Renewing or replacing the TLS certificate in an HADR configuration

You can renew a Transport Layer Security (TLS) certificate that is about to expire, or replace the certificate. The TLS certificate is needed for encrypted communication between primary and standby HADR servers.

Procedure

The steps are slightly different between renewing an existing TLS certificate and replacing a TLS certificate.
Replacing a TLS certificate
  1. On the primary host, stop HADR:
    db2 stop hadr on db <db>
  2. On the primary host, update HADR_SSL_LABEL:
    db2 update db cfg for <db> using HADR_SSL_LABEL <primaryNewLabel>
  3. On the standby host, deactivate the database:
    db2 deactivate db <db>
  4. On the standby host, update HADR_SSL_LABEL:
    db2 update db cfg for <db> using HADR_SSL_LABEL <standbyNewLabel>
  5. On the standby host, activate the database:
    db2 activate db <db>
  6. On the primary host, start HADR:
    db2 start hadr on db <db> as primary
Renewing a TLS certificate
  1. On the primary host, stop HADR:
    db2 stop hadr on db <db>
  2. On the standby host, deactivate the database:
    db2 deactivate db <db>
  3. On the standby host, activate the database:
    db2 activate db <db>
  4. On the primary host, start HADR:
    db2 start hadr on db <db> as primary
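
When replacing a certificate, it helps to confirm on each host that HADR_SSL_LABEL holds the intended label before HADR is started again. The following check is an added example, not part of the original procedure; the function names are hypothetical, the sample configuration text is constructed, and it assumes the "Description (PARAMETER) = value" layout of `db2 get db cfg` output.

```shell
#!/bin/sh
# Added example: verify HADR_SSL_LABEL before restarting HADR.
# On a real host the input would come from:
#   db2 get db cfg for <db> | check_hadr_ssl_label <primaryNewLabel>

# Print the HADR_SSL_LABEL value found in db cfg text on stdin.
# Exits non-zero when the parameter line is missing.
hadr_ssl_label() {
    awk -F' = ' '/\(HADR_SSL_LABEL\) =/ {
        gsub(/^[ \t]+|[ \t\r]+$/, "", $2); print $2; found = 1; exit
    }
    END { if (!found) exit 1 }'
}

# Succeed only when the configured label equals the expected one.
# $1 = expected label; db cfg text on stdin.
# Returns 0 on match, 1 on mismatch, 2 when the parameter is absent.
check_hadr_ssl_label() {
    expected=$1
    actual=$(hadr_ssl_label) || {
        echo "HADR_SSL_LABEL not found in configuration output" >&2
        return 2
    }
    if [ "$actual" = "$expected" ]; then
        echo "OK: HADR_SSL_LABEL = $actual"
    else
        echo "MISMATCH: HADR_SSL_LABEL = '$actual', expected '$expected'" >&2
        return 1
    fi
}

# Constructed sample of db cfg output (not captured from a real system).
SAMPLE_CFG=' HADR local host name                  (HADR_LOCAL_HOST) = hostA.example.com
 HADR SSL certificate label             (HADR_SSL_LABEL) = primaryNewLabel
 HADR timeout value                       (HADR_TIMEOUT) = 120'

# Demonstration against the constructed sample.
printf '%s\n' "$SAMPLE_CFG" | check_hadr_ssl_label primaryNewLabel
```

Run the check on the primary with the primary's new label and on the standby with the standby's new label; a non-zero exit status means the label should be corrected before starting HADR.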