Configure and Deploy the TimesTenClassic Object

This example shows you how to configure and deploy a TimesTenClassic object for automatic client/server TLS encryption. This example uses a YAML manifest file.

From a directory of your choice, create the YAML manifest file.
```
vi sampletls.yaml

apiVersion: timesten.oracle.com/v4
kind: TimesTenClassic
metadata:
  name: sampletls
spec:
  ttspec:
    storageClassName: oci-bv
    clientTLS:
      auto: true
      ciphersuites: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      eccurve: p256
      encryption: required
      signAlg: ecdsasha384
      validity: 365  
    storageSize: 10Gi
    image: container-registry.oracle.com/timesten/timesten:22.1.1.34.0
    imagePullSecret: sekret
    dbConfigMap:
    - sampletls
```
Note the following:
- .spec.ttspec.clientTLS is specified and .spec.ttspec.clientTLS is set to true. This directs the TimesTen Operator to automatically create self-signed certificates and configure TimesTen to use those certificates for client/server TLS encryption.
- .spec.ttspec.clientTLS.ciphersuites is specified. The TimesTen Operator adds a ciphersuites entry with a value of SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 to the sys.odbc.ini file.
- .spec.ttspec.clientTLS.eccurve is specified. The TimesTen Operator adds the -eccurve option to the ttCreateCerts utility and supplies of value of p256 for this option.
- .spec.ttspec.clientTLS.encryption is specified. The TimesTen Operator adds an encryption entry with a value of required to the sys.odbc.ini file.
- .spec.ttspec.clientTLS.signAlg is specified. The TimesTen Operator adds the -sign_alg option to the ttCreateCerts utility and supplies of value of ecdsasha384 for this option.
- .spec.ttspec.clientTLS.validity is specified. The TimesTen Operator adds the -validity option to the ttCreateCerts utility and supplies of value of 365 for this option.

Deploy the TimesTenClassic object.

kubectl create -f sampletls.yaml

The output is the following:

timestenclassic.timesten.oracle.com/sampletls created

Monitor deployment.
1. Check status.
```
kubectl get ttc sampletls
```
  The output is similar to the following:
```
NAME        STATE          ACTIVE   AGE
sampletls   Initializing   None     2m33s
```
  The provisioning starts, but is not yet completed.
2. Wait a few minutes, then check status again.
```
kubectl get ttc sampletls
```
  The output is similar to the following:
```
NAME        STATE    ACTIVE        AGE
sampletls   Normal   sampletls-0   4m37s
```
  The provisioning process completes. The databases are up and running and operational, as indicated by the Normal state.
Verify the TimesTen Operator created the Kubernetes Secrets that contain the certificates for TimesTen servers and TimesTen clients.
1. Review the Secrets.
```
kubectl get secrets
```
  The output is similar to the following:
```
NAME                                     TYPE                             DATA   AGE
sampletls-client                         Opaque                           1      21m
sampletls-server                         Opaque                           1      21m
...
```
2. Confirm the contents of the sampletls-server Secret.
```
kubectl describe secret sampletls-server
```
  The output is similar to the following:
```
Name:         sampletls-server
Namespace:    mynamespace
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
cwallet.sso:  1525 bytes
```
  The Secret contains the cwallet.sso wallet. This wallet contains the self-signed certificate for TimesTen servers.
3. Confirm the contents of the sampletls-client Secret.
```
kubectl describe secret sampletls-client
```
  The output is similar to the following:
```
Name:         sampletls-client
Namespace:    mynamespace
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
cwallet.sso:  1525 bytes
```
  The Secret contains the cwallet.sso wallet. This wallet contains the self-signed certificate for TimesTen clients.
The TimesTen Operator ran the TimesTen ttCreateCerts utility to create self-signed certificates for client/server TLS encryption. The TimesTen Operator stored these certificates in Kubernetes Secrets.

Verify the TimesTen Operator automaticlly configured TimesTen to use the certificates for client/server TLS encryption.

Establish a shell in the tt container of the sampletls-0 Pod.
```
kubectl exec -it sampletls-0 -c tt -- /bin/bash
```
Confirm the existence of the server and client wallets.
```
[timesten@sampletls-0 /]$ pwd
/
```
```
[timesten@sampletls-0 /]$ ls -a serverWallet
.  ..  cwallet.sso
```
```
[timesten@sampletls-0 /]$ ls -a clientWallet
.  ..  cwallet.sso
```
The /serverWallet/cwallet.sso wallet contains the self-signed certificate for TimesTen Servers. The /clientWallet/cwallet.sso wallet contains the self-signed certificate for TimesTen clients.

(Optional) Confirm the contents of sys.odbc.ini file.

[timesten@sampletls-0 ~]$ cat /tt/home/timesten/instances/instance1/conf/sys.odbc.ini

The output is similar to the following:

[ODBC Data Sources]
sampletls=TimesTen 22.1 Driver
tt=TimesTen 22.1 Driver

[sampletls]
Datastore=/tt/home/timesten/datastore/sampletls
PermSize=200
DatabaseCharacterSet=AL32UTF8
DDLReplicationLevel=3
AutoCreate=0
ForceDisconnectEnabled=1
Wallet=/serverWallet
Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Encryption=required

[tt]
Datastore=/tt/home/timesten/datastore/sampletls
PermSize=200
DatabaseCharacterSet=AL32UTF8
DDLReplicationLevel=3
AutoCreate=0
ForceDisconnectEnabled=1
WaitForConnect=0
Wallet=/serverWallet
Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Encryption=required

The TimesTen Operator correctly added appropriate Wallet, Ciphersuites, and Encryption entries to the sys.odbc.ini file. The values for these entries were supplied in .spec.ttspec.clientTLS and are correct.

Exit from the shell.

Verify TLS is being used.

The following steps assume you have successfully copied the client wallet to the application container that is running your TimesTen client instance and that you have configured the appropriate client-side attributes. For more information about TimesTen client-side attributes, see Task 3: Set Client Configuration for TLS in TimesTen Classic in the Oracle TimesTen In-Memory Database Security Guide.

Establish a shell in the application container that contains your TimesTen client instance.
```
kubectl exec -it client-0 -c tt -- /bin/bash
```

Use ttIsqlCS to connect to the sampletls database.

[timesten@sampletls-0]$ ttisqlcs -connstr "TTC_SERVER1=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER2=sampletls-1.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;PWD=adminuserpwd;wallet=/clientWallet;ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;encryption=required";

The output is similar to the following:

Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
Type ? or "help" for help, type "exit" to quit ttIsql.



connect "TTC_SERVER1=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER2=sampletls-1.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;PWD=********;wallet=/clientWallet;ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;encryption=required";
Connection successful: DSN=;TTC_SERVER=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;DATASTORE=/tt/home/timesten/datastore/sampletls;DATABASECHARACTERSET=AL32UTF8;CONNECTIONCHARACTERSET=US7ASCII;AUTOCREATE=0;PERMSIZE=200;DDLREPLICATIONLEVEL=3;FORCEDISCONNECTENABLED=1;Encryption=Required;Wallet=/clientWallet;CipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
(Default setting AutoCommit=1)

Use the TimesTen sqlgetconnectattr command in ttIsqlCS to verify TLS is being used. A return value of 1 indicates TLS is being used.
```
Command> sqlgetconnectattr tt_tls_session;
```
The output is the following:
```
TT_TLS_SESSION = 1 (SQL_TRUE)
```

Congratulations! You successfully configured a TimesTenClassic object for automatic client/server TLS encryption. After you deployed the TimesTenClassic object in your namespace, the TimesTen Operator automatically created self-signed certificates and configured TimesTen to use those certificates for client/server TLS encryption.