Configure and Deploy the TimesTenClassic Object
This example shows you how to configure and deploy a TimesTenClassic object for automatic client/server TLS encryption. This example uses a YAML manifest file.
- From a directory of your choice, create the YAML manifest file.

    vi sampletls.yaml

    apiVersion: timesten.oracle.com/v4
    kind: TimesTenClassic
    metadata:
      name: sampletls
    spec:
      ttspec:
        storageClassName: oci-bv
        clientTLS:
          auto: true
          ciphersuites: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          eccurve: p256
          encryption: required
          signAlg: ecdsasha384
          validity: 365
        storageSize: 10Gi
        image: container-registry.oracle.com/timesten/timesten:22.1.1.34.0
        imagePullSecret: sekret
        dbConfigMap:
        - sampletls

  Note the following:
  - .spec.ttspec.clientTLS is specified and .spec.ttspec.clientTLS.auto is set to true. This directs the TimesTen Operator to automatically create self-signed certificates and configure TimesTen to use those certificates for client/server TLS encryption.
  - .spec.ttspec.clientTLS.ciphersuites is specified. The TimesTen Operator adds a ciphersuites entry with a value of SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 to the sys.odbc.ini file.
  - .spec.ttspec.clientTLS.eccurve is specified. The TimesTen Operator adds the -eccurve option to the ttCreateCerts utility and supplies a value of p256 for this option.
  - .spec.ttspec.clientTLS.encryption is specified. The TimesTen Operator adds an encryption entry with a value of required to the sys.odbc.ini file.
  - .spec.ttspec.clientTLS.signAlg is specified. The TimesTen Operator adds the -sign_alg option to the ttCreateCerts utility and supplies a value of ecdsasha384 for this option.
  - .spec.ttspec.clientTLS.validity is specified. The TimesTen Operator adds the -validity option to the ttCreateCerts utility and supplies a value of 365 for this option.
- Deploy the TimesTenClassic object.

    kubectl create -f sampletls.yaml

  The output is the following:

    timestenclassic.timesten.oracle.com/sampletls created

- Monitor deployment.
  - Check status.

      kubectl get ttc sampletls

    The output is similar to the following:

      NAME        STATE          ACTIVE        AGE
      sampletls   Initializing   None          2m33s

    The provisioning starts, but is not yet completed.
  - Wait a few minutes, then check status again.

      kubectl get ttc sampletls

    The output is similar to the following:

      NAME        STATE    ACTIVE        AGE
      sampletls   Normal   sampletls-0   4m37s

    The provisioning process completes. The databases are up and running and operational, as indicated by the Normal state.
- Verify the TimesTen Operator created the Kubernetes Secrets that contain the certificates for TimesTen servers and TimesTen clients.
  - Review the Secrets.

      kubectl get secrets

    The output is similar to the following:

      NAME               TYPE     DATA   AGE
      sampletls-client   Opaque   1      21m
      sampletls-server   Opaque   1      21m
      ...

  - Confirm the contents of the sampletls-server Secret.

      kubectl describe secret sampletls-server

    The output is similar to the following:

      Name:         sampletls-server
      Namespace:    mynamespace
      Labels:       <none>
      Annotations:  <none>

      Type:  Opaque

      Data
      ====
      cwallet.sso:  1525 bytes

    The Secret contains the cwallet.sso wallet. This wallet contains the self-signed certificate for TimesTen servers.
  - Confirm the contents of the sampletls-client Secret.

      kubectl describe secret sampletls-client

    The output is similar to the following:

      Name:         sampletls-client
      Namespace:    mynamespace
      Labels:       <none>
      Annotations:  <none>

      Type:  Opaque

      Data
      ====
      cwallet.sso:  1525 bytes

    The Secret contains the cwallet.sso wallet. This wallet contains the self-signed certificate for TimesTen clients.

  The TimesTen Operator ran the TimesTen ttCreateCerts utility to create self-signed certificates for client/server TLS encryption. The TimesTen Operator stored these certificates in Kubernetes Secrets.
- Verify the TimesTen Operator automatically configured TimesTen to use the certificates for client/server TLS encryption.
  - Establish a shell in the tt container of the sampletls-0 Pod.

      kubectl exec -it sampletls-0 -c tt -- /bin/bash

  - Confirm the existence of the server and client wallets.

      [timesten@sampletls-0 /]$ pwd
      /
      [timesten@sampletls-0 /]$ ls -a serverWallet
      .  ..  cwallet.sso
      [timesten@sampletls-0 /]$ ls -a clientWallet
      .  ..  cwallet.sso

    The /serverWallet/cwallet.sso wallet contains the self-signed certificate for TimesTen servers. The /clientWallet/cwallet.sso wallet contains the self-signed certificate for TimesTen clients.
  - (Optional) Confirm the contents of the sys.odbc.ini file.

      [timesten@sampletls-0 ~]$ cat /tt/home/timesten/instances/instance1/conf/sys.odbc.ini

    The output is similar to the following:

      [ODBC Data Sources]
      sampletls=TimesTen 22.1 Driver
      tt=TimesTen 22.1 Driver

      [sampletls]
      Datastore=/tt/home/timesten/datastore/sampletls
      PermSize=200
      DatabaseCharacterSet=AL32UTF8
      DDLReplicationLevel=3
      AutoCreate=0
      ForceDisconnectEnabled=1
      Wallet=/serverWallet
      Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      Encryption=required

      [tt]
      Datastore=/tt/home/timesten/datastore/sampletls
      PermSize=200
      DatabaseCharacterSet=AL32UTF8
      DDLReplicationLevel=3
      AutoCreate=0
      ForceDisconnectEnabled=1
      WaitForConnect=0
      Wallet=/serverWallet
      Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      Encryption=required

    The TimesTen Operator added the appropriate Wallet, Ciphersuites, and Encryption entries to the sys.odbc.ini file. The values for these entries were supplied in .spec.ttspec.clientTLS and are correct.
  - Exit from the shell.
- Verify TLS is being used.

  The following steps assume you have successfully copied the client wallet to the application container that is running your TimesTen client instance and that you have configured the appropriate client-side attributes. For more information about TimesTen client-side attributes, see Task 3: Set Client Configuration for TLS in TimesTen Classic in the Oracle TimesTen In-Memory Database Security Guide.
  - Establish a shell in the application container that contains your TimesTen client instance.

      kubectl exec -it client-0 -c tt -- /bin/bash

  - Use ttIsqlCS to connect to the sampletls database.

      [timesten@sampletls-0]$ ttisqlcs -connstr "TTC_SERVER1=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER2=sampletls-1.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;PWD=adminuserpwd;wallet=/clientWallet;ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;encryption=required";

    The output is similar to the following:

      Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
      Type ? or "help" for help, type "exit" to quit ttIsql.

      connect "TTC_SERVER1=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER2=sampletls-1.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;PWD=********;wallet=/clientWallet;ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;encryption=required";
      Connection successful: DSN=;TTC_SERVER=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;DATASTORE=/tt/home/timesten/datastore/sampletls;DATABASECHARACTERSET=AL32UTF8;CONNECTIONCHARACTERSET=US7ASCII;AUTOCREATE=0;PERMSIZE=200;DDLREPLICATIONLEVEL=3;FORCEDISCONNECTENABLED=1;Encryption=Required;Wallet=/clientWallet;CipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
      (Default setting AutoCommit=1)

  - Use the TimesTen sqlgetconnectattr command in ttIsqlCS to verify TLS is being used. A return value of 1 indicates TLS is being used.

      Command> sqlgetconnectattr tt_tls_session;

    The output is the following:

      TT_TLS_SESSION = 1 (SQL_TRUE)
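
The optional sys.odbc.ini review above can be repeated non-interactively against a copy of the file. This is an added example, not part of the Oracle documentation: the function name check_tls_dsn and the "legacy" DSN in the sample are hypothetical, and the sample file is constructed.

```shell
#!/bin/sh
# Added example: audit sys.odbc.ini for the TLS entries the Operator writes.
# check_tls_dsn FILE [SUITE] prints one line per finding; returns 1 if any
# DSN section lacks Wallet, Encryption=required, or the expected cipher suite.
check_tls_dsn() {
    awk -v want="${2:-SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384}" '
        function audit() {
            # The [ODBC Data Sources] section only lists drivers; skip it.
            if (sec == "" || sec == "ODBC Data Sources") return
            if (kv["wallet"] == "") { print sec ": no Wallet entry"; bad = 1 }
            if (tolower(kv["encryption"]) != "required") {
                print sec ": Encryption is not required"; bad = 1 }
            if (kv["ciphersuites"] != want) {
                print sec ": Ciphersuites is not " want; bad = 1 }
        }
        /^[ \t]*\[/ {   # new section header: audit the previous section first
            audit(); split("", kv)
            sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next
        }
        /=/ {           # key=value; keys lower-cased so Wallet and wallet match
            k = $0; sub(/=.*$/, "", k); v = $0; sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t\r]+$/, "", k); gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            kv[tolower(k)] = v
        }
        END { audit(); exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample: "sampletls" mirrors the page; "legacy" is a made-up DSN
# with no TLS entries, included to show what a finding looks like.
demo_ini=$(mktemp)
cat > "$demo_ini" <<'EOF'
[ODBC Data Sources]
sampletls=TimesTen 22.1 Driver
legacy=TimesTen 22.1 Driver
[sampletls]
Wallet=/serverWallet
Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Encryption=required
[legacy]
Datastore=/tt/home/timesten/datastore/legacy
EOF
check_tls_dsn "$demo_ini" || echo "audit failed: fix the DSNs listed above"
```

To audit a running Pod, redirect the output of the cat command shown in the optional step to a local file and pass that file to check_tls_dsn.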