You can connect the application discovery service of an OCP deployment of Agile Service
Manager with an on-prem Db2 installation. This topic describes how to do so using SSL.
Before you begin
Before setting up the application discovery service for Agile Service Manager on OCP to run with
an on-prem version of Db2, you must download and install DB2 Version 11.5 Enterprise Server Edition.
See the Db2 documentation for more installation and configuration information.
Important: Before configuring a secure (SSL) connection between the OCP application
discovery service and the on-prem Db2 server, you must complete steps 1 - 5 of the
TCPIP setup.
About this task
Note: TCPIP (or insecure) mode is enabled by default when DB2 is installed.
Procedure
DB2 server prerequisites
- On the Db2 server, as the root user, create a key database called mydbserver.kdb and a stash file called mydbserver.sth using the GSKCapiCmd tool.
Tip: The GSKCapiCmd tool is packaged with DB2 and can be found in the
/opt/ibm/db2/V11.5/gskit/bin directory.
Run the following commands:
export LD_LIBRARY_PATH=/opt/ibm/db2/V11.5/lib64/gskit_db2
cd /opt/ibm/db2/V11.5/gskit/bin
./gsk8capicmd_64 -keydb -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -stash
- As the root user, add (create) a certificate for your server to the key database.
The server sends this certificate to clients during the SSL handshake to provide authentication for the server.
Example command to create a self-signed certificate:
./gsk8capicmd_64 -cert -create -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -dn "CN=myhost.mycompany.com,O=myOrganization,OU=myOrganizationUnit,L=myLocation,ST=ON,C=CA"
- As the root user, extract the certificate you created to a file.
This certificate can be distributed to computers running clients. In this case, the application discovery service can use this certificate to establish SSL connections to the DB2 server. The following command extracts the certificate to the mydbserver.arm file.
./gsk8capicmd_64 -cert -extract -db "mydbserver.kdb" -pw "myServerPassw0rdpw0" -label "myselfsigned" -target "mydbserver.arm" -format ascii -fips
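- Set up the Db2 server for SSL support. Mode 744 leaves the key database and stash file readable by every local account, which includes the db2inst1 instance owner that must open them: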
chmod 744 mydbserver.kdb mydbserver.sth
su db2inst1
db2 update dbm cfg using SSL_SVR_KEYDB /opt/ibm/db2/V11.5/gskit/bin/mydbserver.kdb
db2 update dbm cfg using SSL_SVR_STASH /opt/ibm/db2/V11.5/gskit/bin/mydbserver.sth
db2 update dbm cfg using SSL_SVR_LABEL myselfsigned
db2 update dbm cfg using SSL_SVCENAME 60000
db2set -i db2inst1 DB2COMM=SSL,TCPIP
db2stop
db2start
- As the db2inst1 user, verify that both SSL and TCPIP modes are enabled.
  - Run the following command:
[db2inst1@taddmvm162095 root]$ db2 get dbm cfg | grep SVCE
System output:
TCP/IP Service name (SVCENAME) = 50000
SSL service name (SSL_SVCENAME) = 60000
The system output shows that the SSL and TCPIP ports are enabled for connection with the DB2 server.
  - Run the following command:
[db2inst1@taddmvm162095 root]$ db2set -i
System output:
DB2_EVALUNCOMMITTED=YES
DB2_SELECTIVITY=DSCC
DB2COMM=SSL,TCPIP
DB2AUTOSTART=YES
The system output for DB2COMM shows that SSL and TCPIP modes are enabled.
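The two verification outputs above can also be checked by a script. The following shell functions are an added example, not part of the original procedure or of IBM's tooling; the function names and the failure sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not IBM's code): evaluates the text of the two verification
# outputs above. Sample strings are taken from or constructed after this page.

# Print the value of dbm cfg parameter $2 (e.g. SSL_SVCENAME) found in text $1.
cfg_value() {
    printf '%s\n' "$1" |
        sed -n "s/.*($2)[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        head -n 1
}

# Succeed if protocol $2 is listed in the DB2COMM line of db2set text $1.
comm_has() {
    protos=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*DB2COMM=//p' |
        head -n 1 | tr 'a-z' 'A-Z' | tr -d '[:space:]')
    case ",$protos," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 only if an SSL port is configured AND DB2COMM starts the SSL
# listener; also report when the plaintext TCPIP listener is still active.
check_db2_ssl() {
    ssl_port=$(cfg_value "$1" SSL_SVCENAME)
    tcp_port=$(cfg_value "$1" SVCENAME)
    rc=0
    if [ -n "$ssl_port" ] && comm_has "$2" SSL; then
        echo "OK: SSL listener configured on port $ssl_port"
    else
        echo "FAIL: SSL not enabled (SSL_SVCENAME='$ssl_port'; DB2COMM must list SSL)"
        rc=1
    fi
    if [ -n "$tcp_port" ] && comm_has "$2" TCPIP; then
        echo "INFO: plaintext TCPIP listener also enabled on port $tcp_port"
    fi
    return "$rc"
}

# Outputs as shown on this page (db2set output shortened).
DBM_CFG_SAMPLE=' TCP/IP Service name (SVCENAME) = 50000
 SSL service name (SSL_SVCENAME) = 60000'
DB2SET_SAMPLE='DB2_EVALUNCOMMITTED=YES
DB2COMM=SSL,TCPIP'
# Constructed failure case: SSL port set, but DB2COMM was never updated.
BAD_DB2SET='DB2COMM=TCPIP'

check_db2_ssl "$DBM_CFG_SAMPLE" "$DB2SET_SAMPLE"
check_db2_ssl "$DBM_CFG_SAMPLE" "$BAD_DB2SET" || echo "(expected failure)"
```

On the server, pass the live output of the two verification commands instead of the sample strings.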
OCP application discovery server configuration
- On the OCP application discovery server, perform the following steps:
  - Copy the previously created mydbserver.arm certificate to the application discovery client server.
  - Rename the mydbserver.arm certificate to 'tls.crt'.
cp mydbserver.arm tls.crt
  - Create a secret in the same namespace in which the application discovery service is installed using the tls.crt certificate.
oc create secret generic "db-cert" --from-file=/root/tls.crt -n app-disco-namespace
Remember: The following step requires that the first five steps of the TCPIP setup have
been completed.
- Populate the database details in the Netcool Operations Insight on Red Hat OpenShift Operator properties.
The following sample shows the database parameters to connect the application discovery service with the pre-configured database in secure (SSL) mode:
appDisco:
  enabled: true
  dburl: 'db2hostname.com'
  dbsecret: 'db2-secret'
  secure: true
  certSecret: 'db-cert'
- dburl
  The URL of the server on which DB2 is installed.
- dbsecret
  The name of the secret in the same namespace as the instance to be installed. It must contain the following keys:
  - DBUSER: The name of the DB2 user.
  - DB_PASSWORD: The password of the DB2 user.
  - DBARCHIVEUSER: The name of the DB2 archive user.
  - DB_ARCH_PASSWORD: The password of the DB2 archive user.
- secure
  'True' if the connection to DB2 is secure.
- certSecret
  Applicable only if the 'secure' property is 'true'. This is the name of the secret created earlier. This secret must contain the DB2 certificate 'tls.crt'.