Certificate Operations

Use ttGridAdmin commands in this topic to regenerate or list the certificates for Transport Layer Security (TLS) in TimesTen Scaleout.

See "Using TLS for Client/Server in TimesTen Scaleout" in the Oracle TimesTen In-Memory Database Scaleout User's Guide for additional information about certificates for TLS in TimesTen Scaleout.

Regenerate the Certificates (certificateRegen)

The certificateRegen command regenerates the root Certificate Authority for the grid and the client and server certificates.

You can also use the certificateRegen command to set whether new databases require encryption for client/server connections and which cipher suites those databases may use for TLS.

ttGridAdmin certificateRegen [-serverEncryption requirement]
                             [-serverCipherSuites suites]

Options

The certificateRegen command has these options:

Options Description

-serverEncryption requirement

Determines if new databases require encryption for client/server connections. Specify one of these settings:

  • accepted: Enable an encrypted session if required or requested by the client; use an unencrypted session otherwise. This is the default.

  • rejected: Demand an unencrypted session. (If the server does not support encryption, TimesTen behaves as if this is the setting on the server.) The connection is rejected if the client requires encryption.

  • requested: Request an encrypted session if the client allows it (if the client has any setting other than rejected); use an unencrypted session otherwise.

  • required: Demand an encrypted session. Reject the connection if the client rejects encryption.

-serverCipherSuites suites

Lists the cipher suite or suites that new databases can use for TLS, depending also on the client setting. Specify one or both (separated by comma and in order of preference) of these suites:

  • SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

  • SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

There is no default setting. For TLS to be used, the server and client settings must include at least one common suite.
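
The outcome of a connection depends on the pairing of the server and client encryption settings and on a shared cipher suite. The Python model below is an added example, not Oracle code. It assumes the client setting takes the same four values with mirrored meaning, and that the server's preference order decides the suite; the descriptions above imply the first and do not state the second.

```python
# Added illustration; not Oracle code. Models the -serverEncryption rules above.
SETTINGS = ("accepted", "rejected", "requested", "required")
SUITES = ("SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384")


def negotiate(server, client):
    """Return 'encrypted', 'unencrypted' or 'refused' for a setting pair.

    Assumption: the client setting uses the same four values with mirrored
    meaning, as the option descriptions imply.
    """
    if server not in SETTINGS or client not in SETTINGS:
        raise ValueError("unknown encryption setting")
    pair = {server, client}
    if pair == {"required", "rejected"}:
        return "refused"        # one side demands TLS, the other forbids it
    if "rejected" in pair:
        return "unencrypted"    # the other side only accepts or requests
    if pair == {"accepted"}:
        return "unencrypted"    # neither side asks for encryption
    return "encrypted"          # at least one side requests or requires it


def pick_suite(server_suites, client_suites):
    """First suite in the server's list that the client also lists.

    Assumption: the server's order of preference wins.
    """
    for suite in server_suites:
        if suite not in SUITES:
            raise ValueError("unsupported suite: " + suite)
        if suite in client_suites:
            return suite
    return None                 # no common suite, so TLS cannot be used


def plaintext_possible(server):
    """Client settings under which this server setting yields no encryption."""
    return [c for c in SETTINGS if negotiate(server, c) == "unencrypted"]


if __name__ == "__main__":
    # Print the full server x client matrix, one server setting per row.
    for s in SETTINGS:
        print(f"{s:10} " + "  ".join(f"{c}={negotiate(s, c)}" for c in SETTINGS))
```

In this model only the required setting leaves no client setting that results in an unencrypted session.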

Examples

This example regenerates the certificates of the grid, sets new databases to require encryption for client/server connections, and restricts them to the SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite.

% ttGridAdmin certificateRegen -serverEncryption required -serverCipherSuites SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Certificates generated

Note:

The serverEncryption and serverCipherSuites options update the default values for the Encryption and CipherSuites connection attributes, respectively, for new database definitions and connectables. These options do not affect the current settings for existing database definitions or connectables.

List the Certificates (certificateList)

The certificateList command lists the Oracle Wallets containing the root Certificate Authority (CA) and the client and server certificates with their expiration dates.

ttGridAdmin certificateList

Examples

This example lists the certificates used by the grid for encrypted client/server connections.

% ttGridAdmin certificateList 
NAME          HOLDER           EXPIRATION
clientWallet  CN=client1,C=US  Thu Jul 31 12:59:45 PDT 2031
rootWallet    CN=ecRoot,C=US   Thu Jul 31 12:59:09 PDT 2031
serverWallet  CN=server1,C=US  Thu Jul 31 12:59:28 PDT 2031