8 Using Encryption for Data Transmission

TimesTen replication and TimesTen Client/Server support the use of Transport Layer Security (TLS) for communication between TimesTen instances.

This chapter details the process for configuring and using TLS in your Kubernetes environment. This enables encrypted data transmission between your replicated TimesTen databases and, if in a Client/Server environment, between your TimesTen client applications and your TimesTen Server (your TimesTen database).

Topics include:

Creating TLS certificates for replication and Client/Server
Configuring TLS for replication
Configuring TLS for Client/Server

Creating TLS certificates for replication and Client/Server

By default, TimesTen replication transmits data between your TimesTen databases unencrypted. In addition, in a TimesTen Client/Server environment, by default data is transmitted unencrypted between your application and your TimesTen database.

You can choose to enable encryption for replication and for Client/Server through the use of Transport Layer Security (TLS). TimesTen provides the ttCreateCerts utility to generate self-signed certificates for TLS. For more information on TLS certificates and wallets, see "About using certificates with TimesTen" in the Oracle TimesTen In-Memory Database Security Guide.

Note:

Java must be installed on your Linux development host in order for you to use the ttCertsCreate utility. The utility searches for Java according to the JRE_HOME, JAVA_HOME, and PATH settings.

The ttCreateCerts utility is located in the /bin directory of a TimesTen instance. The utility creates three wallets: rootWallet, clientWallet, and serverWallet.

From your Linux development host, perform these steps to create the certificates.

Navigate to the bin directory of the installation and run the ttInstanceCreate utility interactively to create an instance. Recall that the installation_dir directory was created when you unpacked the TimesTen distribution. See "Downloading TimesTen and the TimesTen Operator" for information on unpacking the TimesTen distribution.

You have to create a TimesTen instance as the ttCreateCerts utility is run from a TimesTen instance. For more information on the ttInstanceCreate utility, see "ttInstanceCreate" in the Oracle TimesTen In-Memory Database Reference.

Create the instance directory (/scratch/ttuser/instance_dir, in this example), then run the ttInstanceCreate utility, supplying the -name and the -location parameters. This example uses instance1 as the name of the instance and uses /scratch/ttuser/instance_dir as the location of the instance.
```
% mkdir /scratch/ttuser/instance_dir

% installation_dir/tt18.1.4.11.0/bin/ttInstanceCreate -name instance1 
-location /scratch/ttuser/instance_dir
Creating instance in /scratch/ttuser/instance_dir/instance1 ...
INFO: Mapping files from the installation to /scratch/ttuser/
instance_dir/instance1/install
 
NOTE: The TimesTen daemon startup/shutdown scripts have not been installed.
 
The startup script is located here :
        '/scratch/ttuser/instance_dir/instance1/startup/tt_instance1'
 
Run the 'setuproot' script :
        /scratch/ttuser/instance_dir/instance1/bin/setuproot -install
This will move the TimesTen startup script into its appropriate location.
 
The 18.1 Release Notes are located here :
  'installation_dir/tt18.1.4.11.0/README.html'
```
Set the TIMESTEN_HOME environment variable. This variable must be set before you run the ttCertsCreate utility. From the bin directory of the instance, source the ttenv.csh or the ttenv.sh script.

This example uses the bash Bourne-type shell. (Not all output is shown.)
```
% . /scratch/ttuser/instance_dir/instance1/bin/ttenv.sh
LD_LIBRARY_PATH set to 
...
PATH set to 
...
CLASSPATH set to 
TIMESTEN_HOME set to /scratch/ttuser/instance_dir/instance1
```
Run the ttCreateCerts utility from the bin directory of the instance. This example uses the -verbose qualifier to show detailed output. See "Generation of certificates for TimesTen" in the Oracle TimesTen In-Memory Database Security Guide for more information on the ttCreateCerts utility.

The default wallet directory is timesten_home/conf, where timesten_home is the TimesTen instance home directory. This example uses this default wallet directory.
```
% /scratch/ttuser/instance_dir/instance1/bin/ttCreateCerts -verbose
Requested Certificates:
User Certificates:
Subject:        CN=server1,C=US
Trusted Certificates:
Subject:        CN=ecRoot,C=US
Requested Certificates:
User Certificates:
Subject:        CN=client1,C=US
Trusted Certificates:
Subject:        CN=ecRoot,C=US
ttCreateCerts : certificates created in /scratch/ttuser/instance_dir/
instance1/conf
```
Review the wallet locations and the certificates (represented in bold). The cwallet.sso in the serverWallet directory is the file you will supply as the replicationWallet metadata file for replication and for the server in a Client/Server environment. The cwallet.sso in the clientWallet directory is the file you will use for the client in a Client/Server environment. See "The supported metadata files" for information on the replicationWallet and the clientWallet metadata files. Also see "Configuring TLS for replication" and "Configuring TLS for Client/Server" for information on using these metadata files.

(These cwallet.sso files are also represented in bold).
```
% ls $TIMESTEN_HOME/conf
client1.cert  root.cert   server1.cert  snmp.ini      sys.ttconnect.ini
clientWallet  rootWallet  serverWallet  sys.odbc.ini  timesten.conf

% ls $TIMESTEN_HOME/conf/*Wallet*
/scratch/ttuser/instance_dir/instance1/conf/clientWallet:
cwallet.sso  cwallet.sso.lck
 
/scratch/ttuser/instance_dir/instance1/conf/rootWallet:
cwallet.sso  cwallet.sso.lck
 
/scratch/ttuser/instance_dir/instance1/conf/serverWallet:
cwallet.sso  cwallet.sso.lck
```

You have successfully created the certificates that can be used for TLS for both replication and TimesTen Client/Server. You are now ready to configure and use TLS for replication, for Client/Server, or for both replication and Client/Server.

Configuring TLS for replication

You can configure TLS for replication to ensure secure network communication between your replicated TimesTen databases. See "Transport Layer Security for TimesTen replication" in the Oracle TimesTen In-Memory Database Security Guide for detailed information.

These sections describe how to configure and use TLS for replication:

Create the metadata files and the Kubernetes facilities
Create the TimesTenClassic object
Monitor the deployment of the TimesTenClassic object
Verify that TLS is being used for replication

Create the metadata files and the Kubernetes facilities

The /ttconfig/replicationWallet metadata file is required for TLS support for replication. (The /ttconfig directory is located in the containers of your TimesTen databases.) This file must contain the cwallet.sso file (the Oracle wallet) that was generated when you created the TLS certificates. Recall that this file was located in the /scratch/ttuser/instance_dir/instance1/conf/serverWallet directory. See "Creating TLS certificates for replication and Client/Server" for information on creating these certificates. This wallet contains the credentials that are used by TimesTen replication for configuring TLS encryption between your active standby pair of TimesTen databases.

In addition to the /ttconfig/replicationWallet metadata file, you may use the other supported metadata files. See "The supported metadata files" for information on these supported metadata files.

You can include these metadata files in one or more Kubernetes facilities (for example, in a Kubernetes Secret, in a ConfigMap, or in an init container). This ensures the metadata files are populated in the /ttconfig directory of the TimesTen containers. Note that there is no requirement as to how to get the metadata files into this /ttconfig directory. See "Populating the /ttconfig directory" for more information.

The example in the following sections illustrates how to include the replicationWallet metadata file in a Kubernetes Secret. It also creates the db.ini, the adminUser, and the schema.sql metadata files and includes these metadata files in a ConfigMap:

Create the Kubernetes Secret
Create the ConfigMap

Create the Kubernetes Secret

This section creates the repl-tls Kubernetes Secret. The repl-tls Secret will contain the replicationWallet metadata file.

On your Linux development host:

From the directory of your choice, create an empty subdirectory. This example creates the serverWallet subdirectory. (The serverWallet directory is used in the remainder of this example to denote this directory.)
```
% mkdir -p serverWallet
```
Copy the /scratch/ttuser/instance_dir/instance1/conf/serverWallet/cwallet.sso file into the serverWallet directory that you just created. Recall that this file was generated when you used the ttCreateCerts utility to create the TLS certificates. See "Creating TLS certificates for replication and Client/Server" for information.
```
% cp /scratch/ttuser/instance_dir/instance1/conf/serverWallet/cwallet.sso 
serverWallet/cwallet.sso
```
Create the Kubernetes Secret.

In this example:
- The name of the Secret is repl-tls. Replace repl-tls with a name of your choosing. (repl-tls is represented in bold.)
- The name of the metadata file required for TLS replication is replicationWallet (represented in bold).
- The location of the wallet directory is serverWallet (in this example, represented in bold). If you use a different directory, replace serverWallet with the name of your directory.
- The name of the Oracle wallet is cwallet.sso (represented in bold).
Use the kubectl create command to create the Secret:
```
% kubectl create secret generic repl-tls 
--from-file=replicationWallet=serverWallet/cwallet.sso
secret/repl-tls created
```

You have successfully created and deployed the repl-tls Kubernetes Secret. The replicationWallet/cwallet.sso file will later be available in the /ttconfig directory of the TimesTen containers. In addition, the file will be available in the /tt/home/oracle/replicationWallet directory of the TimesTen containers.

Create the ConfigMap

This section creates the repl-tls ConfigMap. This ConfigMap contains the db.ini, the adminUser, and the schema.sql metadata files.

These metadata files are not required for TLS, but are included as additional attributes for your TimesTen databases. See "Understanding the configuration metadata and the Kubernetes facilities" for information on the metadata files and the ConfigMap facility.

On your Linux development host:

From the directory of your choice, create an empty subdirectory for the metadata files. This example creates the cm_replTLS subdirectory. (The cm_replTLS directory is used in the remainder of this example to denote this directory.)
```
% mkdir -p cm_replTLS
```
Navigate to the ConfigMap directory.
```
% cd cm_replTLS
```
Create the db.ini file in this ConfigMap directory (cm_replTLS, in this example). In this db.ini file, define the PermSize and DatabaseCharacterSet connection attributes.
```
vi db.ini
```
```
PermSize=200
DatabaseCharacterSet=AL32UTF8
```
Create the adminUser file in this ConfigMap directory (cm_replTLS, in this example). In this adminUser file, create the scott user with the tiger password.
```
vi adminUser
```
```
scott/tiger
```
Create the schema.sql file in this ConfigMap directory (cm_replTLS, in this example). In this schema.sql file, define the s sequence and the emp table for the scott user. The Operator will automatically initialize your database with these object definitions.
```
vi schema.sql
```
```
create sequence scott.s;
create table scott.emp (
  id number not null primary key,
  name char(32)
);
```
Create the ConfigMap. The files in the cm_replTLS directory are included in the ConfigMap and, later, will be available in the TimesTen containers.

In this example:
- The name of the ConfigMap is repl-tls. Replace repl-tls with a name of your choosing. (repl-tls is represented in bold in this example.)
- This example uses cm_replTLS as the directory where the files that will be copied into the ConfigMap reside. If you use a different directory, replace cm_replTLS with the name of your directory. (cm_replTLS is represented in bold in this example.)
Use the kubectl create command to create the ConfigMap:
```
% kubectl create configmap repl-tls --from-file=cm_replTLS
configmap/repl-tls created
```

Use the kubectl describe command to verify the contents of the ConfigMap. (repl-tls, in this example.)

% kubectl describe configmap repl-tls
Name:         repl-tls
Namespace:    mynamespace
Labels:       <none>
Annotations:  <none>
 
Data
====
adminUser:
----
scott/tiger
 
db.ini:
----
PermSize=200
DatabaseCharacterSet=AL32UTF8
 
schema.sql:
----
create sequence scott.s;
create table scott.emp (id number not null primary key, name char (32));
 
Events:  <none>

You have successfully created and deployed the repl-tls ConfigMap.

Create the TimesTenClassic object

This section creates the TimesTenClassic object. See "Defining and creating the TimesTenClassic object" and "The TimesTenClassic object type" for detailed information on the TimesTenClassic object.

Perform these steps:

Create an empty YAML file. You can choose any name, but you may want to use the same name you used for the name of the TimesTenClassic object. (In this example, repltls.) The YAML file contains the definitions for the TimesTenClassic object. See "TimesTenClassicSpecSpec" for information on the fields that you must specify in this YAML file as well as the fields that are optional.

In this example, the fields of particular interest for TLS replication are:
- dbSecret: This example uses one Kubernetes Secret (called repl-tls) for the replicationWallet metadata file.
- replicationCipherSuite: This field is required for TLS for replication. In this example, the value is SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256. See "Configuration for TLS for replication" in the Oracle TimesTen In-Memory Database Security Guide and see the replicationCipherSuite entry in the Table 11-3, "TimesTenClassicSpecSpec" in this book for more information.
- replicationSSLMandatory: This field is optional. In this example, set replicationSSLMandatory equal to 1. See "Configuration for TLS for replication" in the Oracle TimesTen In-Memory Database Security Guide and see the replicationSSLMandatory entry in the Table 11-3, "TimesTenClassicSpecSpec" in this book for more information.
In addition, this example includes:
- name: Replace repltls with the name of your TimesTenClassic object.
- storageClassName: Replace oci with the name of the storage class used to allocate PersistentVolumes to hold TimesTen.
- storageSize: Replace 250G with the amount of storage that should be requested for each Pod to hold TimesTen. Note: This example assumes a production environment and uses a value of 250G for storageSize. For demonstration purposes, a value of 50G is adequate. See the storageSize and the logStorageSize entries in the Table 11-3, "TimesTenClassicSpecSpec" for information.
- image: Replace phx.ocir.io/youraccount/tt1814110:3 with the location of the image registry (phx.ocir.io/youraccount) and the image containing TimesTen (tt1814110:3).
- imagePullSecret: Replace sekret with the image pull secret that Kubernetes should use to fetch the TimesTen image.
- dbConfigMap: This example uses one ConfigMap (called repl-tls) for the db.ini, the adminUser, and the schema.sql metadata files.
```
% vi repltls.yaml

apiVersion: timesten.oracle.com/v1
kind: TimesTenClassic
metadata:
  name: repltls
spec:
  ttspec:
    storageClassName: oci
    storageSize: 250G
    image: phx.ocir.io/youraccount/tt1814110:3
    imagePullSecret: sekret
    imagePullPolicy: Always
    dbConfigMap:
    - repl-tls
    dbSecret:
    - repl-tls
    replicationCipherSuite: SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    replicationSSLMandatory: 1
```
Use the kubectl create command to create the TimesTenClassic object from the contents of the YAML file (in this example, repltls.yaml). Doing so begins the process of deploying your active standby pair of TimesTen databases in the Kubernetes cluster.
```
% kubectl create -f repltls.yaml
timestenclassic.timesten.oracle.com/repltls created
```

You have successfully created the TimesTenClassic object in the Kubernetes cluster. The process of deploying your TimesTen databases begins, but is not yet complete.

Monitor the deployment of the TimesTenClassic object

Use the kubectl get and the kubectl describe commands to monitor the progress of the active standby pair as it is provisioned.

Use the kubectl get command and review the STATE field. Observe the value is Initializing. The active standby pair provisioning has begun, but is not yet complete.
```
% kubectl get ttc repltls
NAME      STATE          ACTIVE   AGE
repltls   Initializing   None     50s
```
Use the kubectl get command again to see if value of the STATE field has changed. In this example, the value is Normal, indicating the active standby pair of databases are now provisioned and the process is complete.
```
% kubectl get ttc repltls
NAME      STATE    ACTIVE      AGE
repltls   Normal   repltls-0   3m45s
```

Use the kubectl describe command to view the active standby pair provisioning in detail.

Note the following have been correctly set in the repltls TimesTenClassic object definition:

The repl-tls Secret has been correctly referenced in the dbSecret field (represented in bold).
The repl-tls Configmap has been correctly referenced in the dbConfigMap field (represented in bold).
The replicationCipherSuite field has been correctly set to SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (represented in bold).
The replicationSSLMandatory field has been correctly set to 1 (represented in bold).

Note: Not all of the output is shown in this example.

% kubectl describe ttc repltls
Name:         repltls
Namespace:    mynamespace
Labels:       <none>
Annotations:  <none>
API Version:  timesten.oracle.com/v1
Kind:         TimesTenClassic
Metadata:
  Creation Timestamp:  2020-10-16T18:51:43Z
  Generation:          1
  Resource Version:    75029797
  Self Link: 
/apis/timesten.oracle.com/v1/namespaces/mynamespace/timestenclassics/repltls
  UID:                 a2915ef3-0fe0-11eb-8b9a-aaa0151611fe
Spec:
  Ttspec:
    Db Config Map:
      repl-tls
    Db Secret:
      repl-tls
    Image:                      phx.ocir.io/youraccount/tt1814110:3
    Image Pull Policy:          Always
    Image Pull Secret:          sekret
    Replication Cipher Suite:   SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    Replication SSL Mandatory:  1
    Storage Class Name:         oci
    Storage Size:               250G
...
Events:
  Type  Reason       Age    From       Message
  ----  ------       ----   ----       -------
  -     Create       4m17s  ttclassic  Secret 
 tta2915ef3-0fe0-11eb-8b9a-aaa0151611fe created
  -     Create       4m17s  ttclassic  Service repltls created
  -     Create       4m17s  ttclassic  StatefulSet repltls created
  -     StateChange  3m10s  ttclassic  Pod repltls-1 Agent Up
  -     StateChange  3m10s  ttclassic  Pod repltls-1 Release 18.1.4.11.0
  -     StateChange  3m10s  ttclassic  Pod repltls-1 Daemon Up
  -     StateChange  2m3s   ttclassic  Pod repltls-0 Agent Up
  -     StateChange  2m3s   ttclassic  Pod repltls-0 Release 18.1.4.11.0
  -     StateChange  2m1s   ttclassic  Pod repltls-0 Daemon Up
  -     StateChange  68s    ttclassic  Pod repltls-0 Database Loaded
  -     StateChange  68s    ttclassic  Pod repltls-0 Database Updatable
  -     StateChange  68s    ttclassic  Pod repltls-0 CacheAgent Not Running
  -     StateChange  68s    ttclassic  Pod repltls-0 RepAgent Not Running
  -     StateChange  67s    ttclassic  Pod repltls-0 RepState IDLE
  -     StateChange  67s    ttclassic  Pod repltls-0 RepScheme None
  -     StateChange  66s    ttclassic  Pod repltls-0 RepAgent Running
  -     StateChange  66s    ttclassic  Pod repltls-0 RepScheme Exists
  -     StateChange  66s    ttclassic  Pod repltls-0 RepState ACTIVE
  -     StateChange  47s    ttclassic  Pod repltls-1 Database Loaded
  -     StateChange  47s    ttclassic  Pod repltls-1 Database Not Updatable
  -     StateChange  47s    ttclassic  Pod repltls-1 CacheAgent Not Running
  -     StateChange  47s    ttclassic  Pod repltls-1 RepAgent Not Running
  -     StateChange  47s    ttclassic  Pod repltls-1 RepScheme Exists
  -     StateChange  47s    ttclassic  Pod repltls-1 RepState IDLE
  -     StateChange  41s    ttclassic  Pod repltls-1 RepAgent Running
  -     StateChange  36s    ttclassic  Pod repltls-1 RepState STANDBY
  -     StateChange  36s    ttclassic  TimesTenClassic was Initializing, 
now Normal

Your active standby pair of TimesTen databases are successfully deployed (as indicated by Normal.) You are now ready to verify that TLS is being used for replication.

Verify that TLS is being used for replication

To verify TLS is being used for replication, perform the following steps:

Review the active (repltls-0, in this example) pod and the standby pod (repltls-1, in this example).

% kubectl get pods
NAME                                       READY   STATUS    RESTARTS   AGE
repltls-0                                  2/2     Running   0          6m35s
repltls-1                                  2/2     Running   0          6m34s
timestenclassic-operator-f84766548-tch7s   1/1     Running   0          28d

Optional: Use the kubectl exec -it command to invoke the shell in the active Pod (repltls-0, in this example).
```
% kubectl exec -it repltls-0 -c tt -- /usr/bin/su - oracle
```
Optional: From the shell in the active pod, verify the cwallet.sso file is located in the /tt/home/oracle/replicationWallet directory.
```
% ls /tt/home/oracle/replicationWallet
cwallet.sso
 
```
Optional: From the shell in the active pod, verify that the TLS replication-specific values are correct in the timesten.conf configuration file. (This file is located in the /tt/home/oracle/instances/instance1/conf directory.)

In particular, note that:
- replication_wallet is correctly set to /tt/home/oracle/replicationWallet (represented in bold).
- replication_cipher_suite is correctly set to SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (represented in bold).
- replication_ssl_mandatory is correctly set to 1 (represented in bold).
See "Configuration for TLS for replication" in the Oracle TimesTen In-Memory Database Security Guide for more information on these timesten.conf attributes.
```
% cat /tt/home/oracle/instances/instance1/conf/timesten.conf
admin_uid=333
admin_user=oracle
daemon_port=6624
group_name=oracle
hostname=repltls-0
instance_guid=48AC5964-56A1-4C66-AB89-5646A2431EA3
instance_name=instance1
replication_cipher_suite=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
replication_ssl_mandatory=1
replication_wallet=/tt/home/oracle/replicationWallet
server_port=6625
show_date=1
timesten_release=18.1.4
tns_admin=/ttconfig
verbose=1
```

From the shell in the active pod, run the ttRepAdmin utility with the -showstatus -detail options to verify the replication agent transmitters and receivers are using TLS (as indicated by SSL, represented in bold). See "ttRepAdmin" in the Oracle TimesTen In-Memory Database Reference for information on this utility.

Note: Not all output is shown in this example.

% ttRepAdmin -showstatus -detail repltls
 
Replication Agent Status as of: 2020-10-16 19:01:55
 
DSN                         : repltls
...
TRANSMITTER thread(s) (TRANSMITTER(M):139870727366400):
 For                     : REPLTLS (track 0) (SSL)
   Start/Restart count   : 1
   Current state         : STATE_META_PEER_INFO
 
RECEIVER thread(s) (RECEIVER:139870719887104):
 For                     : REPLTLS (track 0) (SSL)
   Start/Restart count   : 1
   Current state         : STATE_RCVR_READ_NETWORK_LOOP
...

You have successfully verified that TLS for replication is being used.

Configuring TLS for Client/Server

You can configure TLS for Client/Server to ensure secure network communication between TimesTen clients and servers. See "Transport Layer Security for TimesTen Client/Server" in the Oracle TimesTen In-Memory Database Security Guide for detailed information.

There are both server-side and client-side configuration requirements for using TLS for Client/Server. These requirements are detailed in these sections:

Configuration on the server
Configuration on the client

Configuration on the server

These sections discuss the configuration requirements for the server. The sections also include an example of how to configure TLS for the server in your Kubernetes cluster.

Overview of the metadata files and the Kubernetes facilities
Create the Kubernetes Secret for the csWallet metadata file
Create the ConfigMap for the server-side attributes
Create the TimesTenClassic object
Monitor the deployment of the TimesTenClassic object

Overview of the metadata files and the Kubernetes facilities

The /ttconfig/csWallet metadata file is required for TLS support for Client/Server. (The /ttconfig directory is located in the containers of your TimesTen databases.) This file must contain the cwallet.sso file (the Oracle wallet) that was generated when you created the TLS certificates. This file is the Oracle wallet required for the server. Recall that this file was located in the /scratch/ttuser/instance_dir/instance1/conf/serverWallet directory. See "Creating TLS certificates for replication and Client/Server" for information on creating these certificates. This wallet contains the credentials that are used for configuring TLS encryption between your TimesTen database and your Client/Server applications.

There are also server-side connection attributes that must be set. You can define these attributes in the db.ini metadata file. After the db.ini file is placed in the /ttconfig directory of the TimesTen containers, the Operator copies the contents of the db.ini file to the timesten_home/conf/sys.odbc.ini file located in the TimesTen containers. (Note that timesten_home is the TimesTen instance directory. This instance directory is /tt/home/oracle/instances/instance1 in your TimesTen containers.)

These required server-side attributes are: Wallet, CipherSuites, and Encryption. See Create the ConfigMap for the server-side attributes for information on these attributes. Also see "Configuration on the server" in the Oracle TimesTen In-Memory Database Security Guide.

In addition to the csWallet and the db.ini metadata files, you may use other supported metadata files. See "The supported metadata files" for information on these supported metadata files.

The following example includes the csWallet metadata file in a Kubernetes Secret. It also creates the db.ini, the adminUser, and the schema.sql metadata files and includes these metadata files in a ConfigMap.

Create the Kubernetes Secret for the csWallet metadata file

This section creates the cs-tls Kubernetes Secret. The cs-tls Secret will contain the csWallet metadata file.

On your Linux development host:

From the directory of your choice, create an empty subdirectory. This example creates the serverWallet subdirectory. (The serverWallet directory is used in the remainder of this example to denote this directory.)
```
% mkdir -p serverWallet
```
Copy the cwallet.sso file into the serverWallet directory that you just created. Recall that the cwallet.sso file was generated when you used the ttCreateCerts utility to create the TLS certificates. Also recall that this file was located in the /scratch/ttuser/instance_dir/instance1/conf/serverWallet directory. See "Creating TLS certificates for replication and Client/Server" for information.
```
% cp /scratch/ttuser/instance_dir/instance1/conf/serverWallet/cwallet.sso 
serverWallet/cwallet.sso
```
Create the Kubernetes Secret.

In this example:
- The name of the Secret is cs-tls. Replace cs-tls with a name of your choosing. (cs-tls is represented in bold.)
- The name of the metadata file required for TLS for Client/Server is csWallet (represented in bold).
- The location of the wallet directory is serverWallet (in this example, represented in bold). If you use a different directory, replace serverWallet with the name of your directory.
- The name of the Oracle wallet: cwallet.sso (represented in bold).
Use the kubectl create command to create the Secret:
```
% kubectl create secret generic cs-tls 
--from-file=csWallet=serverWallet/cwallet.sso
secret/cs-tls created
```

You have successfully created and deployed the cs-tls Kubernetes Secret. The csWallet/cwallet.sso file will later be available in the /ttconfig directory of the TimesTen containers. In addition, the file will be available in the /tt/home/oracle/csWallet directory of the TimesTen containers.

Create the ConfigMap for the server-side attributes

This section creates the cs-tls ConfigMap. This ConfigMap contains the db.ini, the adminUser, and the schema.sql metadata files.

On your Linux development host:

From the directory of your choice, create an empty subdirectory for the metadata files. This example creates the cm_csTLS subdirectory. (The cm_csTLS directory is used in the remainder of this example to denote this directory.)
```
% mkdir -p cm_csTLS
```
Navigate to the ConfigMap directory.
```
% cd cm_csTLS
```
Create the db.ini file in this ConfigMap directory (cm_csTLS, in this example). In this db.ini file, define the server-side attributes for TLS for Client/Server. These server-side attributes will later be included in the sys.odbc.ini file located in the timesten_home/conf directory in your TimesTen containers. (Note that timesten_home is the TimesTen instance directory. This instance directory is tt/home/oracle/instances/instance1 in your TimesTen containers.)

These are the required server-side attributes for TLS for Client/Server:
- wallet: This is the directory in your TimesTen containers that contains the server wallet. Specify /tt/home/oracle/csWallet.
- ciphersuites: This is the cipher suite setting. Valid values are SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256 or SSL_ECDHE_ECDSA_WITH_AES_256_GCM_384, or both, comma separated and in order of preference. There is no default setting. For TLS to be used, the server and the client settings must include at least one common suite. This example specifies SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256. See "Configuration on the server" in the Oracle TimesTen In-Memory Database Security Guide for information on the cipher suite settings.
- encryption: This is the encryption setting for the server. This example specifies the required setting. See "Configuration on the server" in the Oracle TimesTen In-Memory Database Security Guide for information on the valid encryption settings.
This example also specifies the PermSize and the DatabaseCharacterSet connection attributes.
```
vi db.ini
```
```
PermSize=200
DatabaseCharacterSet=AL32UTF8
wallet=/tt/home/oracle/csWallet
ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
encryption=required
```
Create the adminUser file in this ConfigMap directory (cm_csTLS, in this example). In this adminUser file, create the scott user with the tiger password.
```
vi adminUser
```
```
scott/tiger
```
Create the schema.sql file in this ConfigMap directory (cm_csTLS, in this example). In this schema.sql file, define the s sequence and the emp table for the scott user. The Operator will automatically initialize your database with these object definitions.
```
vi schema.sql
```
```
create sequence scott.s;
create table scott.emp (
  id number not null primary key,
  name char(32)
);
```
Create the ConfigMap. The files in the cm_csTLS directory are included in the ConfigMap and, later, will be available in the TimesTen containers.

In this example:
- The name of the ConfigMap is cs-tls. Replace cs-tls with a name of your choosing. (cs-tls is represented in bold in this example.)
- This example uses cm_csTLS as the directory where the files that will be copied into the ConfigMap reside. If you use a different directory, replace cm_csTLS with the name of your directory. (cm_csTLS is represented in bold in this example.)
Use the kubectl create command to create the ConfigMap:
```
% kubectl create configmap cs-tls --from-file=cm_csTLS
configmap/cs-tls created
```

Use the kubectl describe command to verify the contents of the ConfigMap. (cs-tls, in this example.)

% kubectl describe configmap cs-tls
Name:         cs-tls
Namespace:    mynamespace
Labels:       <none>
Annotations:  <none>
 
Data
====
db.ini:
----
PermSize=200
DatabaseCharacterSet=AL32UTF8
wallet=/tt/home/oracle/csWallet
ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
encryption=required
 
 
schema.sql:
----
create sequence scott.s;
create table scott.emp (id number not null primary key, name char (32));
 
adminUser:
----
scott/tiger
 
Events:  <none>

You have successfully created and deployed the cs-tls ConfigMap.

Create the TimesTenClassic object

This section creates the TimesTenClassic object. See "Defining and creating the TimesTenClassic object" and "The TimesTenClassic object type" for detailed information on the TimesTenClassic object.

Perform these steps:

Create an empty YAML file. You can choose any name, but you may want to use the same name you used for the name of the TimesTenClassic object. (In this example, cstls.) The YAML file contains the definitions for the TimesTenClassic object. See "TimesTenClassicSpecSpec" for information on the fields that you must specify in this YAML file as well as the fields that are optional.

In this example, the fields of particular interest for TLS Client/Server are:
- dbSecret: This example uses one Kubernetes Secret (called cs-tls) for the csWallet metadata file.
- dbConfigMap: This example uses one ConfigMap (called cs-tls). The db.ini file is contained in the cs-tls ConfigMap. Recall that the db.ini file contains the server-side attributes for TLS for Client/Server.
In addition, this example includes:
- name: Replace cstls with the name of your TimesTenClassic object.
- storageClassName: Replace oci with the name of the storage class used to allocate PersistentVolumes to hold TimesTen.
- storageSize: Replace 250G with the amount of storage that should be requested for each Pod to hold TimesTen. Note: This example assumes a production environment and uses a value of 250G for storageSize. For demonstration purposes, a value of 50G is adequate. See the storageSize and the logStorageSize entries in the Table 11-3, "TimesTenClassicSpecSpec" for information.
- image: Replace phx.ocir.io/youraccount/tt1814110:3 with the location of the image registry (phx.ocir.io/youraccount) and the image containing TimesTen (tt1814110:3).
- imagePullSecret: Replace sekret with the image pull secret that Kubernetes should use to fetch the TimesTen image.
```
% vi cstls.yaml

apiVersion: timesten.oracle.com/v1
kind: TimesTenClassic
metadata:
  name: cstls
spec:
  ttspec:
    storageClassName: oci
    storageSize: 250G
    image: phx.ocir.io/youraccount/tt1814110:3
    imagePullSecret: sekret
    imagePullPolicy: Always
    dbConfigMap:
    - cs-tls
    dbSecret:
    - cs-tls
```
Use the kubectl create command to create the TimesTenClassic object from the contents of the YAML file (in this example, cstls.yaml). Doing so begins the process of deploying your active standby pair of TimesTen databases in the Kubernetes cluster.
```
% kubectl create -f cstls.yaml
timestenclassic.timesten.oracle.com/cstls created
```

You have successfully created the TimesTenClassic object in the Kubernetes cluster. The process of deploying your TimesTen databases begins, but is not yet complete.

Monitor the deployment of the TimesTenClassic object

Use the kubectl get and the kubectl describe commands to monitor the progress of the active standby pair as it is provisioned.

Use the kubectl get command and review the STATE field. Observe the value is Initializing. The active standby pair provisioning has begun, but is not yet complete.
```
% kubectl get ttc cstls
NAME    STATE          ACTIVE   AGE
cstls   Initializing   None     15s
```
Use the kubectl get command again to see if value of the STATE field has changed. In this example, the value is Normal, indicating the active standby pair of databases are now provisioned and the process is complete.
```
% kubectl get ttc cstls
NAME    STATE    ACTIVE    AGE
cstls   Normal   cstls-0   3m30s
```

Use the kubectl describe command to view the active standby pair provisioning in detail.

Note the following have been correctly set in the cstls TimesTenClassic object definition:

The cs-tls Secret has been correctly referenced in the dbSecret field (represented in bold).
The cs-tls Configmap has been correctly referenced in the dbConfigMap field (represented in bold).

Note: Note all of the output is shown in this example.

% kubectl describe ttc cstls
Name:         cstls
Namespace:    mynamespace
Labels:       <none>
Annotations:  <none>
API Version:  timesten.oracle.com/v1
Kind:         TimesTenClassic
Metadata:
  Creation Timestamp:  2020-10-17T19:08:03Z
  Generation:          1
  Resource Version:    75491472
  Self Link: 
/apis/timesten.oracle.com/v1/namespaces/mynamespace/timestenclassics/cstls
  UID:                 150128b3-10ac-11eb-b019-d681454a288b
Spec:
  Ttspec:
    Db Config Map:
      cs-tls
    Db Secret:
      cs-tls
    Image:               phx.ocir.io/youraccount/tt1814110:3
    Image Pull Policy:   Always
    Image Pull Secret:   sekret
    Storage Class Name:  oci
    Storage Size:        250G
...
Events:
  Type  Reason       Age    From       Message
  ----  ------       ----   ----       -------
  -     Create       4m21s  ttclassic  Service cstls created
  -     Create       4m21s  ttclassic  StatefulSet cstls created
  -     Create       4m21s  ttclassic  Secret 
tt150128b3-10ac-11eb-b019-d681454a288b created
  -     StateChange  3m5s   ttclassic  Pod cstls-1 Daemon Up
  -     StateChange  3m5s   ttclassic  Pod cstls-0 Agent Up
  -     StateChange  3m5s   ttclassic  Pod cstls-0 Release 18.1.4.11.0
  -     StateChange  3m5s   ttclassic  Pod cstls-1 Agent Up
  -     StateChange  3m5s   ttclassic  Pod cstls-1 Release 18.1.4.11.0
  -     StateChange  3m5s   ttclassic  Pod cstls-0 Daemon Up
  -     StateChange  116s   ttclassic  Pod cstls-0 Database Loaded
  -     StateChange  116s   ttclassic  Pod cstls-0 Database Updatable
  -     StateChange  116s   ttclassic  Pod cstls-0 CacheAgent Not Running
  -     StateChange  116s   ttclassic  Pod cstls-0 RepAgent Not Running
  -     StateChange  116s   ttclassic  Pod cstls-0 RepState IDLE
  -     StateChange  116s   ttclassic  Pod cstls-0 RepScheme None
  -     StateChange  115s   ttclassic  Pod cstls-0 RepAgent Running
  -     StateChange  115s   ttclassic  Pod cstls-0 RepScheme Exists
  -     StateChange  115s   ttclassic  Pod cstls-0 RepState ACTIVE
  -     StateChange  96s    ttclassic  Pod cstls-1 Database Loaded
  -     StateChange  96s    ttclassic  Pod cstls-1 Database Not Updatable
  -     StateChange  96s    ttclassic  Pod cstls-1 CacheAgent Not Running
  -     StateChange  96s    ttclassic  Pod cstls-1 RepAgent Not Running
  -     StateChange  96s    ttclassic  Pod cstls-1 RepScheme Exists
  -     StateChange  96s    ttclassic  Pod cstls-1 RepState IDLE
  -     StateChange  90s    ttclassic  Pod cstls-1 RepAgent Running
  -     StateChange  84s    ttclassic  Pod cstls-1 RepState STANDBY
  -     StateChange  84s    ttclassic  TimesTenClassic was Initializing, now 
Normal

Your active standby pair of TimesTen databases are successfully deployed (as indicated by Normal.)

Configuration on the client

These sections cover the client requirements for TLS.

Copy the client wallet
Configure the client-side attributes

Copy the client wallet

When you used the ttCreateCerts utility to create TLS certificates, the cwallet.sso wallet file located in the /scratch/ttuser/instance_dir/instance1/conf/ clientWallet directory was generated. This file must be copied to the application container that is running your TimesTen client instance. See "Creating TLS certificates for replication and Client/Server" for information on creating the TLS certificates.

This example uses the kubectl cp command to copy the /scratch/ttuser/instance_dir/instance1/conf/clientWallet/cwallet.sso file from your Linux development host to the application container running your TimesTen client instance.

Use the kubectl exec -it command to invoke the shell in the application container that contains your TimesTen client instance. (cstls-0, in this example).
```
% kubectl exec -it cstls-0 -c tt -- /usr/bin/su - oracle
```
From the shell just invoked, and from the directory of your choice, create an empty subdirectory. This example creates the clientWallet subdirectory.
```
% mkdir -p clientWallet
```
From your Linux development host, use the kubectl cp command to copy the cwallet.sso file from the /scratch/ttuser/instance_dir/instance1/conf/clientWallet directory on your Linux development host to the clientWallet directory that you just created. (This directory is located in the application container that is running your TimesTen client instance.) Recall that the cwallet.sso file was generated when you used the ttCreateCerts utility to create the TLS certificates. See "Creating TLS certificates for replication and Client/Server" for information.
```
% kubectl cp /scratch/ttuser/instance_dir/instance1/conf/clientWallet/
cwallet.sso cstls-0:clientWallet/cwallet.sso -c tt
```
From your shell, verify the cwallet.sso file is located in the clientWallet directory.
```
% ls clientWallet
cwallet.sso
 
```

You have successfully copied the cwallet.sso client wallet file to the application container that is running your TimesTen client instance.

Configure the client-side attributes

You must set client-side attributes for TLS for Client/Server. The attributes can be set in the client DSN definition in timesten_home/conf/sys.odbc.ini or in an appropriate Client/Server connection string. See "Using Client/Server drivers" for additional information.

These are the required client-side attributes for TLS for Client/Server:

wallet: This is the directory that contains the cwallet.sso client wallet file. This directory is located in your application container that is running the TimesTen client instance. There is no default directory. In this example, recall that the clientWallet directory was created to denote this directory. (See "Copy the client wallet" for information.) For purposes of this example, the full path to the clientWallet directory is /tt/home/oracle/clientWallet. Therefore, in this example, /tt/home/oracle/clientWallet is used to denote this directory.
ciphersuites: This is the cipher suite setting. Valid values are SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256 or SSL_ECDHE_ECDSA_WITH_AES_256_GCM_384, or both, comma separated and in order of preference. There is no default setting. For TLS to be used, the server and the client settings must include at least one common suite. This example specifies SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256. See "Configuration on the server" in the Oracle TimesTen In-Memory Database Security Guide for information on the cipher suite settings.
encryption: This is the encryption setting for the client. This example specifies the required setting. See "Configuration on the server" in the Oracle TimesTen In-Memory Database Security Guide for information on the valid encryption settings.

This example uses a connection string to connect to the cstsl database as the scott user. The scott user was created by the Operator and already exists in the cstsl database. The example then uses the sqlgetconnectattr command from ttIsqlCS on the client to verify TLS is configured correctly on the Server and on the Client and TLS is being used.

Connect to the database.

% ttIsqlcs -connstr "TTC_SERVER1=cstls-0.cstls.mynamespace.svc.cluster.local;
TTC_SERVER2=cstls-1.cstls.mynamespace.svc.cluster.local;
TTC_SERVER_DSN=cstls;UID=scott;PWD=tiger;
WALLET=tt/home/oracle/clientWallet;
CIPHERSUITES=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
ENCRYPTION=required";
 
Copyright (c) 1996, 2020, Oracle and/or its affiliates. All rights reserved.
Type ? or "help" for help, type "exit" to quit ttIsql.
 
 
 
connect "TTC_SERVER1=cstls-0.cstls.mynamespace.svc.cluster.local;
TTC_SERVER2=cstls-1.cstls.mynamespace.svc.cluster.local;
TTC_SERVER_DSN=cstls;UID=scott;PWD=********;
WALLET=tt/home/oracle/clientWallet;
CipherSuites=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
ENCRYPTION=REQUIRED;";
Connection successful: 
DSN=;TTC_SERVER=cstls-0.cstls.mynamespace.svc.cluster.local;
TTC_SERVER_DSN=cstls;UID=scott;
DATASTORE=/tt/home/oracle/datastore/cstls;DATABASECHARACTERSET=AL32UTF8;
CONNECTIONCHARACTERSET=US7ASCII;AUTOCREATE=0;PERMSIZE=200;
DDLREPLICATIONLEVEL=3;FORCEDISCONNECTENABLED=1;(SERVER)ENCRYPTION=Required;
(SERVER)WALLET=file:/tt/home/oracle/csWallet;(client)Encryption=Required;
(client)Wallet=/tt/home/oracle/clientWallet;
(client)CipherSuites=SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256;
(Default setting AutoCommit=1)

Use the sqlgetconnectattr command in ttIsqlCS to verify TLS is being used. A return value of 1 indicates TLS is being used.
```
Command> sqlgetconnectattr tt_tls_session;
TT_TLS_SESSION = 1 (SQL_TRUE)
```

You have successfully connected to the database and verified that TLS for Client/Server is being used.