
How to use liquibase cmd with db2 ssl connection?


I'm trying to run the liquibase update command using:

liquibase --driver="com.ibm.db2.jcc.DB2Driver" --changeLogFile="masterchangelog.xml" --url="jdbc:db2://localhost:60001/SMDINTDB:retrieveMessageFromServerOnGetMessage=true;sslConnection=true;" --username="" --password="" --classpath=/home/db2inst1/sqllib/java/db2jcc4.jar validate

But I'm getting the following error. Can anyone help me resolve this issue? How can I specify the location of the certs?

Unexpected error running Liquibase: com.ibm.db2.jcc.am.DisconnectNonTransientConnectionException: [jcc][t4][2030][11211][4.26.14] A communication error occurred during operations on the connection's underlying socket, socket input stream, or socket output stream.  Error location: Reply.fill() - socketInputStream.read (-1).  Message: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target. ERRORCODE=-4499, SQLSTATE=08001

Solution

  • Several prerequisites exist for on-premises Db2-LUW SSL connectivity with jdbc. liquibase works correctly with SSL connections to on-premises Db2-LUW, if all the prerequisite configuration is completed successfully. Here are some tips.

    • the target Db2-LUW instance has to be already configured for SSL as per IBM Db2 documentation here. If you are using a cloud-based Db2 service from IBM then this is already done for you, although you may need to use the IBM-supplied root cert on the client side.

    • your client side JRE needs to be configured per IBM's Db2-LUW documentation here. I use the IBM JRE (as supplied with the Db2-LUW server) for liquibase.

    • for on-premises Db2-LUW your client side needs the java keystore created, and the server's certificate imported into it (keytool -importcert -file /your/path/to/server_certificate ... ).

    • for your specific error, for on-premises Db2-LUW you might try additional options in the connection string to tell the JRE how to access the client side keystore into which you already imported the server certificate. Specifically sslTrustStoreLocation=/path/to/.keystore;sslTrustStorePassword=whatever; . Note that I did not need these options if using Db2-on-cloud (liquibase worked correctly with SSL to Db2-on-cloud once I added DigiCertGlobalRootCA.crt to my keystore, although even that may be unnecessary), but I did not try Db2-warehouse-on-cloud as I don't use that service.
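
The keystore import and connection-string options from the answer above, combined into one script. This is an added example, not code from the original post; the environment variable names (TRUSTSTORE, TRUSTSTORE_PASS, DB2_HOST, DB2_PORT, DB2_NAME, DB2_USER, DB2_PASS), the alias db2-server and the function names are assumptions.

```shell
#!/usr/bin/env bash
# Added example. Env-var names, alias and function names are placeholders.

# Build the JDBC URL with the trust-store properties named in the answer.
# A ';' in either value would end the property early, so it is rejected.
db2_ssl_url() {
  local host="$1" port="$2" db="$3" store="$4" pass="$5"
  [ -n "$store" ] && [ -n "$pass" ] || {
    echo "trust store path and password are required" >&2; return 1; }
  case "$store$pass" in
    *\;*) echo "trust store path/password must not contain ';'" >&2; return 1 ;;
  esac
  printf 'jdbc:db2://%s:%s/%s:retrieveMessageFromServerOnGetMessage=true;sslConnection=true;sslTrustStoreLocation=%s;sslTrustStorePassword=%s;' \
    "$host" "$port" "$db" "$store" "$pass"
}

# Import the Db2 server certificate (or its signing CA) into the client store.
# TRUSTSTORE_PASS must be exported; -storepass:env keeps it out of keytool's argv.
import_db2_cert() {
  local cert="$1" store="$2" alias="${3:-db2-server}"
  [ -r "$cert" ] || { echo "cannot read certificate: $cert" >&2; return 1; }
  keytool -importcert -noprompt -alias "$alias" -file "$cert" \
          -keystore "$store" -storepass:env TRUSTSTORE_PASS || return 1
  # Confirm the entry exists before pointing the driver at the store.
  keytool -list -alias "$alias" -keystore "$store" -storepass:env TRUSTSTORE_PASS
}

# Run the validate command from the question against the SSL port.
# Caveat: the URL, including sslTrustStorePassword, is visible in the
# process list while liquibase runs.
liquibase_validate_ssl() {
  local url
  url=$(db2_ssl_url "$DB2_HOST" "$DB2_PORT" "$DB2_NAME" \
                    "$TRUSTSTORE" "$TRUSTSTORE_PASS") || return 1
  liquibase --driver="com.ibm.db2.jcc.DB2Driver" \
            --changeLogFile="masterchangelog.xml" \
            --url="$url" --username="$DB2_USER" --password="$DB2_PASS" \
            --classpath=/home/db2inst1/sqllib/java/db2jcc4.jar validate
}

# Typical order:
#   export TRUSTSTORE_PASS=...; import_db2_cert /your/path/to/server_certificate "$TRUSTSTORE"
#   liquibase_validate_ssl
```

If the PKIX error persists after the import, the certificate in the store does not chain to what the server presents; import the CA that signed the server certificate instead.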