Updating the Db2 Warehouse password secrets

The Db2 Warehouse administration accounts on your IBM Software Hub cluster are protected by password secrets. During deployment of Db2 Warehouse, these password secrets are automatically generated and securely stored for these accounts. These accounts are used by Db2 Warehouse to handle administrative tasks on the database. If you need to change them to comply with specific password regulations, or if your security situation changes, you can use this method to update the password secrets at any point in time.

About this task

These commands update the passwords for both the Db2 Warehouse instance user account and the Db2 Warehouse admin account, which is kept in the local Db2 Warehouse LDAP service. You need a user account with sufficient authority to run the oc patch and oc delete commands in the namespace where your Db2 Warehouse instance is running.

Procedure

Note: If you have multiple deployments, use the Details page in the UI to identify the instance identifier for the instance that you want to update. The Db2uCluster or Db2uInstance name contains the instance identifier.

  1. Obtain the name of the Db2uCluster or Db2uInstance and assign it to a variable:
    oc get db2ucluster,db2uinstance
    Example result:
    NAME                       STATE   MAINTENANCESTATE   AGE
    db2wh-1605722434029496     Ready   None               46d
    Export the Db2uCluster name or Db2uInstance name to a variable:
    export DB2_CR_ID=<Db2uCluster or Db2uInstance resource name>
  2. Complete the following steps to update the password in the secret object.
    1. Export the new password to a variable:
      export NEW_PASSWORD="my_new_password"
    2. Run the following command to update the password in the secret object:
      oc patch -n ${PROJECT_CPD_INST_OPERANDS} $(oc get secret -n ${PROJECT_CPD_INST_OPERANDS} c-${DB2_CR_ID}-instancepassword -oname) -p "{\"data\":{\"password\": \"$(printf '%s' "${NEW_PASSWORD}" | base64 | tr -d '\n')\"}}"
    Attention: If the Db2 Warehouse instance is either the primary or principal standby in an HADR configuration, the Governor configuration file must also be updated with the new password.
    1. Exec into the Db2 Warehouse pod that hosts the catalog partition, and switch to the database instance owner:
      su - db2inst1
    2. Change the password in the /mnt/blumeta0/home/db2inst1/governor/db2.yml Governor configuration file.
      db2:
      ...
       authentication:
        username: db2inst1
        password: XCouid9KSLi1TYC     # Change this to the new password
  3. Run the following command on any running Db2 Warehouse engine pod, for example c-db2wh-1605722434029496-db2u-0, to remove the db2inst1 entry from users.json:
    oc exec -i -n ${PROJECT_CPD_INST_OPERANDS} c-${DB2_CR_ID}-db2u-0 -- sudo python <<'EOF'
    import json
    
    with open("/mnt/blumeta0/db2_config/users.json", 'r') as fd:
        parsed = json.load(fd)
    
    if 'db2inst1' in parsed['users']:
        del parsed['users']['db2inst1']
    
    with open("/mnt/blumeta0/db2_config/users.json", 'w') as fd:
        json.dump(parsed, fd, indent=2)
    EOF
  4. Restart the Db2 Warehouse engine pod or pods and the tools pod (the tools pod applies only to Db2 Warehouse MPP):
    oc delete -n ${PROJECT_CPD_INST_OPERANDS} $(oc get po -n ${PROJECT_CPD_INST_OPERANDS} -o name | grep -E "${DB2_CR_ID}-db2u-[0-9]")
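
The patch payload from step 2 can be built and checked before it is applied. The following is an added example, not IBM's code: it encodes the password byte-for-byte, confirms that the payload decodes back to the same value, and reads the password from a prompt instead of an exported variable. The function names are hypothetical, and it assumes bash with base64 and tr available.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code); function names are hypothetical.

# Base64-encode stdin as a single line. GNU base64 wraps at 76 columns, which
# would place a raw newline inside the JSON string for long passwords.
b64_oneline() { base64 | tr -d '\n'; }

# Build the JSON patch for the secret's "password" key (same shape as step 2).
# printf '%s' "$1" passes the bytes through exactly: no word splitting, no glob
# expansion, no trailing newline.
build_password_patch() {
  local encoded
  encoded=$(printf '%s' "$1" | b64_oneline)
  printf '{"data":{"password":"%s"}}' "$encoded"
}

# Return 0 only if the patch decodes back to exactly the intended password.
# The appended "x" keeps $(...) from hiding a stray trailing newline.
patch_matches_password() {
  local patch="$1" want="$2" encoded
  encoded=${patch#*\"password\":\"}
  encoded=${encoded%%\"*}
  [ "$(printf '%s' "$encoded" | base64 -d; printf x)" = "${want}x" ]
}

# Prompt without echo (bash), so the password never lands in shell history,
# verify the payload, then apply it. Requires oc and the page's two variables.
rotate_instance_password() {
  local pw patch
  IFS= read -rs -p "New Db2 Warehouse password: " pw && echo
  patch=$(build_password_patch "$pw")
  patch_matches_password "$patch" "$pw" || return 1
  oc patch -n "${PROJECT_CPD_INST_OPERANDS}" \
    "$(oc get secret -n "${PROJECT_CPD_INST_OPERANDS}" \
         "c-${DB2_CR_ID}-instancepassword" -oname)" -p "$patch"
}

# Constructed sample input: consecutive spaces and a glob character.
sample='Tr1cky  pass *word'
patch_matches_password "$(build_password_patch "$sample")" "$sample" \
  && echo "round trip ok"
```

Source the file and call rotate_instance_password after DB2_CR_ID and PROJECT_CPD_INST_OPERANDS are set; steps 3 and 4 still follow.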
    

What to do next

If you have any instances of the Db2 Data Management Console, extra steps are required to update those database secrets. See Updating the database password secrets managed by Db2 Warehouse for details.