oc apply -f caissuer.yaml
- To provision the self-signed CA certificate for Db2, create a CA certificate YAML file called cacert.yaml.
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-ca-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-ca"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-ca-issuer"
        kind: Issuer
      isCA: true
      keyAlgorithm: rsa
      keySize: 4096
      keyEncoding: pkcs8
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
      commonName: "ca.db2u"
      organization:
        - "IBM Maximo Application Suite"
      subject:
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
- Verify that the CA certificate is created successfully.
    oc get certificates -n db2u
    NAME                  READY   SECRET    AGE   EXPIRATION
    db2u-ca-certificate   True    db2u-ca   26s   2042-05-04T08:26:02Z
- Create the YAML file issuer.yaml to create the Db2 server certificate issuer. This issuer references the secret that is created from the CA certificate issuer in the preceding step.
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-issuer"
      namespace: "db2u"
    spec:
      ca:
        secretName: "db2u-ca"
- Apply the issuer.yaml to the Red Hat OpenShift cluster.
    oc apply -f issuer.yaml
- Create the YAML file certificate.yaml to provision the Db2 server certificate:
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-certificate"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-issuer"
        kind: Issuer
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
      commonName: "db2u"
      dnsNames:
        - "db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "*.db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "c-db2u-manage-db2u-engn-svc.db2u.svc"
        - "*.c-db2u-manage-db2u-engn-svc.db2u.svc"
      organization:
        - "IBM Maximo Application Suite"
      subject:
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
  Note: For the DNS names, include the svc and routes that are used. Replace them with real environment information:
    {{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    *.{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
    *.c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
- Apply the certificate.yaml to the Red Hat OpenShift cluster.
    oc apply -f certificate.yaml
- Create the YAML file db2cluster.yaml to create the Db2 cluster:
    ---
    apiVersion: db2u.databases.ibm.com/v1
    kind: Db2uCluster
    metadata:
      name: "db2u-manage"
      namespace: "db2u"
    spec:
      account:
        privileged: true
      addOns:
        graph:
          enabled: false
        rest:
          enabled: false
      version: "11.5.7.0-cn4"
      size: 1
      environment:
        dbType: db2wh
        database:
          name: "BLUDB"
          settings:
            dftTableOrg: "ROW"
          ssl:
            secretName: "db2u-certificate"
            certLabel: "CN=db2u"
        instance:
          registry:
            DB2_4K_DEVICE_SUPPORT: "ON"
            DB2AUTH: 'OSAUTHDB,ALLOW_LOCAL_FALLBACK,PLUGIN_AUTO_RELOAD'
            DB2_FMP_RUN_AS_CONNECTED_USER: 'NO'
            DB2_WORKLOAD: MAXIMO
        mln:
          total: 1
      license:
        accept: true
      podConfig:
        db2u:
          resource:
            db2u:
              requests:
                cpu: "2"
                memory: "12Gi"
              limits:
                cpu: "6"
                memory: "18Gi"
      storage:
        - name: meta
          type: create
          spec:
            storageClassName: "ocs-storagecluster-cephfs"
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "100Gi"
        - name: data
          type: template
          spec:
            storageClassName: "ocs-storagecluster-ceph-rbd"
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "500Gi"
        - name: backup
          type: create
          spec:
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "500Gi"
            storageClassName: "ocs-storagecluster-cephfs"
        - name: activelogs
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
        - name: tempts
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
- Apply the db2cluster.yaml to the Red Hat OpenShift cluster.
    oc apply -f db2cluster.yaml
- Verify the Db2U cluster status:
    oc get db2ucluster -n db2u db2u-manage -o jsonpath='{.status.state} {"\n"}'
- Check the Db2 instance login, URL, and password.
  Check the internal service:
    oc get svc -n db2u | grep -i engn-svc
  Sample output:
    c-db2u-manage-db2u-engn-svc   NodePort   172.30.120.206   <none>   50000:30601/TCP,50001:30036/TCP
  Inside the cluster, the JDBC URL is:
    jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;
  Note: db2u-manage is the instance name for the Db2 instance.
  When you install Maximo Application Suite 8.10 or later in a FIPS-enabled Red Hat OpenShift cluster, configure the JDBC URL to use a non-SSL connection.
  - Edit the JdbcConfig file from Administration > CustomResourceDefinitions and search JdbcCfg.
  - Change sslEnabled to false.
  - Change url to use the non-ssl port.
  Check the Db2 instance password for default Db2 user db2inst1:
    oc extract secret/c-db2u-manage-instancepassword -n db2u --keys=password --to=-
  Sample output:
    # password
    PcJ1fKYfFdA5AtA
  The JDBC user and password that is used to access the Db2 instance is:
    user: db2inst1
    password: PcJ1fKYfFdA5AtA
  Check the ca.crt used to connect the JDBC SSL port:
    oc extract secret/db2u-certificate -n db2u --keys=ca.crt --to=-
  Sample output: the PEM-encoded CA certificate (ca.crt).
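The Note on DNS names and the in-cluster JDBC URL above can be checked against each other before the certificate is requested: a client that validates host names rejects a server certificate whose dnsNames do not cover the host in the URL. The following POSIX shell check is an added example, not part of the IBM documentation; the function names are hypothetical and the sample values are the example names used on this page.

```shell
#!/bin/sh
# Added example: confirm that the host in a Db2 JDBC URL is covered by the
# dnsNames built from the Note's template. Function names are hypothetical.

# Print the four dnsNames from the Note's template, one per line.
render_dns_names() {  # args: instance namespace cluster_subdomain
    printf '%s\n' \
        "$1-$2.$3" \
        "*.$1-$2.$3" \
        "c-$1-db2u-engn-svc.$2.svc" \
        "*.c-$1-db2u-engn-svc.$2.svc"
}

# Extract the lower-cased host from jdbc:db2://host:port/db[:props]
jdbc_host() {
    rest=${1#jdbc:db2://}
    [ "$rest" != "$1" ] || return 1          # not a Db2 JDBC URL
    hostport=${rest%%/*}
    printf '%s\n' "${hostport%%:*}" | tr '[:upper:]' '[:lower:]'
}

# Return 0 if the host matches one name read from stdin. A leading "*."
# matches exactly one left-most label, as in TLS host name verification.
san_covers() {  # arg: host
    host=$1
    while IFS= read -r san; do
        san=$(printf '%s' "$san" | tr '[:upper:]' '[:lower:]')
        case $san in
            '*.'*)
                suffix=${san#\*}             # e.g. ".c-x-db2u-engn-svc.ns.svc"
                label=${host%"$suffix"}
                [ "$label" != "$host" ] || continue
                case $label in ''|*.*) continue ;; esac
                return 0 ;;
            *) [ "$san" = "$host" ] && return 0 ;;
        esac
    done
    return 1
}

# Returns 0 = covered, 1 = not covered, 2 = URL not recognised.
check_jdbc_url() {  # args: url instance namespace cluster_subdomain
    h=$(jdbc_host "$1") || return 2
    render_dns_names "$2" "$3" "$4" | san_covers "$h"
}

# Sample values taken from the example names on this page.
check_jdbc_url 'jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;' \
    db2u-manage db2u apps.cluster1.example-cluster.com && echo "JDBC host is covered by dnsNames"
```

A URL that uses the fully qualified service name ending in .svc.cluster.local returns 1 with this template, because none of the four names covers it.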