The security certificates (SSL certificates) for Data Gate and your target database expire after twelve months. They are renewed automatically before the expiration date, but this scheduled renewal causes an outage of 10 to 20 minutes, during which the Data Gate service and the Db2 or Db2 Warehouse service are unavailable. You are notified of the scheduled certificate renewal ahead of time on the Data Gate user interface, but the automatic renewal might fall at an inconvenient time. To control when this outage happens, renew the certificates manually before the scheduled renewal date.
About this task
During the renewal of the Data Gate certificate, the Data Gate pod is restarted. During the renewal of the Db2 or Db2 Warehouse certificate, both the Data Gate pod and the target database pod are restarted. These restarts cause the outages.
Procedure
- To renew a certificate manually, first check the Data Gate user interface (instance dashboard) to see whether the Data Gate certificate or the target database certificate is scheduled for renewal.
- Follow the appropriate sequence of steps for the identified certificate type.
- If the Data Gate certificate is scheduled for renewal:
- Use the following command to identify the secret that holds the currently active certificate:
oc get secret -n ${PROJECT_CPD_INST_OPERANDS} | grep dg-internal
See the output in the following example (the columns are NAME, TYPE, DATA and AGE). It was obtained for a Data Gate service that is installed in an OpenShift® project called cpd-service:
dg-internal-tls-pkcs8 kubernetes.io/tls 3 1d0h
- Delete the secret that holds the currently active certificate. The following command uses the secret name from the previous example:
oc delete secret -n ${PROJECT_CPD_INST_OPERANDS} dg-internal-tls-pkcs8
The deletion forces a restart of the Data Gate pod. After the pod is running again, rerun the oc get secret command to confirm that the secret was re-created (its AGE column shows the new age).
Important:
During the restart of the pod, Data Gate and your target database will be out of service for 10 to 20 minutes. Therefore, plan this outage ahead of time.
- If the Db2 or Db2 Warehouse certificate is scheduled for renewal, and the Db2 instance was deployed by the default method (a Kubernetes secret that is generated without a vault):
- Use the following command to identify the secret that holds the currently active certificate:
oc get secret -n ${PROJECT_CPD_INST_OPERANDS} | grep <db2_type>-internal-tls
Set PROJECT_CPD_INST_OPERANDS to the project (namespace) of your Data Gate installation, or replace ${PROJECT_CPD_INST_OPERANDS} with that project name. Replace <db2_type> with the proper Db2 type, which is db2oltp for Db2, or db2wh for Db2 Warehouse. Then run the command.
See the output in the following example. It shows a Db2 secret that contains certificates:
db2oltp-internal-tls kubernetes.io/tls 3 4d6h
- Delete the secret that holds the currently active certificate. See the following example command, which uses the secret name from the previous example:
oc delete secret -n ${PROJECT_CPD_INST_OPERANDS} db2oltp-internal-tls
The deletion forces a restart of the Data Gate pod and the Db2 or Db2 Warehouse pods.
- Install the new certificate by following the instructions on this page: Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated
- If the Db2 or Db2 Warehouse certificate is scheduled for renewal, and the deployed Db2 instance uses secrets that are stored in a vault:
- Use the following command to identify the secret that holds the currently active certificate:
oc get secret -n ${PROJECT_CPD_INST_OPERANDS} | grep <db2_type>-<db2_instance_id>-db2-tls
Set PROJECT_CPD_INST_OPERANDS to the project (namespace) of your Data Gate installation, or replace ${PROJECT_CPD_INST_OPERANDS} with that project name. Replace <db2_type> with the proper Db2 type, which is db2oltp for Db2, or db2wh for Db2 Warehouse. Replace <db2_instance_id> with the Db2 instance ID, for example 1686647240738580. Then run the command.
See the output in the following example. It shows a Db2 secret that is stored in a vault:
db2oltp-1686647240738580-db2-tls kubernetes.io/tls 3 35m
- Edit the secret that contains your new Db2 certificates. The values in a Kubernetes secret are base64-encoded, not encrypted: anyone who can read the secret can recover the private key, so restrict access to it accordingly. Run the following commands to generate the base64 string for each file:
base64 -w0 ca.crt
base64 -w0 tls.crt
base64 -w0 tls.key
The -w0 option (GNU coreutils) suppresses line wrapping so that each value is a single line, as required in the secret.
- Run the following command to update the Db2 SSL certificates:
oc exec -it -n ${PROJECT_CPD_INST_OPERANDS} c-<db2_type>-<db2_instance_id>-db2u-0 -- bash -l /db2u/scripts/db2_rotate_ssl_certs.sh
For more information, see Updating the Db2 SSL certificate after the Cloud Pak for Data self-signed certificate is updated.
- Delete the Data Gate pods manually. Wait until Data Gate restarts and generates new pods that pick up the updated Db2 SSL certificate.
- If the Db2 or Db2 Warehouse certificate is scheduled for
renewal, and the deployed Db2 instance uses a
certificate in a secret with a custom name:
- Stop replication in the instance.
- Update the secret to contain the newest certificate.
- Patch the Data Gate instance CustomResource to reference the custom certificate secret name:
DG_INSTANCE_ID=''
CUSTOM_CERT_SECRET_NAME=''
oc patch dginstance "dg${DG_INSTANCE_ID}" --type=merge -p \
'{
"spec": {
"metadata": {
"target_database_tls_secret_name": "'"${CUSTOM_CERT_SECRET_NAME}"'"
}
}
}'
If the database instance was already configured to use a custom certificate secret before the Data Gate instance was provisioned, the Data Gate operator detected the secret during instance installation and you can skip this step. You can also skip it if you have applied this patch before and the secret name has not changed.
- Delete the Data Gate pods manually. If you just ran the patch from the previous step, the pods are recreated automatically. Wait until Data Gate restarts and generates new pods that pick up the updated Db2 SSL certificate.
- Restart replication in the instance.
- To update rotating secrets and restart Data Gate:
- Remote target Db2 database's TLS certificate secret (${TARGET_DB2_CERT_SECRET_NAME}): see step 1, where the secret was created.
- Remote target Db2 database's credentials secret (dg-${DG_INSTANCE_ID}-target-db2-username-password): see dg-connect-remote-db2.html#dg-connect-remote-db2__db2-step-5, where the secret was created.
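The following script is an added example and is not part of the Data Gate documentation or the product. It gathers the manual steps of the vault case (encode the new ca.crt, tls.crt and tls.key, update the Db2 TLS secret, run the Db2 rotation script, recycle the Data Gate pods) into functions, and adds the two checks a practitioner wants before touching a production secret: that the new certificate actually belongs to the new private key, and that it is not itself about to expire. It also shows how to read the expiry of the certificate currently stored in a secret, which is the CLI counterpart of the renewal notice on the dashboard. Assumptions, all of which are outside the page: oc, openssl and coreutils base64 are installed and you are logged in; the new files are in the current directory; DB2_TYPE, DB2_INSTANCE_ID and PROJECT_CPD_INST_OPERANDS are set as on this page; DG_POD_NAMES holds the Data Gate pod names shown by oc get pods, because the page names no label selector for them. The secret key names ca.crt, tls.crt and tls.key follow the kubernetes.io/tls convention of the secrets shown above.

```shell
#!/usr/bin/env bash
# Added example (not from the Data Gate documentation): helpers for manually
# rotating the Db2 TLS secret. See the lead-in for the assumed environment.

# Base64-encode a file as a single line. Same result as `base64 -w0`, but also
# works where base64 has no -w option (for example on macOS).
b64_file() {
    base64 < "$1" | tr -d '\n'
}

# Build the JSON merge patch that replaces the ca.crt, tls.crt and tls.key
# fields of a kubernetes.io/tls secret. Base64 is encoding, not encryption:
# the private key is readable by anyone who can read the secret.
build_tls_patch() {
    local ca="$1" crt="$2" key="$3" f
    for f in "$ca" "$crt" "$key"; do
        if [ ! -r "$f" ]; then
            echo "build_tls_patch: cannot read $f" >&2
            return 1
        fi
    done
    printf '{"data":{"ca.crt":"%s","tls.crt":"%s","tls.key":"%s"}}' \
        "$(b64_file "$ca")" "$(b64_file "$crt")" "$(b64_file "$key")"
}

# Checks before touching the cluster: the certificate's public key must match
# the private key (a mismatch leaves the listener down after the restart), and
# the certificate must not expire within 30 days (2592000 seconds).
check_new_material() {
    local crt="$1" key="$2" cert_pub key_pub
    cert_pub="$(openssl x509 -noout -pubkey -in "$crt")" || return 1
    key_pub="$(openssl pkey -pubout -in "$key")" || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "check_new_material: $crt does not belong to $key" >&2
        return 1
    fi
    # -checkend exits non-zero if the certificate expires within the given seconds
    openssl x509 -noout -checkend 2592000 -in "$crt" || {
        echo "check_new_material: $crt expires within 30 days" >&2
        return 1
    }
}

# Print the notAfter date of the certificate held in a TLS secret, to compare
# with the renewal date announced on the Data Gate dashboard.
# Usage: secret_cert_enddate "$PROJECT_CPD_INST_OPERANDS" dg-internal-tls-pkcs8
secret_cert_enddate() {
    local ns="$1" secret="$2"
    oc get secret -n "$ns" "$secret" -o jsonpath='{.data.tls\.crt}' \
        | base64 -d | openssl x509 -noout -enddate
}

# Vault case: patch the Db2 TLS secret, run Db2's rotation script, then delete
# the Data Gate pods so the replacements pick up the new certificate.
rotate_db2_tls() {
    local ns="${PROJECT_CPD_INST_OPERANDS:?set to the Data Gate project}"
    local db2_type="${DB2_TYPE:?db2oltp or db2wh}"
    local id="${DB2_INSTANCE_ID:?Db2 instance ID, for example 1686647240738580}"
    local secret="${db2_type}-${id}-db2-tls" patch
    check_new_material tls.crt tls.key || return 1
    patch="$(build_tls_patch ca.crt tls.crt tls.key)" || return 1
    # The patch stays in a variable rather than a temp file so the key never hits disk.
    oc patch secret -n "$ns" "$secret" --type=merge -p "$patch"
    oc exec -n "$ns" "c-${db2_type}-${id}-db2u-0" -- bash -l /db2u/scripts/db2_rotate_ssl_certs.sh
    # DG_POD_NAMES is a space-separated list (assumed; the page gives no selector), so it is unquoted.
    # shellcheck disable=SC2086
    oc delete pod -n "$ns" ${DG_POD_NAMES:?space-separated Data Gate pod names}
    echo "Wait until the Data Gate pods are Running again: oc get pods -n $ns"
}

# Only act when invoked as `./rotate-db2-tls.sh run`; sourcing the file just
# defines the functions so they can be used one at a time.
if [ "${1:-}" = "run" ]; then
    rotate_db2_tls
fi
```

Run `secret_cert_enddate` first on both the Data Gate secret and the Db2 secret; if the date is close, prepare the new files, let `check_new_material` reject a wrong key pair or a stale certificate, and only then run the rotation. The custom-secret-name case (step 4 above) uses the same `build_tls_patch` output against the custom secret, followed by the CustomResource patch shown there.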