Refreshing the secret of a remote Db2 target database

Using a script to refresh the secret of a remote Db2 target database.

About this task

To connect to a remote Db2 target database instance, Data Gate requires user credentials that are stored in OpenShift® secrets. Use the following procedure when these credentials need to be changed, for example to rotate passwords.

Procedure

  1. Ensure that you are logged in to the OpenShift cluster and have set the PROJECT_CPD_INST_OPERANDS environment variable.
  2. Set up variables that identify the Data Gate instance whose remote Db2 credentials are to be rotated.
    1. Identify the Data Gate instance identifier by issuing the oc get dginstance command, and assign the value to the variable DG_INSTANCE_ID. For example:
      oc get dginstance -n ${PROJECT_CPD_INST_OPERANDS}
      NAME                 VERSION   BUILD      STATUS      RECONCILED   AGE
      dg1699914520773847   5.0.0     5.0.0.82   Completed   5.0.0        6h58m

      In this example, the instance ID is dg1699914520773847. Set the variable DG_INSTANCE_ID to this instance ID.

    2. Identify the Data Gate instance pod, and assign the value to the variable DG_POD by issuing the following oc get pod command:
      DG_POD=$(oc get pod -n "${PROJECT_CPD_INST_OPERANDS}" \
        -l "icpdsupport/app=dg-instance-server,icpdsupport/serviceInstanceId=$(echo "${DG_INSTANCE_ID}" | sed 's/^dg//')" \
        -o jsonpath='{.items[0].metadata.name}')
    3. Identify the Data Gate instance configuration secret, and assign the value to the variable SECRET_NAME by issuing the following command:
      SECRET_NAME="dg-$(echo "${DG_INSTANCE_ID}" | sed 's/^dg//')-configuration-secret"
  3. Rotate the secret for accessing the remote target database instance by providing the updated values for the NEW_USERNAME and NEW_PASSWORD variables:
    NEW_USERNAME="<enter new username>"
    NEW_PASSWORD="<enter new password>"
    
    oc patch secret "${SECRET_NAME}" \
      -n "${PROJECT_CPD_INST_OPERANDS}" \
      --type=merge \
      -p "{
        \"data\": {
          \"username\": \"$(printf '%s' "${NEW_USERNAME}" | base64 | tr -d '\n')\",
          \"password\": \"$(printf '%s' "${NEW_PASSWORD}" | base64 | tr -d '\n')\"
        }
      }"
  4. Stop the Data Gate synchronization function.
    1. Run the following command to access the data-gate-apply container:
      oc exec -it -n "${PROJECT_CPD_INST_OPERANDS}" "${DG_POD}" -c data-gate-apply -- bash
    2. Stop the synchronization function by running the following command:
      /head/tools/datagate-apply/stop_apply.sh

      If the command runs successfully, the screen output looks like this:

      Datagate-Apply-Stop: Stopping the datagate-apply instance:[XY1A]. It usually takes up to 1 minute.
      Datagate-Apply-Stop: Suspend the datagate-apply instance:[XY1A].
      SUCCESS - Instance XY1A is now SUSPENDED.
      Datagate-Apply-Stop: Suspend the datagate-apply instance:[XY1A] successfully.
      SUCCESS - Instance XY1A is now stopped.
      Datagate-Apply-Stop: Stop the datagate-apply instance:[XY1A] successfully.
  5. Refresh the remote Db2 credentials in the Data Gate configuration file and restart the Data Gate server service.
    1. Access the data-gate-server container by running the following command:
      oc exec -it -n "${PROJECT_CPD_INST_OPERANDS}" "${DG_POD}" -c data-gate-server -- bash
    2. Run the following command to make the Data Gate server pick up the changed target database secret:
      /head/tools/datagate-server/refresh_db2luw_password.sh

      A successful command execution generates the following screen output:

      2023-06-13 13:41:32 - Refresh-Password: Start to refresh password
      2023-06-13 13:41:32 - Refresh-Password: Enforce /head/dwa/etc/dwa.server.password-salt
      permission to 400
      Accelerator-Stop: Found the process of Datgate Server and start to shutdown it.
      Accelerator-Stop: Datgate Server has been stopped successfully
      2023-06-13 13:41:33,250 - INFO - The generation of the dwa password for the
      platform user was successful 2023-06-13 13:41:33.
      .
      .
      .
      Accelerator-Start: Please checkout the detailed server log from
      /head/dwa/var/log/ffdc/dwa-server.stdout.2023-06-13-13-41-34-UTC
      2023-06-13 13:41:34 - Refresh-Password: Refresh password successfully
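
Steps 2.3 and 3 can be wrapped in a function that reads the new credentials at a prompt, so the password is not saved in shell history, and confirms that the stored secret matches before you continue with step 4. This is an added example, not part of the original procedure or of Data Gate; the function names are assumptions, and it expects bash, a logged-in oc session, and PROJECT_CPD_INST_OPERANDS to be set.

```shell
#!/usr/bin/env bash
# Added example; the function names are hypothetical, not part of Data Gate.

# Step 2.3: configuration secret name for an instance ID such as dg1699914520773847.
secret_name() { printf 'dg-%s-configuration-secret' "${1#dg}"; }

# Base64 without a trailing newline and without the line wrapping that
# GNU base64 applies to long values.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Step 3: merge patch body. Base64 output is limited to [A-Za-z0-9+/=],
# so it can be placed in the JSON string without escaping.
build_patch() {
  printf '{"data":{"username":"%s","password":"%s"}}' "$(b64 "$1")" "$(b64 "$2")"
}

# Succeeds only if key $2 of secret $1 holds the encoding of value $3.
# Compares encodings, so the password is never decoded or printed.
stored_matches() {
  local stored
  stored=$(oc get secret "$1" -n "${PROJECT_CPD_INST_OPERANDS}" \
    -o "jsonpath={.data.$2}") || return 1
  [ "${stored}" = "$(b64 "$3")" ]
}

rotate_remote_db2_secret() {
  local secret new_user new_pass
  secret=$(secret_name "$1")
  read -r -p "New username: " new_user
  read -r -s -p "New password: " new_pass; echo   # -s: input is not echoed
  if [ -z "${new_user}" ] || [ -z "${new_pass}" ]; then
    echo "Empty value entered; secret left unchanged." >&2; return 1
  fi
  oc patch secret "${secret}" -n "${PROJECT_CPD_INST_OPERANDS}" --type=merge \
    -p "$(build_patch "${new_user}" "${new_pass}")" || return 1
  if stored_matches "${secret}" username "${new_user}" &&
     stored_matches "${secret}" password "${new_pass}"; then
    echo "Secret ${secret} updated; continue with step 4."
  else
    echo "Stored values differ from the input; do not restart yet." >&2; return 1
  fi
}
```

Call it as rotate_remote_db2_secret "${DG_INSTANCE_ID}". The encoded password is still passed to oc patch as a command-line argument, as in step 3.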