Data Management Global

Installing Custom SSL Certificates for DMC on Docker Containers

By JOBIN J posted Sat April 19, 2025 02:28 AM


When users access your IBM Data Management Console (DMC) through a web browser, securing that connection is crucial to protect sensitive data. Installing custom SSL certificates on your Docker container running DMC ensures that all communication between the browser and the console is encrypted and trusted. In this guide, we’ll walk you through the process of installing custom SSL certificates and also show you how to generate a self-signed certificate if you don’t have one already. Let’s get started on securing your DMC console for safe and trusted browser connections!



Prerequisites

Before proceeding, ensure that you have the following SSL certificate files in PEM format:

  1. tls.crt: The SSL certificate file.
  2. tls.key: The corresponding private key for the certificate (without a passphrase; see the steps below for removing one).



Important Considerations:

  • The tls.crt file should contain the SSL certificate.
  • The tls.key file should contain the private key.
  • The private key in tls.key must be the key that corresponds to the certificate in tls.crt.
  • The file names must be exactly tls.crt for the certificate and tls.key for the private key. The file names are case-sensitive.
  • If your certificate or key is in a different format, convert it to PEM format using a tool such as openssl.



Install Docker

In this step, we’ll prepare our system to install Docker by adding the necessary packages and Docker's official repository. This will ensure that Docker is installed securely and kept up to date. We’ll also verify that Docker is successfully installed and running.

# Install necessary packages for adding Docker repository and installing Docker
sudo apt install apt-transport-https ca-certificates curl software-properties-common

# Download and add Docker's official GPG key for package verification
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add -

# Add Docker's repository to the system's list of software sources
sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu focal stable"

# Confirm that docker-ce will be installed from Docker's repository (shows the candidate version and its source)
apt-cache policy docker-ce

# Install Docker Community Edition (docker-ce) package
sudo apt install docker-ce

# Check the status of the Docker service to ensure it's running
sudo systemctl status docker



Check for Existing SSL Certificates

If you already have an SSL certificate (tls.crt) and key (tls.key), ensure that the files are in PEM format. If they are in a different format, follow the steps below to convert them to PEM format.

Convert Certificates to PEM Format (if necessary)

If your SSL certificate and private key are in a different format, you will need to convert them to PEM format. After conversion, ensure that the files are named exactly as tls.crt for the certificate and tls.key for the private key. Once you have these files in the correct format and with the proper names, you can proceed with the following steps.



Creating a Self-Signed SSL Certificate (if needed)

If you don't already have a certificate, you can create a self-signed SSL certificate using openssl. Follow these steps to generate a new certificate and key:


Generate a Private Key: This command generates a private key (tls.key) encrypted with AES-256:

openssl genpkey -algorithm RSA -out tls.key -aes256

You will be prompted to enter a passphrase to encrypt the private key. Remember this passphrase, because you will need it in the next step to remove it from the key.


Remove the Passphrase from the Private Key: The console reads tls.key unattended, so the key must be stored without a passphrase (see Prerequisites). The following command rewrites the key in place; you will be prompted for the passphrase one last time:

openssl rsa -in tls.key -out tls.key


Generate a Self-Signed Certificate: Now that you have the private key, you can generate a self-signed certificate. The following command creates the certificate (tls.crt) from the private key (tls.key), valid for 365 days.

openssl req -new -x509 -key tls.key -out tls.crt -days 365

During this process, you'll be prompted to enter various details like your country, state, and organization. This information will be embedded in the certificate.


Verify the Certificate and Key: You can verify that the certificate and key match by running:

openssl x509 -noout -modulus -in tls.crt | openssl md5
openssl rsa -noout -modulus -in tls.key | openssl md5

Both commands should produce the same output, confirming that the certificate and key match.



Setting Up the Certificate Directory

Once you have the tls.crt and tls.key files, you need to place them in a specific directory for use with Docker.


Create a Directory for SSL Certificates: First, create a directory where your SSL certificates will reside. For example, create a directory called /mycerts:

mkdir -p /mycerts


Move the SSL Certificate Files: After creating the directory, move or copy your tls.crt and tls.key files into this directory:

cp tls.crt /mycerts
cp tls.key /mycerts


Now set read permission on the certificate files so that the user inside the Docker container can read them. (If your host policy requires tighter permissions, for example read access only for the UID the container runs as, apply those instead.)

chmod a+r -R /mycerts/*
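As an added example (not part of the original post), the following shell script performs the self-signed certificate steps above non-interactively and then runs a pre-flight check over a certificate directory such as /mycerts before it is mounted: exact file names, PEM format, no passphrase on the key, key/certificate match, validity period, a subjectAltName for the CONSOLE_HOSTNAME, and read permission. The directory, hostname and passphrase are constructed values, and the script assumes OpenSSL 1.1.1 or later (for -addext).

```shell
#!/bin/sh
# Added example: non-interactive version of the post's openssl steps plus a
# pre-flight check of the certificate directory. All names are constructed.

# Mirrors the three openssl commands from the post, driven by -pass/-subj so no
# prompts appear, and adds a SAN so browsers accept the console hostname.
make_self_signed() {  # usage: make_self_signed DIR HOSTNAME
  dir=$1; host=$2; pass=pass:constructed-passphrase
  mkdir -p "$dir"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -aes256 \
    -pass "$pass" -out "$dir/tls.key.enc" 2>/dev/null
  # Strip the passphrase: the container loads tls.key unattended.
  openssl rsa -in "$dir/tls.key.enc" -passin "$pass" -out "$dir/tls.key" 2>/dev/null
  rm -f "$dir/tls.key.enc"
  openssl req -new -x509 -key "$dir/tls.key" -out "$dir/tls.crt" -days 365 \
    -subj "/CN=$host" -addext "subjectAltName=DNS:$host" 2>/dev/null
  chmod a+r "$dir/tls.crt" "$dir/tls.key"
}

# Returns 0 when DIR holds a usable tls.crt/tls.key pair for HOSTNAME; otherwise
# prints the first failing check and returns 1.
preflight_certs_dir() {  # usage: preflight_certs_dir DIR HOSTNAME
  dir=$1; host=$2; crt="$dir/tls.crt"; key="$dir/tls.key"
  [ -f "$crt" ] && [ -f "$key" ] \
    || { echo "missing tls.crt or tls.key (names are case-sensitive)"; return 1; }
  grep -q 'BEGIN CERTIFICATE' "$crt" || { echo "tls.crt is not PEM"; return 1; }
  ! grep -q 'ENCRYPTED' "$key" || { echo "tls.key still has a passphrase"; return 1; }
  # Compare the public keys rather than RSA moduli so EC keys are covered too.
  cpub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) \
    || { echo "cannot parse tls.crt"; return 1; }
  kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
    || { echo "cannot parse tls.key"; return 1; }
  [ "$cpub" = "$kpub" ] || { echo "tls.crt and tls.key do not match"; return 1; }
  openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
    || { echo "tls.crt has expired"; return 1; }
  openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" \
    || { echo "tls.crt has no subjectAltName for $host"; return 1; }
  for f in "$crt" "$key"; do
    # 8th character of ls -l is the others-read bit the container user needs.
    [ "$(ls -l "$f" | cut -c8)" = "r" ] || { echo "$f is not world-readable"; return 1; }
  done
  echo "preflight ok: $dir is ready to mount at /opt/ibm/console/certs"
}
```

Run `make_self_signed /mycerts mydmc.com` to produce the pair, then `preflight_certs_dir /mycerts mydmc.com` before the docker run step; the public-key comparison generalizes the post's RSA modulus check to any key type.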



Create the DMC storage directory and set the permissions

Before running the container, ensure that the persistent storage directory (referred to as <dmc storage dir>) for console configuration and logs exists. This directory should be created at the specified absolute path if it does not already exist. You can create the directory as follows:

mkdir -p /mydmc


Now, we need to set read and write permissions for this directory for the container user.

chmod 777 /mydmc



Deploy the DMC container with SSL certificates

Configure the console credentials as environment variables by creating a .env_list file in the following format:


Create a file named .env_list.

vi .env_list


Add the following values based on your needs.

LICENSE=accept
ADMIN_NAME=admin
ADMIN_PASSWORD=admin
CONSOLE_HOSTNAME=<console hostname, e.g. mydmc.com>

  • CONSOLE_HOSTNAME specifies the hostname used to access the console. Default is null.
  • ADMIN_NAME specifies the username of the administrator. Default is admin.
  • ADMIN_PASSWORD specifies the password of the administrator. Default is an auto-generated 8-character password.


For the SSL certificates to be accessible to your Docker container, you need to mount the /mycerts directory into the container's /opt/ibm/console/certs directory. This is done using a Docker volume mount.

Use the following docker run command to mount the directory containing your certificates and the persistent storage for the container. Replace <env list>, <dmc storage dir> and <certs dir> with your environment file, the directory where you want to store the container data, and the certificate directory.

docker run -d --name mydmc \
   -p 11081:8443 \
   --env-file <env list>  \
   -v <dmc storage dir>:/mnt \
   -v <certs dir>:/opt/ibm/console/certs \
   -v /etc/localtime:/etc/localtime:ro \
   icr.io/cpopen/db2console/db2console:latest

For example:

docker run -d --name mydmc \
   -p 11081:8443 \
   --env-file .env_list \
   -v /mydmc:/mnt \
   -v /mycerts:/opt/ibm/console/certs \
   -v /etc/localtime:/etc/localtime:ro \
   icr.io/cpopen/db2console/db2console:latest


If you want to expose HTTP as well, add the HTTP port like this:

-p 11080:11080


Explanation of Parameters:

  • -d: Runs the container in detached mode, meaning it runs in the background.
  • --name mydmc: Assigns the name mydmc to the container, making it easier to reference or manage the container later.
  • -p 11081:8443: Maps port 8443 inside the container (the HTTPS port) to port 11081 on your host machine, allowing you to access the container’s web interface through https://<host-ip>:11081.
  • --env-file <env list>: Specifies a file containing environment variable definitions (<env list>), which configures the container’s environment variables, such as the console administrator credentials and the console hostname.
  • -v <dmc storage dir>:/mnt: Mounts the directory <dmc storage dir> from the host system (where persistent data like logs and configurations are stored) to /mnt inside the container, allowing the container to access and persist data.
  • -v <certs dir>:/opt/ibm/console/certs: Mounts the <certs dir> directory from the host system (which contains your SSL certificates, such as tls.crt and tls.key) to /opt/ibm/console/certs in the container, enabling the container to use custom certificates for secure communications.
  • -v /etc/localtime:/etc/localtime:ro: Synchronizes the container’s time zone with the host system’s time zone by mounting /etc/localtime from the host to the container. The ro flag makes this mount read-only, ensuring no changes are made to the host system’s time zone settings.
  • icr.io/cpopen/db2console/db2console:latest: Specifies the Docker image (icr.io/cpopen/db2console/db2console:latest) to be used to create the container. This image contains the DB2 console for managing IBM DB2 instances.



Verifying SSL Certificate Deployment

Once you run the docker run command, the SSL certificates are deployed to the container. You can verify this by checking the logs for confirmation.

docker logs -f mydmc



Troubleshooting

Check Docker logs for the DMC status:

docker logs -f mydmc


In the container's log file, you should see messages similar to the following:

2025-01-08 22:42:11 : Starting console...
md5 checksum for /opt/ibm/console/certs/tls.crt 


This log message indicates that the container has successfully recognized and deployed your custom SSL certificates.


