Replacing certificates for Data Gate and the remote target database

If the SSL certificates used by the remote Db2 instance are approaching their expiration date, they must be renewed or replaced before they expire. After the certificates are updated on the remote Db2 server, the corresponding TLS secret used by Data Gate must also be refreshed to contain the new certificates. Failure to update the TLS secret after certificate renewal can result in SSL handshake failures and loss of connectivity between Data Gate and the remote Db2 instance.

Before you begin

Ensure that you are logged in to the OpenShift cluster and that the secret that holds the TLS certificates for the remote Db2 instance already exists; this is the secret you update in this procedure, and its name is the value you use for CUSTOM_CERT_SECRET_NAME in step 3.

Procedure

  1. Stop replication in the instance.
    1. Run the following command to access the data-gate-apply container:
      oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} ${DG_POD} -c data-gate-apply bash
    2. Stop the synchronization function by running the following command:
      /head/tools/datagate-apply/stop_apply.sh

      If the command runs successfully, the screen output looks like this:

      Datagate-Apply-Stop: Stopping the datagate-apply instance:[XY1A]. It usually takes up to 1 minute.
      Datagate-Apply-Stop: Suspend the datagate-apply instance:[XY1A].
      SUCCESS - Instance XY1A is now SUSPENDED.
      Datagate-Apply-Stop: Suspend the datagate-apply instance:[XY1A] successfully.
      SUCCESS - Instance XY1A is now stopped.
      Datagate-Apply-Stop: Stop the datagate-apply instance:[XY1A] successfully.
  2. Update the secret so that it contains the renewed certificate. Regenerate the secret from the renewed certificate file and apply it in place rather than deleting and recreating it, and do this only after the certificate has been installed on the remote Db2 server so that both sides present matching certificates.
  3. Patch the Data Gate instance CustomResource to reference the custom certificate secret name. Set DG_INSTANCE_ID and CUSTOM_CERT_SECRET_NAME first, and run the command in the ${PROJECT_CPD_INST_OPERANDS} project (or add -n ${PROJECT_CPD_INST_OPERANDS}):
    DG_INSTANCE_ID=''
    CUSTOM_CERT_SECRET_NAME=''
    oc patch dginstance "dg${DG_INSTANCE_ID}" --type=merge -p \
      '{
        "spec": {
          "metadata": {
            "target_database_tls_secret_name": "'"${CUSTOM_CERT_SECRET_NAME}"'"
          }
        }
      }'
  4. The pods are recreated automatically. Wait until Data Gate has restarted and the new pods, which pick up the updated Db2 SSL certificate from the secret, are running before you continue; restarting replication against a pod that still has the old certificate mounted fails the SSL handshake.
  5. Restart the synchronization function of the Data Gate instance.
    1. Run the following command to access the data-gate-apply container:
      oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} ${DG_POD} -c data-gate-apply bash
    2. Start the synchronization function by running the following command:
      /head/tools/datagate-apply/start_apply.sh
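The following script is an added example and is not IBM's code or part of the original page: it wraps the steps of this procedure into shell functions and adds the checks a practitioner wants around them (refuse to roll out a certificate that is itself about to expire, and confirm that the CustomResource really references the new secret before waiting on the pods). It assumes things the page does not state: that the secret is a generic secret whose PEM is stored under the key named by CERT_KEY (defaulting to ca.crt), that the Data Gate pod keeps the same name after it is recreated, that oc and openssl are on PATH, and the placeholder defaults for the environment variables.

```shell
#!/usr/bin/env bash
# Added example (not IBM's code): certificate rotation for a Data Gate instance,
# following the procedure above with extra checks. Environment defaults below
# are placeholders (assumed), override them for a real cluster.
set -eu

: "${PROJECT_CPD_INST_OPERANDS:=cpd-instance}"   # project of the Data Gate instance
: "${DG_INSTANCE_ID:=1}"                           # CR name is "dg${DG_INSTANCE_ID}"
: "${DG_POD:=dg1-pod}"                             # pod with the data-gate-apply container
: "${CUSTOM_CERT_SECRET_NAME:=db2-tls-secret}"     # secret referenced by the CR
: "${CERT_KEY:=ca.crt}"                            # key holding the PEM (assumed name)

# Return 0 if the certificate on stdin stays valid for at least $1 seconds.
# Run on the renewed Db2 certificate before loading it into the secret: rolling
# out a stale file reproduces the handshake failures the procedure warns about.
cert_valid_for() {
  openssl x509 -noout -checkend "$1" >/dev/null
}

# Build the JSON merge patch used in step 3 (same content as the page's patch).
build_patch() {
  printf '{"spec":{"metadata":{"target_database_tls_secret_name":"%s"}}}' "$1"
}

# Step 2: refresh the secret in place. "oc create" alone fails because the
# secret exists, so generate the manifest with a client dry run and apply it.
update_secret() {   # $1 = path to the renewed PEM
  oc create secret generic "$CUSTOM_CERT_SECRET_NAME" -n "$PROJECT_CPD_INST_OPERANDS" \
     --from-file="$CERT_KEY=$1" --dry-run=client -o yaml | oc apply -f -
}

# Steps 1 and 5: run stop_apply.sh / start_apply.sh inside the apply container.
apply_ctl() {        # $1 = stop_apply.sh | start_apply.sh
  oc exec -n "$PROJECT_CPD_INST_OPERANDS" "$DG_POD" -c data-gate-apply -- \
     "/head/tools/datagate-apply/$1"
}

rotate() {           # $1 = path to the renewed PEM taken from the Db2 server
  cert_valid_for 2592000 <"$1" || {
    echo "certificate expires within 30 days; refusing to roll it out" >&2; return 1; }
  apply_ctl stop_apply.sh
  update_secret "$1"
  oc patch dginstance "dg${DG_INSTANCE_ID}" -n "$PROJECT_CPD_INST_OPERANDS" \
     --type=merge -p "$(build_patch "$CUSTOM_CERT_SECRET_NAME")"
  # Check that the CR references the new secret before waiting for pods.
  actual=$(oc get dginstance "dg${DG_INSTANCE_ID}" -n "$PROJECT_CPD_INST_OPERANDS" \
             -o jsonpath='{.spec.metadata.target_database_tls_secret_name}')
  [ "$actual" = "$CUSTOM_CERT_SECRET_NAME" ] || {
    echo "patch not applied, CR still references: $actual" >&2; return 1; }
  # Step 4: the operator recreates the pods. Give it time to delete the old pod
  # first, otherwise "oc wait" returns on the old, still-Ready pod (assumed
  # stable pod name; re-resolve DG_POD here if your pods are renamed).
  sleep 30
  oc wait pod/"$DG_POD" -n "$PROJECT_CPD_INST_OPERANDS" --for=condition=Ready --timeout=600s
  apply_ctl start_apply.sh
}

# Usage: ./rotate-dg-cert.sh --run /path/to/renewed-db2.pem
if [ "${1:-}" = "--run" ]; then rotate "$2"; fi
```

The 30-day threshold in rotate is a policy choice, not a Data Gate requirement; lower it if the Db2 server is deliberately issued short-lived certificates, but keep some margin so that a certificate that expires during the pod restart is never rolled out.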