Db2 (On Premises and Cloud)


DMC: Repository database object creation and SSL connection

  • 1.  DMC: Repository database object creation and SSL connection

    Posted Thu June 03, 2021 12:26 PM
    Hi folks, me again! A couple of questions related to the repo database if I may please.

    1. I am creating REPODB ahead of the DMC install and in testing have let the setup.sh script create the DMC objects. I just noticed this comment in setup.conf "This section is applicable only if you apply the IBM Db2 Data Management Console License Activation Kit". Does that mean I would be better leaving REPODB object creation to after setup.sh and using the Console Administration>Settings>Configure repository approach instead? Are there advantages to either approach?

    2. If I want all DMC access to REPODB to be via SSL, how do I specify the required parameters in setup.conf or should I use the "Configure repository" setup method anyway where I can specify the SSL truststore and password?

    Thanks

    ------------------------------
    Colin Chapman
    ------------------------------


  • 2.  RE: DMC: Repository database object creation and SSL connection

    Posted Sun June 06, 2021 07:38 PM

    Hi Colin,

    setup.conf is used for silent installs.  Aside from pre-filling the license acceptance, you can also preset the port and https port, DMC admin credentials, and repository information in this file.  If the main goal is to disable the http port, you can simply edit the setup.conf file, set port=-1, and run setup.sh in verbose mode.  It will still take the input from setup.conf and prompt you to accept the license and set up the admin user and password.

    Using the Console Administration>Settings>Configure repository approach to set up the repository gives you a UI for setting up the JDBC connection properties, e.g. checking the Use SSL option and entering the Truststore location and Truststore password for your REPODB.  I prefer to use the UI to set up these JDBC properties.

    Thanks.



    ------------------------------
    Jason Sizto
    ------------------------------



  • 3.  RE: DMC: Repository database object creation and SSL connection

    Posted Mon June 07, 2021 05:30 AM
    Thanks Jason, I'll take the same approach in future!

    ------------------------------
    Colin Chapman
    ------------------------------



  • 4.  RE: DMC: Repository database object creation and SSL connection

    Posted Tue July 13, 2021 08:20 AM
    Hi Jason / Colin,

    Could you please let me know the values that need to be set for Truststore location and Truststore password?



    ------------------------------
    Saravanan Santhanam
    ------------------------------



  • 5.  RE: DMC: Repository database object creation and SSL connection

    Posted Tue July 13, 2021 08:21 AM
    Hi Jason,

    What do I need to provide for the below values for setting up the REPODB with SSL connection?

    Truststore location and Truststore password?

    Thanks,
    Saravanan

    ------------------------------
    Saravanan Santhanam
    ------------------------------



  • 6.  RE: DMC: Repository database object creation and SSL connection

    Posted Wed July 14, 2021 01:43 AM
    Hi Saravanan,

    The Truststore location will store the full path to the truststore where you imported the target database's exported cert.  The Truststore password is the password for the truststore.  If the cert for your Db2 is obtained from a trusted CA, generally, you can omit the step to pass in the Truststore location and Truststore password as the cert is from a trusted CA.  This step is needed if your Db2 cert is generated by an internal CA or it is a self-signed cert.

    Just in case, the following steps generate a self-signed cert for your Db2 and show how to configure it in Db2 and in DMC.
    cd ~/sqllib/security;
    export PATH=$PATH:/home/db2inst1/sqllib/gskit/bin;
    mkdir ~/sqllib/security/ext12lnxKeystore;
    cd ~/sqllib/security/ext12lnxKeystore;
    # create the key database; -stash writes the password stash file ext12lnx.sth next to it
    gsk8capicmd_64 -keydb -create -db "ext12lnx.kdb" -pw "passw0rd" -expire 1460 -stash;
    # create the self-signed cert and extract its public part to ext12lnx.arm
    gsk8capicmd_64 -cert -create -db "ext12lnx.kdb" -pw "passw0rd" -label "ext12lnxselfsigned" -dn "CN=ext12lnx.centers.testing.com,O=Db2,OU=LUW,L=Poughkeepsie,ST=NY,C=US" -size 2048 -expire 1460 -sigalg SHA256_WITH_RSA;
    gsk8capicmd_64 -cert -extract -db "ext12lnx.kdb" -pw "passw0rd" -label "ext12lnxselfsigned" -target "ext12lnx.arm" -format ascii -fips;
    # point the instance at the key database and stash file created above
    db2 update dbm cfg using SSL_SVR_KEYDB /home/db2inst1/sqllib/security/ext12lnxKeystore/ext12lnx.kdb;
    db2 update dbm cfg using SSL_SVR_STASH /home/db2inst1/sqllib/security/ext12lnxKeystore/ext12lnx.sth;
    db2 update dbm cfg using SSL_SVR_LABEL ext12lnxselfsigned;
    vi /etc/services
    # add this line:
    db2c_db2inst1_ssl 50001/tcp
    db2 update dbm cfg using SSL_SVCENAME 50001;
    db2set -i db2inst1 DB2COMM=SSL,TCPIP;
    db2 update dbm cfg using ssl_versions TLSv12;
    db2stop force;
    db2start;
    netstat -an | grep 5000 | grep LISTEN
    You should see that both ports 50000 and 50001 are listening.

    Now, on the DMC machine, e.g. you can create a truststore in /opt/truststore.
    FTP ext12lnx.arm from the Db2 machine to the DMC machine.
    Set PATH to include keystore, e.g.
    export PATH=/opt/dmc/ibm-datamgmtconsole/java/jre/bin/:$PATH
    mkdir /opt/keystore;
    keytool -keystore /opt/keystore/db2truststore -storepass passw0rd -alias ext12lnxLUWAlias -import -file ext12lnx.arm

    In the Repository connection page, you can set Truststore location to /opt/keystore/db2truststore and Truststore password to passw0rd

    After you set up the repository connection with SSL, and if you use Jobs, you need to follow the steps here to set up SSL for the ODBC CLI driver: https://www.ibm.com/docs/en/db2-data-mgr-console/3.1.x?topic=support-enabling-ssl-connection-job-repository



    ------------------------------
    Jason Sizto
    ------------------------------
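
An added example, not part of the thread or of IBM's tooling: a shell check that reads saved `db2 get dbm cfg` output plus the DB2COMM value and reports whether the SSL parameters from the steps above are actually set, and whether the non-TLS port is still enabled. The function names, the sample excerpt and its SVCENAME value of 50000 are constructed for illustration.

```shell
#!/bin/sh
# Print one parameter's value from `db2 get dbm cfg` text stored in file $2.
cfg_value() {
    sed -n "s/^.*($1) = *//p" "$2" | head -n 1 | sed 's/[[:space:]]*$//'
}

# $1 = file with `db2 get dbm cfg` output, $2 = DB2COMM value (from `db2set DB2COMM`).
# Prints one line per check and returns the number of FAIL findings.
audit_db2_ssl() {
    fails=0
    for p in SSL_SVR_KEYDB SSL_SVR_STASH SSL_SVR_LABEL SSL_SVCENAME SSL_VERSIONS; do
        v=$(cfg_value "$p" "$1")
        if [ -z "$v" ]; then
            echo "FAIL $p is empty"; fails=$((fails + 1))
        else
            echo "ok   $p = $v"
        fi
    done
    # A bare TLSV1 entry means TLS 1.0 is still offered.
    vers=$(cfg_value SSL_VERSIONS "$1" | tr 'a-z' 'A-Z' | tr -d ' ')
    case ",$vers," in *,TLSV1,*) echo "FAIL SSL_VERSIONS still allows TLS 1.0"; fails=$((fails + 1)) ;; esac
    comm=$(echo "$2" | tr 'a-z' 'A-Z' | tr -d ' ')
    case ",$comm," in
        *,SSL,*) echo "ok   DB2COMM includes SSL" ;;
        *) echo "FAIL DB2COMM does not include SSL"; fails=$((fails + 1)) ;;
    esac
    # With TCPIP also in DB2COMM, the non-TLS port (SVCENAME) keeps listening.
    plain=$(cfg_value SVCENAME "$1")
    case ",$comm," in *,TCPIP,*)
        if [ -n "$plain" ]; then echo "WARN plaintext listener still enabled on $plain"; fi ;;
    esac
    return "$fails"
}

# Constructed sample in the layout of `db2 get dbm cfg`; keydb and stash left unset.
sample_cfg() {
cat <<'EOF'
 TCP/IP Service name                          (SVCENAME) = 50000
 SSL server keydb file                   (SSL_SVR_KEYDB) =
 SSL server stash file                   (SSL_SVR_STASH) =
 SSL server certificate label            (SSL_SVR_LABEL) = ext12lnxselfsigned
 SSL service name                         (SSL_SVCENAME) = 50001
 SSL versions                             (SSL_VERSIONS) = TLSV12
EOF
}

f=$(mktemp) && sample_cfg > "$f"
audit_db2_ssl "$f" "SSL,TCPIP" || echo "FAIL findings: $?"
rm -f "$f"
```

On a real instance, save `db2 get dbm cfg` to a file and pass it with the output of `db2set DB2COMM`. If every client, DMC included, connects over SSL, DB2COMM=SSL alone leaves only the TLS port listening.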



  • 7.  RE: DMC: Repository database object creation and SSL connection

    Posted Thu July 15, 2021 12:29 PM
    Thank you so much Jason. Worked perfectly and I was able to set up the SSL connection for the Repository DB from the DMC console.

    When I try to add a new DB connection to monitor using the SSL connection, I am seeing issues. Do I need to perform any additional steps to monitor the couple of databases using SSL connections from the DMC console?

    I need to add close to 50 databases from the DMC console using SSL connection. Can you please advise.

    ------------------------------
    Saravanan Santhanam
    ------------------------------



  • 8.  RE: DMC: Repository database object creation and SSL connection

    Posted Sat July 17, 2021 11:55 AM
    Hi Saravanan,

    The steps to create a monitor connection to the target database using SSL are the same as creating the Repository connection.  What is the error you are facing when creating the monitor connection to the target database?

    Thanks.

    ------------------------------
    Jason Sizto
    ------------------------------