Configuring on-prem Db2 with OCP application discovery (SSL)

You can connect the application discovery service of an OCP deployment of Agile Service Manager to an on-prem Db2 installation. This topic describes how to do so over SSL.

Before you begin

Before setting up the application discovery service for Agile Service Manager on OCP to run with an on-prem version of Db2, you must download and install DB2 Version 11.5 Enterprise Server Edition. See the Db2 documentation for more installation and configuration information.

Important: Before configuring a secure (SSL) connection between the OCP application discovery service and the on-prem Db2 server, you must complete steps 1 - 5 of the TCPIP setup.

About this task

Note: TCPIP (or insecure) mode is enabled by default when DB2 is installed.

Procedure

DB2 server prerequisites

  1. On the Db2 server, and as the root user, create a key database called mydbserver.kdb and a stash file called mydbserver.sth using the GSKCapiCmd tool.
    Tip: The GSKCapiCmd tool is packaged with DB2 and can be found in the /opt/ibm/db2/V11.5/gskit/bin directory.
    Run the following commands:
    export LD_LIBRARY_PATH=/opt/ibm/db2/V11.5/lib64/gskit_db2
    
    cd /opt/ibm/db2/V11.5/gskit/bin
    
    ./gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -stash
  2. As the root user, add (create) a certificate for your server to the key database.
    The server sends this certificate to clients during the SSL handshake to provide authentication for the server.
    Example command to create a self-signed certificate:
    ./gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"
  3. As the root user, extract the certificate created to a file.
    This certificate can be distributed to the computers that run clients; here, the application discovery service uses it to establish SSL connections to the DB2 server. The following command extracts the certificate to the mydbserver.arm file.
    ./gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips
  4. Set up the Db2 server for SSL support:
    chmod 744 mydbserver.kdb mydbserver.sth
    su db2inst1
    db2 update dbm cfg using SSL_SVR_KEYDB /opt/ibm/db2/V11.5/gskit/bin/mydbserver.kdb
    db2 update dbm cfg using SSL_SVR_STASH /opt/ibm/db2/V11.5/gskit/bin/mydbserver.sth
    db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
    db2 update dbm cfg using SSL_SVCENAME 60000
    db2set -i db2inst1 DB2COMM=SSL,TCPIP
    db2stop
    db2start
    
  5. As the db2inst1 user, verify that both SSL and TCPIP modes are enabled.
    1. Run the following command:
      [db2inst1@taddmvm162095 root]$ db2 get dbm cfg | grep SVCE
      System output:
      
       TCP/IP Service name        (SVCENAME) = 50000
       SSL service name           (SSL_SVCENAME) = 60000
      
      The system output shows that the SSL and TCPIP ports are enabled for connection with the DB2 server.
    2. Run the following command:
      [db2inst1@taddmvm162095 root]$ db2set -i
      
      System output:
      DB2_EVALUNCOMMITTED=YES
      DB2_SELECTIVITY=DSCC
      DB2COMM=SSL,TCPIP
      DB2AUTOSTART=YES
      
      The system output for DB2COMM shows that SSL and TCPIP modes are enabled.
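To check the result of steps 4 and 5 without reading the output by eye, the following added example (not from this page or from Db2) parses captured `db2 get dbm cfg` and `db2set -i` output and reports what is still missing for SSL. The sample outputs are constructed; the SSL_SVR_* lines are assumed to use the same `(PARAM) = value` layout as the SVCENAME lines shown above.

```python
import re

# Constructed sample of `db2 get dbm cfg` output; the page shows only the two
# SVCENAME lines, the SSL_SVR_* lines are assumed to use the same layout.
SAMPLE_DBM_CFG = """\
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL service name                         (SSL_SVCENAME) = 60000
 SSL server keydb file                   (SSL_SVR_KEYDB) = /opt/ibm/db2/V11.5/gskit/bin/mydbserver.kdb
 SSL server stash file                   (SSL_SVR_STASH) = /opt/ibm/db2/V11.5/gskit/bin/mydbserver.sth
 SSL server certificate label            (SSL_SVR_LABEL) = myselfsigned
"""

# Constructed sample of `db2set -i` output, mirroring the page's example.
SAMPLE_DB2SET = """\
DB2_EVALUNCOMMITTED=YES
DB2_SELECTIVITY=DSCC
DB2COMM=SSL,TCPIP
DB2AUTOSTART=YES
"""

_CFG_LINE = re.compile(r"\((?P<name>[A-Z0-9_]+)\)\s*=\s*(?P<value>.*)$")

def parse_dbm_cfg(text):
    """Map each '(PARAM) = value' line to PARAM -> value ('' when unset)."""
    cfg = {}
    for line in text.splitlines():
        m = _CFG_LINE.search(line)
        if m:
            cfg[m.group("name")] = m.group("value").strip()
    return cfg

def parse_db2set(text):
    """Map each 'VAR=value' line of db2set output to VAR -> value."""
    return {k.strip(): v.strip() for k, v in
            (line.split("=", 1) for line in text.splitlines() if "=" in line)}

def ssl_readiness(dbm_cfg_text, db2set_text):
    """Return what is still missing for SSL; an empty list means ready."""
    cfg, reg = parse_dbm_cfg(dbm_cfg_text), parse_db2set(db2set_text)
    problems = [f"{p} is not set" for p in
                ("SSL_SVR_KEYDB", "SSL_SVR_STASH", "SSL_SVR_LABEL", "SSL_SVCENAME")
                if not cfg.get(p)]
    modes = {m.strip().upper() for m in reg.get("DB2COMM", "").split(",") if m.strip()}
    if "SSL" not in modes:
        problems.append("DB2COMM does not include SSL")
    # Db2 requires the SSL listener port to differ from the TCP/IP port.
    if cfg.get("SSL_SVCENAME") and cfg["SSL_SVCENAME"] == cfg.get("SVCENAME"):
        problems.append("SSL_SVCENAME must differ from SVCENAME")
    return problems
```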

OCP application discovery server configuration

  1. On the OCP application discovery server, perform the following steps:
    1. Copy the previously created mydbserver.arm certificate to the application discovery client server.
      ssh root@MASTER-1-IP
    2. Rename the mydbserver.arm certificate to tls.crt.
      cp mydbserver.arm tls.crt
    3. Create a secret in the same namespace in which the application discovery service is installed using the tls.crt certificate.
      oc create secret generic "db-cert" --from-file=/root/tls.crt -n app-disco-namespace

Remember: The following step requires that the first five steps of the TCPIP setup have been completed.

  1. Populate the database details in the Netcool Operations Insight on Red Hat OpenShift Operator properties.
    The following sample shows the database parameters to connect the application discovery service with the pre-configured database in secure (SSL) mode:
    appDisco:
      enabled: true
      dburl: 'db2hostname.com'
      dbsecret: 'db2-secret'
      secure: true
      certSecret: 'db-cert'
    
    dburl
        The URL of the server on which DB2 is installed.
    dbsecret
        The name of the secret in the same namespace as the instance to be installed. It must contain the following keys:
        DBUSER
            The name of the DB2 user.
        DB_PASSWORD
            The password of the DB2 user.
        DBARCHIVEUSER
            The name of the DB2 archive user.
        DB_ARCH_PASSWORD
            The password of the DB2 archive user.
    secure
        'true' if the connection to DB2 is secure.
    certSecret
        Applicable only if the 'secure' property is 'true'. This is the name of the secret created earlier, which must contain the DB2 certificate under the key 'tls.crt'.
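As an added example (not part of this page or of the operator), the following Python check validates the appDisco properties against the secrets in the namespace before the operator properties are applied: it confirms that dbsecret carries the four required keys and, when secure is true, that certSecret names an existing secret holding a PEM certificate under tls.crt. The secret contents are constructed stand-ins shaped like the base64 `data` map that `oc get secret -o json` returns.

```python
import base64

# Constructed appDisco properties, matching the sample shown above.
APP_DISCO = {
    "enabled": True,
    "dburl": "db2hostname.com",
    "dbsecret": "db2-secret",
    "secure": True,
    "certSecret": "db-cert",
}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed stand-in for the namespace's secrets: name -> base64 `data` map.
SECRETS = {
    "db2-secret": {
        "DBUSER": _b64("db2inst1"),
        "DB_PASSWORD": _b64("placeholder-password"),
        "DBARCHIVEUSER": _b64("db2arch"),
        "DB_ARCH_PASSWORD": _b64("placeholder-archive-password"),
    },
    "db-cert": {  # placeholder PEM body, not a real certificate
        "tls.crt": _b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
    },
}

REQUIRED_DB_KEYS = ("DBUSER", "DB_PASSWORD", "DBARCHIVEUSER", "DB_ARCH_PASSWORD")

def validate_app_disco(props, secrets):
    """Return a list of problems; empty means the properties and secrets agree."""
    problems = []
    db = secrets.get(props.get("dbsecret", ""))
    if db is None:
        problems.append(f"dbsecret '{props.get('dbsecret')}' not found in namespace")
    else:
        problems += [f"dbsecret is missing key {k}" for k in REQUIRED_DB_KEYS if not db.get(k)]
    if props.get("secure"):
        cert = secrets.get(props.get("certSecret") or "")
        if cert is None:
            problems.append("secure is true but certSecret does not name an existing secret")
        else:
            # The secret was created with --from-file=tls.crt, so the key is tls.crt.
            pem = base64.b64decode(cert.get("tls.crt", "")).decode(errors="replace")
            if "-----BEGIN CERTIFICATE-----" not in pem:
                problems.append("certSecret must hold a PEM certificate under key tls.crt")
    return problems
```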