Preserving old certificate files during upgrade
If you are upgrading IAS from versions older than 1.0.23.2 to 1.0.23.2 or newer, or Db2 Warehouse from versions older than 11.5.4.0-CN2 to 11.5.4.0-CN2 or newer, you must specify the old certificates by using the SSL environment variables to retain a self-generated certificate.
Procedure
1. Before you can start the upgrade procedure, you must extract the SSL certs from /mnt/blumeta0/db2/ssl_keystore/. Run the following commands inside the container:
   - gsk8capicmd_64 -cert -export -db /mnt/blumeta0/db2/ssl_keystore/bludb_ssl.kdb -stashed -label 'CA-signed' -target /mnt/blumeta0/db2/ssl_keystore/db2_ssl.p12
     When you are prompted to input a password to use for encryption, use one that has at least 4 characters. The password does not have any other restrictions.
   - openssl pkcs12 -in /mnt/blumeta0/db2/ssl_keystore/db2_ssl.p12 -info -nocerts -nodes > /mnt/blumeta0/db2/ssl_keystore/db2_ssl.key
   - openssl pkcs12 -in /mnt/blumeta0/db2/ssl_keystore/db2_ssl.p12 -info -nokeys > /mnt/blumeta0/db2/ssl_keystore/db2_ssl.pem
2. Take a backup of the certificates that were generated in step 1 and save it to some persistent location.
   - For IAS. Example:
     cp /mnt/blumeta0/db2/ssl_keystore/rootCA.pem /scratch
     cp /mnt/blumeta0/db2/ssl_keystore/db2_ssl.pem /mnt/blumeta0/db2/ssl_keystore/db2_ssl.key /scratch
   - For Db2 Warehouse:
     cp /mnt/blumeta0/db2/ssl_keystore/rootCA.pem /mnt/bludata0/scratch/
     cp /mnt/blumeta0/db2/ssl_keystore/db2_ssl.pem /mnt/blumeta0/db2/ssl_keystore/db2_ssl.key /mnt/bludata0/scratch/
3. For IAS: Edit the dashdb.env file and set the SSL environment variables to the location of the certificate files (the files that you preserved in step 2). The location of the dashdb.env file is /opt/ibm/appliance/storage/head/dashdb.env.
   Note: If you are on Db2 Warehouse, skip this step and go to step 4.
   SSL_CERT_KEY_FILE=/scratch/db2_ssl.key
   SSL_CERT_FILE=/scratch/db2_ssl.pem
   SSL_CERT_CA_FILE=/scratch/rootCA.pem
4. For Db2 Warehouse: While you are upgrading the container or containers, you must specify the SSL environment variables in the docker run or podman run command that is described in step 8 in Updating an IBM Db2 Warehouse MPP deployment on Linux.
   docker run -d -it --privileged=true --net=host --name=dashDB -e SSL_CERT_CA_FILE=/mnt/bludata0/scratch/rootCA.pem -e SSL_CERT_FILE=/mnt/bludata0/scratch/db2_ssl.pem -e SSL_CERT_KEY_FILE=/mnt/bludata0/scratch/db2_ssl.key -v /mnt/clusterfs:/mnt/bludata0 -v /mnt/clusterfs:/mnt/blumeta0 icr.io/obs/hdm/db2wh_ee:v11.5.5.0-db2wh-linux
   podman run -d -it --privileged=true --net=host --name=dashDB -e SSL_CERT_CA_FILE=/mnt/bludata0/scratch/rootCA.pem -e SSL_CERT_FILE=/mnt/bludata0/scratch/db2_ssl.pem -e SSL_CERT_KEY_FILE=/mnt/bludata0/scratch/db2_ssl.key -v /mnt/clusterfs:/mnt/bludata0 -v /mnt/clusterfs:/mnt/blumeta0 icr.io/obs/hdm/db2wh_ee:v11.5.5.0-db2wh-linux
- For Db2 Warehouse:
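Before the SSL_CERT_* variables are pointed at the preserved files, it is worth confirming that the exported key really belongs to the exported certificate and that the certificate chains to the preserved rootCA.pem, because a mismatch only surfaces as a TLS failure once the upgraded container starts. The following POSIX shell check is an added example, not part of the IBM procedure; it assumes openssl is on the PATH and takes the three file paths from step 2 as arguments.

```shell
#!/bin/sh
# Added example (not from the IBM documentation): sanity-check the certificate
# files preserved in step 2 before pointing SSL_CERT_* at them.
# Assumes openssl is on PATH. Usage:
#   verify_preserved_certs <rootCA.pem> <db2_ssl.pem> <db2_ssl.key>
# Returns 0 when the key matches the certificate and the certificate is
# signed by the given CA; non-zero (with a reason on stderr) otherwise.
verify_preserved_certs() {
    ca="$1"; cert="$2"; key="$3"

    # 1. All three files must exist and be non-empty.
    for f in "$ca" "$cert" "$key"; do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            return 1
        fi
    done

    # 2. The private key must belong to the certificate. Comparing the PEM
    #    public keys works for RSA and EC keys alike. The -info output of
    #    'openssl pkcs12' carries Bag Attributes before the PEM block, which
    #    openssl x509/pkey skip on their own.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "unreadable certificate: $cert" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "unreadable or encrypted key: $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key $key does not match certificate $cert" >&2
        return 1
    fi

    # 3. The certificate must be signed by the preserved root CA.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate $cert is not signed by CA $ca" >&2
        return 1
    fi

    # 4. The key was exported with -nodes (unencrypted), so flag a copy that
    #    group or others can read. Portable: ls columns 5-10 are group/other.
    case "$(ls -ld "$key" | cut -c5-10)" in
        *r*) echo "warning: $key is readable by group or others" >&2 ;;
    esac
    return 0
}

# Example invocation with the IAS scratch paths from the procedure:
# verify_preserved_certs /scratch/rootCA.pem /scratch/db2_ssl.pem /scratch/db2_ssl.key
```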