DB2 - How to import certificates when there is a connection error for no certificates (4228016)

When monitoring remote DB2 databases in SSL mode, the Foglight Agent Manager (FglAM) must trust the database server's certificate. This requires importing the server certificate into the appropriate keystore used by the DB2 cartridge.

If the DB2 server certificate is missing or not trusted by the FglAM's keystore, the agent will fail to establish a secure SSL connection. This results in connection errors such as SSL handshake failures or inability to validate the certificate path.

DB2 Cartridge in FIPS-Compliant Mode

1. Navigate to the cartridge's lib directory:
   {FGLAM_HOME}/agents/DB_DB2/5.9.7.10-xxxx-xxxx/lib
2. Run the certificate import tool:

Windows:

certificatetool-5.9.7.10.bat --add-certificate alias="C:\path\to\certificate.cer"

Linux:

chmod u+x certificatetool-5.9.7.10.sh
./certificatetool-5.9.7.10.sh --add-certificate alias="/path/to/certificate.cer"
    

DB2 Cartridge in Non-FIPS Mode

1. Navigate to the certificates folder:
   {FGLAM_HOME}/state/default/certificates
2. Run the certificate script from the cartridge's lib directory:
   {FGLAM_HOME}/agents/DB_DB2/--/lib
3. Open DB2Keystore.info and copy the UID value.
4. Navigate to the JRE bin folder:
   {FGLAM_HOME}/jre/bin
5. Use keytool to retrieve the certificate:

   keytool -printcert -sslserver SERVERNAME:50000 -rfc

6. Save the output as db2.cer. If multiple certificates are present, split them into separate files (e.g., db2_a.cer, db2_b.cer, db2_c.cer).
7. Import Certificates:

   keytool -importcert -file db2.cer -keystore /fglam/state/default/certificates/DB2Keystore.keystore -storepass UID -noprompt -alias db2test

• Ensure certificate files are in valid format (.cer or .pem).
• Use unique aliases for each certificate.
• Restart FglAM after importing certificates to apply changes.