Thank you so much Jason. Worked perfectly and was able to set up the SSL connection for the Repository DB from the DMC console.
When I am trying to add a new DB connection to monitor using the SSL connection, I am seeing issues. Do I need to perform any additional steps to monitor a couple of databases using SSL connections from the DMC console?
I need to add close to 50 databases from the DMC console using SSL connections. Can you please advise?
------------------------------
Saravanan Santhanam
------------------------------
Original Message:
Sent: Wed July 14, 2021 01:43 AM
From: Jason Sizto
Subject: DMC: Repository database object creation and SSL connection
Hi Saravanan,
The Truststore location will store the full path to the truststore where you imported the target database's exported cert. The Truststore password is the password for the truststore. If the cert for your Db2 is obtained from a trusted CA, you can generally omit the step to pass in the Truststore location and Truststore password, as the cert is from a trusted CA. This step is needed if your Db2 cert is generated by an internal CA or it is a self-signed cert.
Just in case, the following steps generate a self-signed cert for your Db2 and show how to configure it in Db2 and in DMC.
cd ~/sqllib/security;
export PATH=$PATH:/home/db2inst1/sqllib/gskit/bin;
mkdir ~/sqllib/security/ext12lnxKeystore;
cd ~/sqllib/security/ext12lnxKeystore;
gsk8capicmd_64 -keydb -create -db "ext12lnx.kdb" -pw "passw0rd" -expire 1460 -stash;
gsk8capicmd_64 -cert -create -db "ext12lnx.kdb" -pw "passw0rd" -label "ext12lnxselfsigned" -dn "CN=ext12lnx.centers.testing.com,O=Db2,OU=LUW,L=Poughkeepsie,ST=NY,C=US" -size 2048 -expire 1460 -sigalg SHA256_WITH_RSA;
gsk8capicmd_64 -cert -extract -db "ext12lnx.kdb" -pw "passw0rd" -label "ext12lnxselfsigned" -target "ext12lnx.arm" -format ascii -fips;
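db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/ext12lnxKeystore/ext12lnx.kdb;
db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/sqllib/security/ext12lnxKeystore/ext12lnx.sth;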
db2 update dbm cfg using SSL_SVR_LABEL ext12lnxselfsigned;
vi /etc/services
add this line:
db2c_db2inst1_ssl 50001/tcp
db2 update dbm cfg using SSL_SVCENAME 50001;
db2set -i db2inst1 DB2COMM=SSL,TCPIP;
db2 update dbm cfg using ssl_versions TLSv12;
db2stop force;
db2start;
netstat -an |grep 5000 |grep LISTEN
You should see that both ports 50000 and 50001 are listening.
Now, on the DMC machine, e.g., you can create a truststore in /opt/truststore.
FTP ext12lnx.arm from the Db2 machine to the DMC machine.
Set PATH to include keystore, e.g.:
export PATH=/opt/dmc/ibm-datamgmtconsole/java/jre/bin/:$PATH
mkdir /opt/keystore;
keytool -keystore /opt/keystore/db2truststore -storepass passw0rd -alias ext12lnxLUWAlias -import -file ext12lnx.arm
In the Repository connection page, you can set Truststore location to /opt/keystore/db2truststore and Truststore password to passw0rd.
After you set up the repository connection with SSL, and if you use Jobs, you need to follow the steps here to set up SSL for the ODBC CLI driver: https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=support-enabling-ssl-connection-job-repository
------------------------------
Jason Sizto
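The netstat check in the steps above only shows that port 50001 is listening. As an added example (not part of the original post and not IBM tooling), the script below attempts a TLS 1.2 handshake against each Db2 SSL port and verifies the server certificate against the exported ext12lnx.arm, which helps when many databases have to be registered over SSL. The function names and the TARGETS list are assumptions; hostname matching is off by default on the assumption that a certificate created with only a DN carries no subjectAltName, so trust rests on the pinned certificate file.

```python
import socket
import ssl

def build_context(cafile=None, check_hostname=False):
    """Client context: TLS 1.2 or newer, trusting only the exported cert file."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # matches ssl_versions TLSv12
    ctx.check_hostname = check_hostname
    ctx.verify_mode = ssl.CERT_REQUIRED            # never accept an unverified cert
    if cafile:
        ctx.load_verify_locations(cafile=cafile)   # e.g. ext12lnx.arm (ASCII/PEM)
    return ctx

def check_endpoint(host, port, cafile=None, check_hostname=False, timeout=5.0):
    """Attempt a handshake and classify the outcome for one Db2 SSL port."""
    try:
        ctx = build_context(cafile, check_hostname)
    except OSError as exc:                         # missing or unparsable cert file
        return {"ok": False, "status": "bad_truststore", "detail": str(exc)}
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"ok": True, "status": "ok", "detail": tls.version()}
    except ssl.SSLCertVerificationError as exc:    # cert does not chain to the trusted file
        return {"ok": False, "status": "untrusted", "detail": exc.verify_message}
    except ssl.SSLError as exc:                    # listening, but no TLS 1.2+ handshake
        return {"ok": False, "status": "handshake_failed", "detail": str(exc)}
    except OSError as exc:                         # refused, timed out, DNS failure
        return {"ok": False, "status": "unreachable", "detail": str(exc)}

# Constructed inventory (host, SSL port, exported cert); one row per database.
TARGETS = [("ext12lnx.centers.testing.com", 50001, "ext12lnx.arm")]

if __name__ == "__main__":
    for host, port, cafile in TARGETS:
        result = check_endpoint(host, port, cafile)
        print(f"{host}:{port} {result['status']}: {result['detail']}")
```

A status of "untrusted" means the port speaks TLS but presents a certificate other than the one in the file, which is the same condition that would make a truststore built from that file reject the connection.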
Original Message:
Sent: Mon July 12, 2021 04:57 PM
From: Saravanan Santhanam
Subject: DMC: Repository database object creation and SSL connection
Hi Jason ,
What do I need to provide for the below values for setting up the REPODB with SSL connection? Truststore location and Truststore password?
Thanks,
Saravanan
------------------------------
Saravanan Santhanam
Original Message:
Sent: Sun June 06, 2021 07:38 PM
From: Jason Sizto
Subject: DMC: Repository database object creation and SSL connection
Hi Colin,
setup.conf is used for silent installs. Aside from pre-filling the license acceptance, you can also preset the port and https port, DMC admin credential, and repository information in this file. If the main goal is to disable the http port, you can simply edit the setup.conf file, setting port=-1, and run setup.sh in verbose mode. It will still take the input from setup.conf and prompt for your input to accept the license and set up the admin and password.
Using the Console Administration>Settings>Configure repository approach to set up the repository allows you to have a UI for setting up the JDBC connection properties, e.g. checking the Use SSL option and entering the Truststore location and Truststore password for your REPODB. I prefer to use the UI to set up these JDBC properties.
Thanks.
------------------------------
Jason Sizto
Original Message:
Sent: Thu June 03, 2021 12:25 PM
From: Colin Chapman
Subject: DMC: Repository database object creation and SSL connection
Hi folks, me again! A couple of questions related to the repo database if I may please.
1. I am creating REPODB ahead of the DMC install and in testing have let the setup.sh script create the DMC objects. I just noticed this comment in setup.conf "This section is applicable only if you apply the IBM Db2 Data Management Console License Activation Kit". Does that mean I would be better leaving REPODB object creation to after setup.sh and using the Console Administration>Settings>Configure repository approach instead? Are there advantages to either approach?
2. If I want all DMC access to REPODB to be via SSL, how do I specify the required parameters in setup.conf or should I use the "Configure repository" setup method anyway where I can specify the SSL truststore and password?
Thanks
------------------------------
Colin Chapman
------------------------------
#Db2