Creating the Db2 instance by using the stand-alone Db2U operator

You can create an IBM® Db2® instance that uses the stand-alone Db2U operator from the Red Hat® OpenShift® console or from the CLI.

Before you begin

If your environment needs to be compliant with Federal Information Processing Standard (FIPS), in IBM Maximo Application Suite 8.10.1 or later, you must install a new instance of Db2 inside a Red Hat OpenShift cluster that is enabled for FIPS. The IPsec encryption must be enabled when you install the cluster, and the JDBC configuration must use the non-SSL connection.

For more information, see IPsec encryption configuration.

If you are planning to install Maximo Application Suite, ensure the following default ciphers for Java™ are supported when you enable FIPS.

    sh-4.4$ java -Dsemeru.fips=true Ciphers
    Default Cipher
    * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    * TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    * TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    * TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    * TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    * TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
    * TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    * TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
    * TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384

Installing by using the Red Hat OpenShift Container Platform web console

Procedure

  1. In the banner, click Import YAML (Plus icon). Enter the following YAML:
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-ca-issuer"
      namespace: "db2u"
    spec:
      selfSigned: {}
    
  2. Click Create to provision the self-signed CA certificate issuer.
  3. In the banner, click Import YAML (Plus icon). Enter the following YAML:
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-ca-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-ca"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-ca-issuer"
        kind: Issuer
    
      isCA: true
      # cert-manager.io/v1 takes the key settings under privateKey
      privateKey:
        algorithm: RSA
        size: 4096
        encoding: PKCS8
    
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
    
      commonName: "ca.db2u"
      subject:
        # cert-manager.io/v1 takes the organization under subject.organizations
        organizations:
          - "IBM Maximo Application Suite"
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
    
  4. Click the Create button to provision the self-signed CA certificate for Db2.
  5. In the banner, click Import YAML (Plus icon). Enter the following YAML. This YAML creates the Db2 server certificate issuer. This issuer references the secret that is created from the CA certificate issuer in the previous step.
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-issuer"
      namespace: "db2u"
    spec:
      ca:
        secretName: "db2u-ca"
    
  6. Verify that the secret db2u-ca exists, then click Create.
  7. In the banner, click Import YAML (Plus icon). Enter the following YAML:
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-certificate"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-issuer"
        kind: Issuer
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
      commonName: "db2u"
      dnsNames:
        - "db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "*.db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "c-db2u-manage-db2u-engn-svc.db2u.svc"
        - "*.c-db2u-manage-db2u-engn-svc.db2u.svc"
      subject:
        # cert-manager.io/v1 takes the organization under subject.organizations
        organizations:
          - "IBM Maximo Application Suite"
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
    
    Note: For the DNS names, include the svc and routes that are used. Replace them with real environment information:
    • {{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    • *.{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    • c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
    • *.c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
  8. Click the Create button to create the Db2 server certificate.
  9. In the banner, click Import YAML (Plus icon). Enter the following YAML:
    
    ---
    apiVersion: db2u.databases.ibm.com/v1
    kind: Db2uCluster
    metadata:
      name: "db2u-manage"
      namespace: "db2u"
    spec:
      account:
        privileged: true
      addOns:
        graph:
          enabled: false
        rest:
          enabled: false
      version: "11.5.7.0-cn4"
      size: 1
      environment:
        dbType: db2wh
        database:
          name: "BLUDB"
          settings:
            dftTableOrg: "ROW"
          ssl:
            secretName: "db2u-certificate"
            certLabel: "CN=db2u"
        instance:
          registry:
            DB2_4K_DEVICE_SUPPORT: "ON"
            DB2AUTH: 'OSAUTHDB,ALLOW_LOCAL_FALLBACK,PLUGIN_AUTO_RELOAD'
            DB2_FMP_RUN_AS_CONNECTED_USER: 'NO'
            DB2_WORKLOAD: MAXIMO
        mln:
          total: 1 
      license:
        accept: true
      podConfig:
        db2u:
          resource:
            db2u:
              requests:
                cpu: "2"
                memory: "12Gi"
              limits:
                cpu: "6"
                memory: "18Gi"
      storage:
        - name: meta
          type: create
          spec:
            storageClassName: "ocs-storagecluster-cephfs"
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "100Gi"
        - name: data
          type: template
          spec:
            storageClassName: "ocs-storagecluster-ceph-rbd"
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "500Gi"
        - name: backup
          type: create
          spec:
            accessModes:
            - ReadWriteMany
            resources:
              requests:
                storage: "500Gi"
            storageClassName: "ocs-storagecluster-cephfs"
        - name: activelogs
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
        - name: tempts
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
    
  10. Click the Create button to create the db2ucluster CR instance.
  11. Verify that the db2ucluster is created successfully.
    Click Home > Search page, select the db2u project and search for resource type Db2uCluster. Filter the service name keyword with db2u-manage. Then, click its details and wait until it is in Ready state. The process might take 10 minutes to complete.
  12. Check the Db2 instance login, URL, password, and CA certificate (ca.crt) information.

    Check the internal service.

    On the Home > Search page, select the db2u project and search for resource type Service. Filter the service name keyword with db2u-engn-svc. In the search results, it shows the service name similar to c-db2wh-xxxx-db2u-engn-svc.

    Inside the cluster, the JDBC URL is:
    
    jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;
    
    Note: The name for the Db2 instance is the one provided in the db2ucluster YAML file. It is not a generated instance name.
    When you install Maximo Application Suite 8.10 or later in a FIPS-enabled Red Hat OpenShift cluster, configure the JDBC URL to use a non-SSL connection.
    1. Edit the JdbcConfig file from Administration > CustomResourceDefinitions and search for JdbcCfg.
    2. Change sslEnabled to false.
    3. Change url to use the non-SSL port.

    Check the Db2 instance password for default Db2 user db2inst1.

    Click Home > Search, select the db2u project and search for resource type Secret. Filter the service name keyword with -instancepassword. In the search results, it shows the service name similar to c-db2u-manage-instancepassword. Then, reveal its password.

    The JDBC user and password that are used to access the Db2 instance are:
    user: db2inst1
    password: xxx
    Note: Consider the Authentication options for Db2U when you are working with Db2 user authentication.

    Check the internal TLS that is used for JDBC SSL access:

    Click Home > Search, select the db2u project and search for resource type Secret. Filter the service name keyword with db2u-certificate. Then, reveal its ca.crt.

Installing by using the Red Hat OpenShift command-line interface (CLI)

Procedure

  1. Create a Db2U Operator catalog YAML file called db2catalog.yaml.
    
    ---
    apiVersion: operators.coreos.com/v1alpha1
    kind: CatalogSource
    metadata:
      name: ibm-db2uoperator-catalog
      namespace: openshift-marketplace
    spec:
      sourceType: grpc
      image: icr.io/cpopen/ibm-db2uoperator-catalog:latest
      imagePullPolicy: Always
      displayName: IBM Db2U Catalog
      publisher: IBM
      updateStrategy:
        registryPoll:
          interval: 45m
    
  2. Apply the db2catalog.yaml file to the Red Hat OpenShift cluster.
    
    oc apply -f db2catalog.yaml
    
  3. Verify the catalog source status:
    
    oc get catalogsource -n openshift-marketplace ibm-db2uoperator-catalog -o jsonpath='{.status.connectionState.lastObservedState} {"\n"}'
    
  4. Create a namespace called db2u:
    
    oc new-project db2u
    
  5. Create the OperandRequest YAML file db2u-operator.yaml to install the Db2U operator:
    
    ---
    apiVersion: operator.ibm.com/v1alpha1
    kind: OperandRequest
    metadata:
      name: db2u-request
      namespace: "db2u"
    spec:
      requests:
      - operands:
          - name: ibm-db2u-operator
        registry: common-service
        registryNamespace: ibm-common-services
    
  6. Apply the db2u-operator.yaml file to the Red Hat OpenShift cluster.
    
    oc apply -f db2u-operator.yaml
    
  7. Verify the Db2U operator is created and running successfully:
    
    oc get sub -n ibm-common-services ibm-db2u-operator -o jsonpath='{.status.installedCSV} {"\n"}'
    
    Sample output
    
    oc get csv -n ibm-common-services db2u-operator.v1.1.13 -o jsonpath='{ .status.phase } : {.status.message} {"\n"}'
    
    Sample output
    
    oc get deployments -n ibm-common-services db2u-operator-manager -o jsonpath="{.status.availableReplicas} {'\n'}"
    
    Sample output
  8. To provision the self-signed CA certificate issuer, create a CA Issuer YAML file called caissuer.yaml.
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-ca-issuer"
      namespace: "db2u"
    spec:
      selfSigned: {}
    
  9. Apply the caissuer.yaml file to the Red Hat OpenShift cluster.
    
    oc apply -f caissuer.yaml
    
  10. To provision the self-signed CA certificate for Db2, create a CA certificate YAML file called cacert.yaml.
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-ca-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-ca"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-ca-issuer"
        kind: Issuer
    
      isCA: true
      # cert-manager.io/v1 takes the key settings under privateKey
      privateKey:
        algorithm: RSA
        size: 4096
        encoding: PKCS8
    
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
    
      commonName: "ca.db2u"
      subject:
        # cert-manager.io/v1 takes the organization under subject.organizations
        organizations:
          - "IBM Maximo Application Suite"
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
    
  11. Verify that the CA certificate is created successfully.
    
    oc get certificates -n db2u
    NAME                  READY   SECRET    AGE   EXPIRATION
    db2u-ca-certificate   True    db2u-ca   26s   2042-05-04T08:26:02Z
    
  12. Create the YAML file issuer.yaml to create the Db2 server certificate issuer. This issuer references the secret that is created from the CA certificate issuer in the preceding step.
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: "db2u-issuer"
      namespace: "db2u"
    spec:
      ca:
        secretName: "db2u-ca"
    
  13. Apply the issuer.yaml to the Red Hat OpenShift cluster.
    
    oc apply -f issuer.yaml
    
  14. Create the YAML file certificate.yaml to provision the Db2 server certificate:
    
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: "db2u-certificate"
      namespace: "db2u"
    spec:
      secretName: "db2u-certificate"
      duration: "175200h0m0s"
      renewBefore: "2160h0m0s"
      issuerRef:
        name: "db2u-issuer"
        kind: Issuer
    
      usages:
        - cert sign
        - digital signature
        - key encipherment
        - server auth
    
      commonName: "db2u"
      dnsNames:
        - "db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "*.db2u-manage-db2u.apps.cluster1.example-cluster.com"
        - "c-db2u-manage-db2u-engn-svc.db2u.svc"
        - "*.c-db2u-manage-db2u-engn-svc.db2u.svc"
      subject:
        # cert-manager.io/v1 takes the organization under subject.organizations
        organizations:
          - "IBM Maximo Application Suite"
        countries:
          - GB
        streetAddresses:
          - London
        localities:
          - London
        organizationalUnits:
          - IBM Maximo Application Suite DB2U
    
    Note: For the DNS names, include the svc and routes that are used. Replace them with real environment information:
    • {{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    • *.{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
    • c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
    • *.c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
  15. Apply the certificate.yaml to the Red Hat OpenShift cluster.
    
    oc apply -f certificate.yaml
    
  16. Create the YAML file db2cluster.yaml to create the Db2 cluster:
    
    ---
    apiVersion: db2u.databases.ibm.com/v1
    kind: Db2uCluster
    metadata:
      name: "db2u-manage"
      namespace: "db2u"
    spec:
      account:
        privileged: true
      addOns:
        graph:
          enabled: false
        rest:
          enabled: false
      version: "11.5.7.0-cn4"
      size: 1
      environment:
        dbType: db2wh
        database:
          name: "BLUDB"
          settings:
            dftTableOrg: "ROW"
          ssl:
            secretName: "db2u-certificate"
            certLabel: "CN=db2u"
        instance:
          registry:
            DB2_4K_DEVICE_SUPPORT: "ON"
            DB2AUTH: 'OSAUTHDB,ALLOW_LOCAL_FALLBACK,PLUGIN_AUTO_RELOAD'
            DB2_FMP_RUN_AS_CONNECTED_USER: 'NO'
            DB2_WORKLOAD: MAXIMO
        mln:
          total: 1 
      license:
        accept: true
      podConfig:
        db2u:
          resource:
            db2u:
              requests:
                cpu: "2"
                memory: "12Gi"
              limits:
                cpu: "6"
                memory: "18Gi"
      storage:
        - name: meta
          type: create
          spec:
            storageClassName: "ocs-storagecluster-cephfs"
            accessModes:
              - ReadWriteMany
            resources:
              requests:
                storage: "100Gi"
        - name: data
          type: template
          spec:
            storageClassName: "ocs-storagecluster-ceph-rbd"
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "500Gi"
        - name: backup
          type: create
          spec:
            accessModes:
            - ReadWriteMany
            resources:
              requests:
                storage: "500Gi"
            storageClassName: "ocs-storagecluster-cephfs"
        - name: activelogs
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
        - name: tempts
          spec:
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: "100Gi"
            storageClassName: "ocs-storagecluster-ceph-rbd"
          type: template
    
  17. Apply the db2cluster.yaml to the Red Hat OpenShift cluster.
    
    oc apply -f db2cluster.yaml
    
  18. Verify the Db2U cluster status:
    
    oc get db2ucluster -n db2u db2u-manage -o jsonpath='{.status.state} {"\n"}'
    
  19. Check the Db2 instance login, URL, and password.
    Check the internal service:
    
    oc get svc -n db2u | grep -i engn-svc
    
    Sample output
    Inside the cluster, the JDBC URL is:
    
    jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;
    
    Note: db2u-manage is the instance name for the Db2 instance.
    When you install Maximo Application Suite 8.10 or later in a FIPS-enabled Red Hat OpenShift cluster, configure the JDBC URL to use a non-SSL connection.
    1. Edit the JdbcConfig file from Administration > CustomResourceDefinitions and search for JdbcCfg.
    2. Change sslEnabled to false.
    3. Change url to use the non-SSL port.
    Check the Db2 instance password for default Db2 user db2inst1:
    
    oc extract secret/c-db2u-manage-instancepassword -n db2u --keys=password --to=-
    
    Sample output
    The JDBC user and password that are used to access the Db2 instance are:
    user: db2inst1
    password: PcJ1fKYfFdA5AtA
    Check the ca.crt used to connect the JDBC SSL port:
    
    oc extract secret/db2u-certificate -n db2u --keys=ca.crt --to=-
    
    Sample output
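
The Note on dnsNames (in both procedures) templates the names that the Db2 server certificate must carry, and the last step gives the JDBC URL; a client that verifies the server hostname rejects the connection when the URL's host is not among those names. The following shell functions are an added example, not IBM's code: the helper names (db2u_sans, jdbc_host, san_covers, jdbc_url_covered) are hypothetical. They render the four names from the Note's templates and check a JDBC URL's host against them, treating `*.` as covering exactly one leftmost label.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, sample values are the page's.

# Render the four dnsNames from the Note's templates.
db2u_sans() {  # usage: db2u_sans <instance> <namespace> <cluster_subdomain>
    printf '%s\n' \
        "$1-$2.$3" \
        "*.$1-$2.$3" \
        "c-$1-db2u-engn-svc.$2.svc" \
        "*.c-$1-db2u-engn-svc.$2.svc"
}

# Extract the host from jdbc:db2://host[:port]/DB[:props]
jdbc_host() {
    rest=${1#jdbc:db2://}
    [ "$rest" != "$1" ] || return 1          # not a Db2 JDBC URL
    rest=${rest%%/*}                         # drop /BLUDB:...
    printf '%s\n' "${rest%%:*}"              # drop :port
}

# Succeed when <host> matches <san>; a "*." SAN covers one leftmost label only.
san_covers() {  # usage: san_covers <host> <san>
    case $2 in
        '*.'*)
            suffix=${2#?}                    # SAN without the leading '*'
            label=${1%"$suffix"}             # what the wildcard has to match
            [ "$label" != "$1" ] || return 1 # host does not end in the suffix
            case $label in ''|*.*) return 1 ;; esac
            return 0 ;;
        *) [ "$1" = "$2" ] ;;
    esac
}

# 0 = host covered, 1 = not covered, 2 = not a Db2 JDBC URL.
jdbc_url_covered() {  # usage: jdbc_url_covered <url> <instance> <namespace> <subdomain>
    host=$(jdbc_host "$1") || return 2
    host=$(printf '%s' "$host" | tr '[:upper:]' '[:lower:]')
    while read -r san; do
        san_covers "$host" "$san" && return 0
    done <<EOF
$(db2u_sans "$2" "$3" "$4")
EOF
    return 1
}

# Demo with the page's sample instance, namespace and cluster subdomain.
url='jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;'
if jdbc_url_covered "$url" db2u-manage db2u apps.cluster1.example-cluster.com; then
    echo "covered: $(jdbc_host "$url")"
else
    echo "NOT covered: $(jdbc_host "$url")"
fi
```

A host such as c-db2u-manage-db2u-engn-svc.db2u.svc.cluster.local is reported as not covered, because the templates list only the short .svc form.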

What to do next

Configuring IBM Db2 Warehouse