ttCreateCerts

Use ttCreateCerts manually for client/server when you have multiple databases and want different certificates for each one, or when you want certificates for both client/server and replication.

TimesTen uses ttCreateCerts when it generates certificates for client/server or replication during creation of a TimesTen instance (for TimesTen Classic), or when it generates certificates for client/server during creation of a grid (for TimesTen Scaleout); however, as explained before, there are also situations where it is appropriate to run ttCreateCerts manually.

This utility is located in the bin directory of a TimesTen instance. To avoid having to specify the full path, set TIMESTEN_HOME before you run ttCreateCerts. You can accomplish this by sourcing the ttenv.sh or ttenv.csh script from the instance bin directory.

The utility creates three Oracle Wallets: rootWallet (which you can ignore), clientWallet, and serverWallet.
Note: You must have Java JDK or JRE version 1.8 or higher on your system to use ttCreateCerts. The utility searches for it according to the JRE_HOME, JAVA_HOME, and PATH settings.
Required Privilege
This utility requires no privileges; however, depending on the specified options, it may write files in directories that need the instance administrator privilege.
Usage in TimesTen Scaleout and TimesTen Classic
This utility is supported in both TimesTen Classic and TimesTen Scaleout.
Syntax

% ttCreateCerts -h
usage:
  ttCreateCerts [-dir WALLETDIR] [options...]
  ttCreateCerts [-h | -help]
  ttCreateCerts [-V | -version]

options:
  -f | -force
  -verbose
  -validity DAYS | -valid_from mm/dd/yyyy -valid_until mm/dd/yyyy
  -dryrun
  -sign_alg ALGORITHM (ecdsasha256 ecdsasha384 ecdsasha512)
  -eccurve TYPE (p256 p384 p521)
Options

ttCreateCerts has the following input and options:

Option | Description
---|---
-dir WALLETDIR | Specifies a directory where the wallets are placed, as an absolute path. The specified directory must already exist and cannot already contain wallets produced by ttCreateCerts (unless -force is specified).
-h or -help | Shows help (showing the above syntax).
-V or -version | Displays the TimesTen release number.
-f or -force | Overwrites any previous wallets in the specified directory.
-verbose | Shows additional output from execution of the utility.
-validity DAYS | One of two ways to specify the lifetime of the wallets that are created, expressed as a number of days from creation. The default is 3650 days, which can be overridden by setting either -validity or the -valid_from and -valid_until pair.
-valid_from mm/dd/yyyy -valid_until mm/dd/yyyy | The other way to specify the lifetime of the wallets that are created, expressed as a start and an end date in mm/dd/yyyy format.
-dryrun | Echoes all the commands that would be executed by ttCreateCerts without creating any wallets. For options you do not set, you can use this to confirm what the default values are.
-sign_alg ALGORITHM | Specifies the elliptical curve signing algorithm. Supported algorithms are ecdsasha256, ecdsasha384, and ecdsasha512. The default is ecdsasha384.
-eccurve TYPE | Specifies the size of the elliptical curve. Supported values are p256, p384, and p521. The default is p384.
The ttCreateCerts utility also has a -run option that allows you to run commands of the Oracle orapki utility to manage Public Key Infrastructure (PKI) elements. Place the orapki command in quotes, as in this example:

% ttCreateCerts -run "wallet create -wallet serverWallet -auto_login_only"

For more information on using certificates signed by a certificate authority, see Create the Server Wallet and Create the Client Wallet in Oracle TimesTen In-Memory Database Security Guide.

For information about orapki, see Oracle Database Security Guide.
Examples

This section provides ttCreateCerts examples that place the wallets in a wallets subdirectory under timesten_home/conf, where timesten_home is the full path to the TimesTen instance home directory.

The following example includes verbose output. (Without the -verbose option, only the last line is shown.)
% ttCreateCerts -verbose -dir timesten_home/conf/wallets
Requested Certificates:
  User Certificates:
    Subject: CN=server1,C=US
  Trusted Certificates:
    Subject: CN=ecRoot,C=US
Requested Certificates:
  User Certificates:
    Subject: CN=client1,C=US
  Trusted Certificates:
    Subject: CN=ecRoot,C=US
ttCreateCerts : certificates created in timesten_home/conf/wallets

Here are the results. You can ignore all but clientWallet and serverWallet.

% ls timesten_home/conf/wallets
client1.cert  clientWallet  root.cert  rootWallet  server1.cert  serverWallet
% ls timesten_home/conf/wallets/clientWallet
cwallet.sso
% ls timesten_home/conf/wallets/serverWallet
cwallet.sso
The next example is a dry run. No certificates are created (despite the last line). This shows only a snippet of the output:

% ttCreateCerts -dir timesten_home/conf/wallets -dryrun
...
+ /bin/java -Djava.security.egd=file:///dev/./urandom -Xms64m -Xmx512m
  -cp /scratch/classic221110/instances/tt221/install/lib/cryptoj_5_0.jar:
      /scratch/classic221110/instances/tt221/install/lib/oraclepki.jar:
      /scratch/classic221110/instances/tt221/install/lib/osdt_cert.jar:
      /scratch/classic221110/instances/tt221/install/lib/osdt_core.jar
  oracle.security.pki.textui.OraclePKITextUI wallet add -wallet rootWallet
  -dn CN=ecRoot,C=US -sign_alg ecdsasha384 -self_signed -asym_alg ECC
  -eccurve p384 -jsafe -validity 3650 -auto_login_only -nologo
...
ttCreateCerts : certificates created in timesten_home/conf/wallets

From this, you can see that the default settings are -sign_alg ecdsasha384, -eccurve p384, and -validity 3650 (days).
Here is another example that sets the signing algorithm and the size of the elliptical curve:

% ttCreateCerts -dir timesten_home/conf/wallets -sign_alg ecdsasha256 -eccurve p256
ttCreateCerts : certificates created in timesten_home/conf/wallets

This example specifies that the certificates will expire one year from when they were created:

% ttCreateCerts -dir timesten_home/conf/wallets -validity 365
ttCreateCerts : certificates created in timesten_home/conf/wallets

Or, equivalently:

% ttCreateCerts -dir timesten_home/conf/wallets -valid_from 10/28/2022 -valid_until 10/28/2023
ttCreateCerts : certificates created in timesten_home/conf/wallets
The next example tries to create wallets in a location where wallets already exist:
% ttCreateCerts -dir timesten_home/conf/wallets
ttCreateCerts: rootWallet is not empty, use -force to overwrite
This example tries again, using the -force option:

% ttCreateCerts -dir timesten_home/conf/wallets -f
ttCreateCerts : certificates created in timesten_home/conf/wallets

Recall the resulting wallets:

% ls -F timesten_home/conf/wallets
client1.cert  root.cert  server1.cert  clientWallet/  rootWallet/  serverWallet/
% ls timesten_home/conf/wallets/clientWallet
cwallet.sso
% ls timesten_home/conf/wallets/serverWallet
cwallet.sso

Copy the clientWallet directory, which includes the root certificate, to the desired location. This is preferably the same location on each client instance.

% mkdir timesten_home/conf/wallets
[...Copy clientWallet from the server...]
% cd timesten_home/conf/wallets
% ls
clientWallet
% ls clientWallet
cwallet.sso
Note: Make a note of, and preserve, the file and directory permissions of the wallet.
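The two checks this page implies, that -dir must exist and not already hold wallets unless -force is given, and that clientWallet must be copied with its permissions intact, as added shell helpers (example code written for this page, not part of TimesTen or ttCreateCerts; the function names, return codes and the constructed test wallet are assumptions, and ttCreateCerts itself is never invoked):

```shell
#!/usr/bin/env bash
# Added example, not part of the TimesTen documentation or the utility itself:
# helper functions that enforce the preconditions this page states for the
# -dir argument of ttCreateCerts and for copying clientWallet to a client
# instance. Wallet and file names (rootWallet, clientWallet, serverWallet,
# cwallet.sso) are those the page shows; function names are assumptions.

# Mode bits of a file as octal, e.g. 600 (GNU stat first, BSD stat fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# ttCreateCerts requires -dir to exist and refuses it if it already holds
# wallets unless -force is given. Returns 0 if WALLETDIR is ready, 1 if it is
# missing, 2 if rootWallet/clientWallet/serverWallet is already present.
check_wallet_dir() {
  local dir="$1" w
  [ -d "$dir" ] || { echo "$dir does not exist; create it first" >&2; return 1; }
  for w in rootWallet clientWallet serverWallet; do
    if [ -e "$dir/$w" ]; then
      echo "$w already exists in $dir; rerun ttCreateCerts with -force to overwrite" >&2
      return 2
    fi
  done
  return 0
}

# Copy clientWallet (which carries the root certificate) from a server-side
# wallets directory to a client-side one with cp -pR, so that modes, ownership
# and timestamps are preserved, then verify cwallet.sso arrived with the same
# mode as the source. Returns 0 on success, 1 if the source wallet is missing
# or the copy fails, 2 if the destination wallet already exists, 3 if the
# mode of cwallet.sso was not preserved.
copy_client_wallet() {
  local src="$1/clientWallet" dst="$2/clientWallet"
  [ -f "$src/cwallet.sso" ] || { echo "no cwallet.sso in $src" >&2; return 1; }
  if [ -e "$dst" ]; then
    echo "$dst already exists; not overwriting" >&2
    return 2
  fi
  mkdir -p "$2" && cp -pR "$src" "$dst" || return 1
  if [ "$(file_mode "$src/cwallet.sso")" != "$(file_mode "$dst/cwallet.sso")" ]; then
    echo "mode of cwallet.sso changed during copy; fix it before use" >&2
    return 3
  fi
  return 0
}
```

Run check_wallet_dir on the intended -dir before calling ttCreateCerts, and copy_client_wallet on each client instance in place of the manual copy step above.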