Cloud Database

Pre-Requisites

• DB2 on Cloud Enterprise Edition

Connecting to DB2 on Cloud from inside firewall

For on-prem installations of ADDI and RA servers, if there is a firewall blocking access to DB2 on Cloud then a network security ticket will need to be opened. Ideally, the network security team will open up the firewall directly to the DB2 on Cloud host. In which case, you can proceed as normal.

In some cases, the network security team will create a "plug proxy" instead of opening the firewall directly. They will then give you a proxy host and IP address to use that will then create a tunnel to connect to the DB2 host on the otherside of the firewall. This complicates the configuration.

Another important detail to keep in mind is that the DB2 host given by IBM Cloud is a load balancer. There are other actual IP addresses behind that load balancer IP. You will need all hosts and IP addresses from DB2 on Cloud to configure connection through a plug proxy.

For example, the nslookup command below shows all hosts and IP addresses for a DB2 on Cloud load balancer host/ip combination.

➜  ~ nslookup bb54fad1-34c8-4d62-b5ea-3a11d91f3f3f.c3n41cmd0nqnrk39u98g.databases.appdomain.cloud
Server:         172.26.32.1
Address:        172.26.32.1#53

Non-authoritative answer:
bb54fad1-34c8-4d62-b5ea-3a11d91f3f3f.c3n41cmd0nqnrk39u98g.databases.appdomain.cloud     canonical name = db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.us-south.containers.appdomain.cloud.
db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.us-south.containers.appdomain.cloud      canonical name = db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.c3n41cmd0nqnrk39u98g.akadns.net.
Name:   db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.c3n41cmd0nqnrk39u98g.akadns.net
Address: 52.117.249.178
Name:   db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.c3n41cmd0nqnrk39u98g.akadns.net
Address: 169.48.136.34
Name:   db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.c3n41cmd0nqnrk39u98g.akadns.net
Address: 52.116.221.102

You will need to note not only the load balancer hostname but the actual hostname.

Load balancer: bb54fad1-34c8-4d62-b5ea-3a11d91f3f3f.c3n41cmd0nqnrk39u98g.databases.appdomain.cloud

Actual: db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.c3n41cmd0nqnrk39u98g.akadns.net

Let's now assume the plug proxy given is plugproxy-xyz.customer.lab and the IP is 10.1.70.150 and the DB2 hostnames above are to be used. The Windows hosts file needs to be configured as follows.

10.1.70.150 plugproxy-xyz.customer.lab
10.1.70.150 bb54fad1-34c8-4d62-b5ea-3a11d91f3f3f.c3n41cmd0nqnrk39u98g.databases.appdomain.cloud
10.1.70.150 db2-icd-prod-us-s-590130-4f0f9a5666e20005abfaee753b7e644d-0000.c3n41cmd0nqnrk39u98g.akadns.net

After configuring the hosts file (Found under C:\Windows\System32\drivers\etc), you will then proceed to configure the connection to DB2 using plugproxy-xyz.customer.lab as the hostname.

Creating the service credentials

In the IBM Cloud dashboard, select databases from the resource list and open it up

Select the Service Credentials

Create the name as db2_sa with the Manager role and click Add

The service UserID will be generated as well as a password. Take note of these values from the JSON.

{
  "apikey": "<API KEY>",
  "connection": {
    "cli": {
      "arguments": [
        [
          "-u",
          "<Username>",
          "-p",
          "<Password>",
          "--ssl",
          "--sslCAFile",
          "<ssl CA file>",
          "--authenticationDatabase",
          "admin",
          "--host",
          "<HOST>:<PORT:31106>"
        ]
      ],
      "bin": "db2",
      "certificate": {
        "certificate_base64": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFakNDQWZxZ0F3SUJBZ0lKQVA1S0R3ZTNCTkxiTUEwR0NTcUdTSWIzRFFFQkN3VUFNQjR4SERBYUJnTlYKQkFNTUUwbENUU0JEYkc5MVpDQkVZWFJoWW1GelpYTXdIaGNOTWpBd01qSTVNRFF5TVRBeVdoY05NekF3TWpJMgpNRFF5TVRBeVdqQWVNUnd3R2dZRFZRUUREQk5KUWswZ1EyeHZkV1FnUkdGMFlXSmhjMlZ6TUlJQklqQU5CZ2txCmhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdXUvbitpWW9xdkdGNU8xSGpEalpsK25iYjE4UkR4ZGwKTzRUL3FoUGMxMTREY1FUK0plRXdhdG13aGljTGxaQnF2QWFMb1hrbmhqSVFOMG01L0x5YzdBY291VXNmSGR0QwpDVGcrSUsxbjBrdDMrTHM3d1dTakxqVE96N3M3MlZUSU5yYmx3cnRIRUlvM1JWTkV6SkNHYW5LSXdZMWZVSUtrCldNMlR0SDl5cnFsSGN0Z2pIUlFmRkVTRmlYaHJiODhSQmd0amIva0xtVGpCaTFBeEVadWNobWZ2QVRmNENOY3EKY21QcHNqdDBPTnI0YnhJMVRyUWxEemNiN1hMSFBrWW91SUprdnVzMUZvaTEySmRNM1MrK3labFZPMUZmZkU3bwpKMjhUdGJoZ3JGOGtIU0NMSkJvTTFSZ3FPZG9OVm5QOC9EOWZhamNNN0lWd2V4a0lSOTNKR1FJREFRQUJvMU13ClVUQWRCZ05WSFE0RUZnUVVlQ3JZanFJQzc1VUpxVmZEMDh1ZWdqeDZiUmN3SHdZRFZSMGpCQmd3Rm9BVWVDclkKanFJQzc1VUpxVmZEMDh1ZWdqeDZiUmN3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRgpBQU9DQVFFQUkyRTBUOUt3MlN3RjJ2MXBqaHV4M0lkWWV2SGFVSkRMb0tPd0hSRnFSOHgxZ2dRcGVEcFBnMk5SCkx3R08yek85SWZUMmhLaWd1d2orWnJ5SGxxcHlxQ0pLOHJEU28xZUVPekIyWmE2S1YrQTVscEttMWdjV3VHYzMKK1UrVTFzTDdlUjd3ZFFuVjU0TVU4aERvNi9sVHRMRVB2Mnc3VlNPSlFDK013ejgrTFJMdjVHSW5BNlJySWNhKwozM0wxNnB4ZEttd1pLYThWcnBnMXJ3QzRnY3dlYUhYMUNEWE42K0JIbzhvWG5YWkh6UG91cldYS1BoaGdXZ2J5CkNDcUdIK0NWNnQ1eFg3b05NS3VNSUNqRVZndnNLWnRqeTQ5VW5iNVZZbHQ0b1J3dTFlbGdzRDNjekltbjlLREQKNHB1REFvYTZyMktZZE4xVkxuN3F3VG1TbDlTU05RPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
        "name": "f64c7886-a9cf-45d4-8c62-2a5d468cb8d2"
      },
      "composed": [
        "db2 -u 856d915d -p 7bpRpEYGALwWt4fr --ssl --sslCAFile f64c7886-a9cf-45d4-8c62-2a5d468cb8d2 --authenticationDatabase admin --host dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud:31106"
      ],
      "environment": {},
      "type": "cli"
    },
    "db2": {
      "authentication": {
        "method": "direct",
        "password": "7bpRpEYGALwWt4fr",
        "username": "856d915d"
      },
      "certificate": {
        "certificate_base64": "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURFakNDQWZxZ0F3SUJBZ0lKQVA1S0R3ZTNCTkxiTUEwR0NTcUdTSWIzRFFFQkN3VUFNQjR4SERBYUJnTlYKQkFNTUUwbENUU0JEYkc5MVpDQkVZWFJoWW1GelpYTXdIaGNOTWpBd01qSTVNRFF5TVRBeVdoY05NekF3TWpJMgpNRFF5TVRBeVdqQWVNUnd3R2dZRFZRUUREQk5KUWswZ1EyeHZkV1FnUkdGMFlXSmhjMlZ6TUlJQklqQU5CZ2txCmhraUc5dzBCQVFFRkFBT0NBUThBTUlJQkNnS0NBUUVBdXUvbitpWW9xdkdGNU8xSGpEalpsK25iYjE4UkR4ZGwKTzRUL3FoUGMxMTREY1FUK0plRXdhdG13aGljTGxaQnF2QWFMb1hrbmhqSVFOMG01L0x5YzdBY291VXNmSGR0QwpDVGcrSUsxbjBrdDMrTHM3d1dTakxqVE96N3M3MlZUSU5yYmx3cnRIRUlvM1JWTkV6SkNHYW5LSXdZMWZVSUtrCldNMlR0SDl5cnFsSGN0Z2pIUlFmRkVTRmlYaHJiODhSQmd0amIva0xtVGpCaTFBeEVadWNobWZ2QVRmNENOY3EKY21QcHNqdDBPTnI0YnhJMVRyUWxEemNiN1hMSFBrWW91SUprdnVzMUZvaTEySmRNM1MrK3labFZPMUZmZkU3bwpKMjhUdGJoZ3JGOGtIU0NMSkJvTTFSZ3FPZG9OVm5QOC9EOWZhamNNN0lWd2V4a0lSOTNKR1FJREFRQUJvMU13ClVUQWRCZ05WSFE0RUZnUVVlQ3JZanFJQzc1VUpxVmZEMDh1ZWdqeDZiUmN3SHdZRFZSMGpCQmd3Rm9BVWVDclkKanFJQzc1VUpxVmZEMDh1ZWdqeDZiUmN3RHdZRFZSMFRBUUgvQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRgpBQU9DQVFFQUkyRTBUOUt3MlN3RjJ2MXBqaHV4M0lkWWV2SGFVSkRMb0tPd0hSRnFSOHgxZ2dRcGVEcFBnMk5SCkx3R08yek85SWZUMmhLaWd1d2orWnJ5SGxxcHlxQ0pLOHJEU28xZUVPekIyWmE2S1YrQTVscEttMWdjV3VHYzMKK1UrVTFzTDdlUjd3ZFFuVjU0TVU4aERvNi9sVHRMRVB2Mnc3VlNPSlFDK013ejgrTFJMdjVHSW5BNlJySWNhKwozM0wxNnB4ZEttd1pLYThWcnBnMXJ3QzRnY3dlYUhYMUNEWE42K0JIbzhvWG5YWkh6UG91cldYS1BoaGdXZ2J5CkNDcUdIK0NWNnQ1eFg3b05NS3VNSUNqRVZndnNLWnRqeTQ5VW5iNVZZbHQ0b1J3dTFlbGdzRDNjekltbjlLREQKNHB1REFvYTZyMktZZE4xVkxuN3F3VG1TbDlTU05RPT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=",
        "name": "f64c7886-a9cf-45d4-8c62-2a5d468cb8d2"
      },
      "composed": [
        "db2://856d915d:7bpRpEYGALwWt4fr@dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud:31106/bludb?authSource=admin&replicaSet=replset"
      ],
      "database": "bludb",
      "host_ros": [
        "dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud:31858"
      ],
      "hosts": [
        {
          "hostname": "dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud",
          "port": 31106
        }
      ],
      "jdbc_url": [
        "jdbc:db2://dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud:31106/bludb:user=<userid>;password=<your_password>;sslConnection=true;"
      ],
      "path": "/bludb",
      "query_options": {
        "authSource": "admin",
        "replicaSet": "replset"
      },
      "replica_set": "replset",
      "scheme": "db2",
      "type": "uri"
    }
  },
  "iam_apikey_description": "Auto-generated for key crn:v1:bluemix:public:dashdb-for-transactions:us-south:a/fb7864c969b640e29a59ee1365731e3b:dbd5d8b8-61c3-49dc-9213-79a4104c27f6:resource-key:856d915d-d65a-4381-afe1-c92d03288fce",
  "iam_apikey_id": "ApiKey-f9751182-792f-451b-b963-34de564f6059",
  "iam_apikey_name": "db2_sa",
  "iam_role_crn": "crn:v1:bluemix:public:iam::::serviceRole:Manager",
  "iam_serviceid_crn": "crn:v1:bluemix:public:iam-identity::a/fb7864c969b640e29a59ee1365731e3b::serviceid:ServiceId-719a6cfa-ec45-4ff1-8970-e2208ad69d0d",
  "instance_administration_api": {
    "deployment_id": "crn:v1:bluemix:public:dashdb-for-transactions:us-south:a/fb7864c969b640e29a59ee1365731e3b:dbd5d8b8-61c3-49dc-9213-79a4104c27f6::",
    "instance_id": "crn:v1:bluemix:public:dashdb-for-transactions:us-south:a/fb7864c969b640e29a59ee1365731e3b:dbd5d8b8-61c3-49dc-9213-79a4104c27f6::",
    "root": "https://api.db2.cloud.ibm.com/v5/ibm"
  }
}

From the above output we can extract the following values for this service account:

• Service Account Username: 856d915d
• Service Account Password: 7bpRpEYGALwWt4fr
• FQDN + Port: dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud:31106

Installing/Configuring DB2 Client

You will need the following:

• DB2 FQDN
• DB2 port
• DB2 user
• DB2 Password

As of this writing you will need to open the webui for the DB2 cloud instance.

Open the webui and follow the below images

1. Download Windows driver package Download Windows driver package from driver list File name: ibm_data_server_driver_package_win64_v11.5.exe (104 MB)
2. Install the drivers by running the ibm_data_server_driver_package_win64_v11.5.exe file as an administrator.
3. In The Connection configuration resources section, select whether or not you want to secure your connections by using SSL. If your application uses its own driver and you want to connect with SSL, download the SSL certificate (DigiCertGlobalRootCA.crt). For Java apps, use the JDBC string as the database URL in your call to the JDBC getConnection method. For ODBC apps, add new entries to the db2dsdriver.cfg driver configuration file by running the following commands:

Determine the FQDN of your DB2 on Cloud instance:

From the above image our example FQDN for DB2 is dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud and our port is 31106.

Once you have the instance up and you have the FQDN, run the following db2 local config commands in Powershell on the ADDI Host as illustrated from the db2 webui:

db2cli writecfg add -database bludb -host dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud -port 31106
db2cli writecfg add -dsn dashdb -database bludb -host dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud -port 31106
db2cli writecfg add -database bludb -host dbd5d8b8-61c3-49dc-9213-79a4104c27f6.c8l9ggsd0kmvoig3l8kg.databases.appdomain.cloud -port 31106 -parameter "SecurityTransportMode=SSL"

Configure WCA4Z instance for DB2

In the IBM Cloud Dashboard under resources select the WCA4Z instance

Launce the watsonx Code Assistant ui

We are going to perform the tasks highlighted by the red arrows.

Create service Id

We'll call it wca4z_service_id

Create API Key

Once the service ID is created, select API Keys from left hand side. Click Create and call the API key wca-api-key

Copy or download the API key somewhere safe. This is needed for next step.

Create the Deployment Space

We are going with wca-deployment for our deployment space name.

Add Service ID to Deployment Space

Select under the Add collaborators button add service ids

Check off the service ID we created earlier and set the role to Admin

Add DB2 Connection to workspace

Under Import asserts, select Data access and then Connection

Select IBM under the provider and DB2 on Cloud

Populate the values with the service account user/pass/fqdn/port we extracted from our returned JSON. For the connection name we're going with db2-wca4z-connection.

Finally test the connection and then click Create

Configure ADDI for DB2

db2configuration.bat

Download the above script and run it with your DB2 FQDN. You will need the following:

• FQDN (retrieved above)
• Service Account Username (retrieved above): 856d915d
• Service Account Password (retrieved above): 7bpRpEYGALwWt4fr
• Port: 31106

PS D:\> .\db2configuration.bat dbName=BLUDB db2Host=3b84375f-36fb-42b0-8241-ac0e7840e5dc.bpe60pbd01oinge4psd0.databases.appdomain.cloud db2Port=31838 db2User=856d915d db2Password=7bpRpEYGALwWt4fr useTLS=true
Adding new DB2 database instance into ADDI
Success.

This will add the appropriate entries into ADDI.

IP Restrictions for DB2 on Cloud

For security, it might be required to restrict IP addresses that can access the sensitive meta-data contained there. This can be done directly in DB2 on Cloud through the adminstration console by updating the "Allowlist IPs".

Prerequisite: The list of IP addresses or subnets for the environment where ADDI deployed are required. If ADDI is deployed to an on-prem environment you will need to work with the network team to get those values.

1. Logon to https://cloud.ibm.com/

2. Navigate to Resource List → Databases

3. Select the DB2 on Cloud instance you want to modify

4. Click on Go To UI under Manage

5. Click on Adminstration

6. Click on Access restriction

7. Scroll down to Allowlist IPs

8. Click on "Add IP +" button

9. The list below includes the production IP subnets for the WCA4Z service. Add each of the following as an Allowlisted IP address. This allows the WCA4Z service to access the DB2 instance.

   note

   (April 2024) These IP subnets are not currently published and are accurate as of the time of this documentation.

   169.60.39.176/28 
   169.60.36.32/27 
   169.61.221.64/26 
   169.61.134.0/27 
   169.61.138.0/26 
   169.61.14.48/28 
   169.62.147.0/27 
   52.117.255.0/26 
   10.38.218.0/25 
   10.93.43.64/26 
   10.74.40.0/26 
   10.241.100.128/25 
   10.73.71.0/26

10. You will also need to add IP addresses or subnets that include the ADDI server environment so that ADDI can access the DB2 instance to write the meta-data. Add those IP addresses or subnet in the same manner as you did above.

Clearing out the Database

As of May 2024, the cloud database can only contain one project for transformation. If you want to transform a new project, then the cloud database will need to be cleared out and reset.

1. Log in to the DB2 on Cloud management UI and select Run SQL.

2. Run the following SQL commands in sequence. It is recommended to run one at a time and let each one run to completion before running the next. In theory, they can be run as one unit but in practice some commands might fail and will need to be run again.

   CALL SYSPROC.ADMIN_DROP_SCHEMA('EZSCH', NULL, 'ERRORSCHEMA', 'ERRORTABLE');
   drop schema ERRORSCHEMA RESTRICT;
   drop tablespace TS_DATA;
   drop tablespace TS_IDX;
   ALTER TABLESPACE TS_TMP SWITCH ONLINE;
   drop tablespace TS_TMP;
   drop bufferpool BPTEMP32K;
   drop bufferpool BPDATA32K;
   drop bufferpool BPIDX32K;

3. Ensure that the EZSCH schema no longer exists.

The next time that a new project is defined using the ADDI build client that targets the DB2 on Cloud server , the database schema will be rebuilt. This takes about 15 minutes.