Creating the Db2 instance by using the stand-alone Db2U operator
You can create an IBM® Db2® instance that uses the stand-alone Db2U operator from the Red Hat® OpenShift® console or from the CLI.
- This task maps to the following Ansible role: db2. For more information, see IBM Maximo Application Suite installation with Ansible collection.
- When you install Db2 on IBM Cloud® and use IBM File Storage for IBM Cloud, follow the steps that are outlined in the following topic to enable no_root_squash. For more information, see Configuring IBM Cloud File Storage.
Before you begin
If your environment needs to be compliant with Federal Information Processing Standard (FIPS), in IBM Maximo Application Suite 8.10.1 or later, you must install a new instance of Db2 inside a Red Hat OpenShift cluster that is enabled for FIPS. The IPsec encryption must be enabled when you install the cluster, and the JDBC configuration must use the non-SSL connection.
For more information, see IPsec encryption configuration.
sh-4.4$ java -Dsemeru.fips=true Ciphers
Default Cipher
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
* TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Installing by using the Red Hat OpenShift Container Platform web console
Procedure
- In the banner, click Import YAML. Enter the following YAML:
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: "db2u-ca-issuer"
  namespace: "db2u"
spec:
  selfSigned: {}
- Click Create to provision the self-signed CA certificate issuer.
- In the banner, click Import YAML. Enter the following YAML:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "db2u-ca-certificate"
  namespace: "db2u"
spec:
  secretName: "db2u-ca"
  duration: "175200h0m0s"
  renewBefore: "2160h0m0s"
  issuerRef:
    name: "db2u-ca-issuer"
    kind: Issuer
  isCA: true
  keyAlgorithm: rsa
  keySize: 4096
  keyEncoding: pkcs8
  usages:
    - cert sign
    - digital signature
    - key encipherment
    - server auth
  commonName: "ca.db2u"
  organization:
    - "IBM Maximo Application Suite"
  subject:
    countries:
      - GB
    streetAddresses:
      - London
    localities:
      - London
    organizationalUnits:
      - IBM Maximo Application Suite DB2U
- Click the Create button to provision the self-signed CA certificate for Db2.
- In the banner, click Import YAML. Enter the following YAML. This YAML creates the Db2 server certificate issuer. This issuer references the secret that is created from the CA certificate issuer in the previous step.
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: "db2u-issuer"
  namespace: "db2u"
spec:
  ca:
    secretName: "db2u-ca"
- Verify that the secret db2u-ca exists, then click Create.
- In the banner, click Import YAML. Enter the following YAML:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "db2u-certificate"
  namespace: "db2u"
spec:
  secretName: "db2u-certificate"
  duration: "175200h0m0s"
  renewBefore: "2160h0m0s"
  issuerRef:
    name: "db2u-issuer"
    kind: Issuer
  usages:
    - cert sign
    - digital signature
    - key encipherment
    - server auth
  commonName: "db2u"
  dnsNames:
    - "db2u-manage-db2u.apps.cluster1.example-cluster.com"
    - "*.db2u-manage-db2u.apps.cluster1.example-cluster.com"
    - "c-db2u-manage-db2u-engn-svc.db2u.svc"
    - "*.c-db2u-manage-db2u-engn-svc.db2u.svc"
  organization:
    - "IBM Maximo Application Suite"
  subject:
    countries:
      - GB
    streetAddresses:
      - London
    localities:
      - London
    organizationalUnits:
      - IBM Maximo Application Suite DB2U
Note: For the DNS names, include the svc and routes that are used. Replace them with real environment information:
{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
*.{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
*.c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
- Click the Create button to create the Db2 server certificate.
- In the banner, click Import YAML. Enter the following YAML:
---
apiVersion: db2u.databases.ibm.com/v1
kind: Db2uCluster
metadata:
  name: "db2u-manage"
  namespace: "db2u"
spec:
  account:
    privileged: true
  addOns:
    graph:
      enabled: false
    rest:
      enabled: false
  version: "11.5.7.0-cn4"
  size: 1
  environment:
    dbType: db2wh
    database:
      name: "BLUDB"
      settings:
        dftTableOrg: "ROW"
      ssl:
        secretName: "db2u-certificate"
        certLabel: "CN=db2u"
    instance:
      registry:
        DB2_4K_DEVICE_SUPPORT: "ON"
        DB2AUTH: 'OSAUTHDB,ALLOW_LOCAL_FALLBACK,PLUGIN_AUTO_RELOAD'
        DB2_FMP_RUN_AS_CONNECTED_USER: 'NO'
        DB2_WORKLOAD: MAXIMO
    mln:
      total: 1
  license:
    accept: true
  podConfig:
    db2u:
      resource:
        db2u:
          requests:
            cpu: "2"
            memory: "12Gi"
          limits:
            cpu: "6"
            memory: "18Gi"
  storage:
    - name: meta
      type: create
      spec:
        storageClassName: "ocs-storagecluster-cephfs"
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: "100Gi"
    - name: data
      type: template
      spec:
        storageClassName: "ocs-storagecluster-ceph-rbd"
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "500Gi"
    - name: backup
      type: create
      spec:
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: "500Gi"
        storageClassName: "ocs-storagecluster-cephfs"
    - name: activelogs
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "100Gi"
        storageClassName: "ocs-storagecluster-ceph-rbd"
      type: template
    - name: tempts
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "100Gi"
        storageClassName: "ocs-storagecluster-ceph-rbd"
      type: template
- Click the Create button to create the db2ucluster CR instance.
- Verify that the db2ucluster is created successfully.
On the Home > Search page, select the db2u project and search for resource type Db2uCluster. Filter the service name keyword with db2u-manage. Then, click its details and wait until it is in Ready state. The process might take 10 minutes to complete.
- Check the Db2 instance login, URL, password and ca.crt information.
Check the internal service.
On the Home > Search page, select the db2u project and search for resource type Service. Filter the service name keyword with db2u-engn-svc. In the search results, it shows the service name similar to c-db2wh-xxxx-db2u-engn-svc.
Inside the cluster, the JDBC URL is:
jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;
Note: The name for the Db2 instance is the one provided in the db2ucluster YAML file. It is not a generated instance name.
When you install Maximo Application Suite 8.10 or later in a FIPS-enabled Red Hat OpenShift cluster, configure the JDBC URL to use a non-SSL connection.
  - Edit the JdbcConfig file from Administration > CustomResourceDefinitions and search JdbcCfg.
  - Change sslEnabled to false.
  - Change url to use non-ssl port.
Check the Db2 instance password for default Db2 user db2inst1.
Click Home > Search, select the db2u project and search for resource type Secret. Filter the service name keyword with -instancepassword. In the search results, it shows the service name similar to c-db2u-manage-instancepassword. Then, reveal its password.
The JDBC user and password that is used to access the Db2 instance is:
user: db2inst1
password: xxx
Note: Consider the Authentication options for Db2U when you are working with Db2 user authentication.
Check the internal TLS that is used for JDBC SSL access:
Click Home > Search, select the db2u project and search for resource type Secret. Filter the service name keyword with db2u-certificate. Then, reveal its ca.crt.
Installing by using the Red Hat OpenShift command-line interface (CLI)
Procedure
- Create a Db2U Operator catalog YAML file called db2catalog.yaml.
---
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
  name: ibm-db2uoperator-catalog
  namespace: openshift-marketplace
spec:
  sourceType: grpc
  image: icr.io/cpopen/ibm-db2uoperator-catalog:latest
  imagePullPolicy: Always
  displayName: IBM Db2U Catalog
  publisher: IBM
  updateStrategy:
    registryPoll:
      interval: 45m
- Apply the db2catalog.yaml file to the Red Hat OpenShift cluster.
oc apply -f db2catalog.yaml
- Verify the catalog source status:
oc get catalogsource -n openshift-marketplace ibm-db2uoperator-catalog -o jsonpath='{.status.connectionState.lastObservedState} {"\n"}'
- Create a namespace called db2u:
oc new-project db2u
- Create the OperandRequest YAML file db2u-operator.yaml to install the Db2u Operator:
---
apiVersion: operator.ibm.com/v1alpha1
kind: OperandRequest
metadata:
  name: db2u-request
  namespace: "db2u"
spec:
  requests:
    - operands:
        - name: ibm-db2u-operator
      registry: common-service
      registryNamespace: ibm-common-services
- Apply the db2u-operator.yaml file to the Red Hat OpenShift cluster.
oc apply -f db2u-operator.yaml
- Verify the Db2U operator is created and running successfully:
oc get sub -n ibm-common-services ibm-db2u-operator -o jsonpath='{.status.installedCSV} {"\n"}'
Sample output:
db2u-operator.v1.1.13
oc get csv -n ibm-common-services db2u-operator.v1.1.13 -o jsonpath='{ .status.phase } : {.status.message} {"\n"}'
Sample output:
Succeeded : install strategy completed with no errors
oc get deployments -n ibm-common-services db2u-operator-manager -o jsonpath="{.status.availableReplicas} {'\n'}"
Sample output:
1
- To provision the self-signed CA certificate issuer, create a CA Issuer YAML file called caissuer.yaml.
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: "db2u-ca-issuer"
  namespace: "db2u"
spec:
  selfSigned: {}
- Apply the caissuer.yaml file to the Red Hat OpenShift cluster.
oc apply -f caissuer.yaml
- To provision the self-signed CA certificate for Db2, create a CA certificate YAML file called cacert.yaml.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "db2u-ca-certificate"
  namespace: "db2u"
spec:
  secretName: "db2u-ca"
  duration: "175200h0m0s"
  renewBefore: "2160h0m0s"
  issuerRef:
    name: "db2u-ca-issuer"
    kind: Issuer
  isCA: true
  keyAlgorithm: rsa
  keySize: 4096
  keyEncoding: pkcs8
  usages:
    - cert sign
    - digital signature
    - key encipherment
    - server auth
  commonName: "ca.db2u"
  organization:
    - "IBM Maximo Application Suite"
  subject:
    countries:
      - GB
    streetAddresses:
      - London
    localities:
      - London
    organizationalUnits:
      - IBM Maximo Application Suite DB2U
- Verify that the CA certificate is created successfully.
oc get certificates -n db2u
NAME                  READY   SECRET    AGE   EXPIRATION
db2u-ca-certificate   True    db2u-ca   26s   2042-05-04T08:26:02Z
- Create the YAML file issuer.yaml to create the Db2 server certificate issuer. This issuer references the secret that is created from the CA certificate issuer in the preceding step.
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: "db2u-issuer"
  namespace: "db2u"
spec:
  ca:
    secretName: "db2u-ca"
- Apply the issuer.yaml to the Red Hat OpenShift cluster.
oc apply -f issuer.yaml
- Create the YAML file certificate.yaml to provision the Db2 server certificate:
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: "db2u-certificate"
  namespace: "db2u"
spec:
  secretName: "db2u-certificate"
  duration: "175200h0m0s"
  renewBefore: "2160h0m0s"
  issuerRef:
    name: "db2u-issuer"
    kind: Issuer
  usages:
    - cert sign
    - digital signature
    - key encipherment
    - server auth
  commonName: "db2u"
  dnsNames:
    - "db2u-manage-db2u.apps.cluster1.example-cluster.com"
    - "*.db2u-manage-db2u.apps.cluster1.example-cluster.com"
    - "c-db2u-manage-db2u-engn-svc.db2u.svc"
    - "*.c-db2u-manage-db2u-engn-svc.db2u.svc"
  organization:
    - "IBM Maximo Application Suite"
  subject:
    countries:
      - GB
    streetAddresses:
      - London
    localities:
      - London
    organizationalUnits:
      - IBM Maximo Application Suite DB2U
Note: For the DNS names, include the svc and routes that are used. Replace them with real environment information:
{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
*.{{db2_instance_name}}-{{db2_namespace}}.{{cluster_subdomain}}
c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
*.c-{{db2_instance_name}}-db2u-engn-svc.{{ db2_namespace }}.svc
- Apply the certificate.yaml to the Red Hat OpenShift cluster.
oc apply -f certificate.yaml
- Create the YAML file db2cluster.yaml to create the Db2 cluster:
---
apiVersion: db2u.databases.ibm.com/v1
kind: Db2uCluster
metadata:
  name: "db2u-manage"
  namespace: "db2u"
spec:
  account:
    privileged: true
  addOns:
    graph:
      enabled: false
    rest:
      enabled: false
  version: "11.5.7.0-cn4"
  size: 1
  environment:
    dbType: db2wh
    database:
      name: "BLUDB"
      settings:
        dftTableOrg: "ROW"
      ssl:
        secretName: "db2u-certificate"
        certLabel: "CN=db2u"
    instance:
      registry:
        DB2_4K_DEVICE_SUPPORT: "ON"
        DB2AUTH: 'OSAUTHDB,ALLOW_LOCAL_FALLBACK,PLUGIN_AUTO_RELOAD'
        DB2_FMP_RUN_AS_CONNECTED_USER: 'NO'
        DB2_WORKLOAD: MAXIMO
    mln:
      total: 1
  license:
    accept: true
  podConfig:
    db2u:
      resource:
        db2u:
          requests:
            cpu: "2"
            memory: "12Gi"
          limits:
            cpu: "6"
            memory: "18Gi"
  storage:
    - name: meta
      type: create
      spec:
        storageClassName: "ocs-storagecluster-cephfs"
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: "100Gi"
    - name: data
      type: template
      spec:
        storageClassName: "ocs-storagecluster-ceph-rbd"
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "500Gi"
    - name: backup
      type: create
      spec:
        accessModes:
          - ReadWriteMany
        resources:
          requests:
            storage: "500Gi"
        storageClassName: "ocs-storagecluster-cephfs"
    - name: activelogs
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "100Gi"
        storageClassName: "ocs-storagecluster-ceph-rbd"
      type: template
    - name: tempts
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "100Gi"
        storageClassName: "ocs-storagecluster-ceph-rbd"
      type: template
- Apply the db2cluster.yaml to the Red Hat OpenShift cluster.
oc apply -f db2cluster.yaml
- Verify the Db2U cluster status:
oc get db2ucluster -n db2u db2u-manage -o jsonpath='{.status.state} {"\n"}'
- Check the Db2 instance login, URL, and password.
Check the internal service:
oc get svc -n db2u | grep -i engn-svc
Sample output:
c-db2u-manage-db2u-engn-svc NodePort 172.30.120.206 <none> 50000:30601/TCP,50001:30036/TCP
Inside the cluster, the JDBC URL is:
jdbc:db2://c-db2u-manage-db2u-engn-svc.db2u.svc:50001/BLUDB:sslConnection=true;
Note: db2u-manage is the instance name for the Db2 instance.
When you install Maximo Application Suite 8.10 or later in a FIPS-enabled Red Hat OpenShift cluster, configure the JDBC URL to use a non-SSL connection.
  - Edit the JdbcConfig file from Administration > CustomResourceDefinitions and search JdbcCfg.
  - Change sslEnabled to false.
  - Change url to use non-ssl port.
Check the Db2 instance password for default Db2 user db2inst1:
oc extract secret/c-db2u-manage-instancepassword -n db2u --keys=password --to=-
Sample output:
# password
PcJ1fKYfFdA5AtA
The JDBC user and password that is used to access the Db2 instance is:
user: db2inst1
password: PcJ1fKYfFdA5AtA
Check the ca.crt used to connect the JDBC SSL port:
oc extract secret/db2u-certificate -n db2u --keys=ca.crt --to=-
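The following script is an added example, not part of the IBM procedure: it derives the four dnsNames from the note in the server certificate step, builds the in-cluster JDBC URL from the final step, and checks that the URL's host is covered by those names, so a hostname mismatch is caught before certificate.yaml is applied. The function names are hypothetical, and port 50000 for the non-SSL case is an assumption taken from the sample service output.

```bash
#!/usr/bin/env bash
# Added example; function names are illustrative, not part of Db2U or oc.

# Print the four dnsNames from the certificate note, one per line.
# Args: instance name, namespace, cluster subdomain.
db2_dns_names() {
  local inst=$1 ns=$2 sub=$3
  printf '%s\n' \
    "${inst}-${ns}.${sub}" \
    "*.${inst}-${ns}.${sub}" \
    "c-${inst}-db2u-engn-svc.${ns}.svc" \
    "*.c-${inst}-db2u-engn-svc.${ns}.svc"
}

# Build the in-cluster JDBC URL. Mode "ssl" uses port 50001 as shown on the
# page; mode "nonssl" (FIPS clusters) assumes 50000, the other service port.
jdbc_url() {
  local host="c-$1-db2u-engn-svc.$2.svc" db=$3 mode=$4
  if [ "$mode" = ssl ]; then
    printf 'jdbc:db2://%s:50001/%s:sslConnection=true;\n' "$host" "$db"
  else
    printf 'jdbc:db2://%s:50000/%s\n' "$host" "$db"
  fi
}

# Extract the host part of a jdbc:db2://host:port/DB... URL.
jdbc_host() {
  local rest=${1#jdbc:db2://}
  printf '%s\n' "${rest%%[:/]*}"
}

# Read SANs on stdin; succeed if one covers the host. A wildcard stands for
# exactly one leading label, which is how TLS clients apply it.
san_covers() {
  local host=$1 san
  while IFS= read -r san; do
    if [ "$san" = "$host" ]; then return 0; fi
    if [ "${san#\*.}" != "$san" ] && [ "${host#*.}" != "$host" ] \
       && [ "${host#*.}" = "${san#\*.}" ]; then return 0; fi
  done
  return 1
}

# Succeed only if the URL's host is covered by the planned dnsNames.
# Args: JDBC URL, instance name, namespace, cluster subdomain.
check_jdbc_url() {
  db2_dns_names "$2" "$3" "$4" | san_covers "$(jdbc_host "$1")"
}
```

With the page's values, the short service name passes, while a client that connects through the longer c-db2u-manage-db2u-engn-svc.db2u.svc.cluster.local name is rejected because neither the exact entry nor the one-label wildcard covers it.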