Configure and Deploy the TimesTenClassic Object

This example shows you how to configure and deploy a TimesTenClassic object for automatic client/server TLS encryption. This example uses a YAML manifest file.

  1. From a directory of your choice, create the YAML manifest file.
    vi sampletls.yaml
    
    apiVersion: timesten.oracle.com/v4
    kind: TimesTenClassic
    metadata:
      name: sampletls
    spec:
      ttspec:
        storageClassName: oci-bv
        clientTLS:
          auto: true
          ciphersuites: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
          eccurve: p256
          encryption: required
          signAlg: ecdsasha384
          validity: 365  
        storageSize: 10Gi
        image: container-registry.oracle.com/timesten/timesten:22.1.1.34.0
        imagePullSecret: sekret
        dbConfigMap:
        - sampletls
    Note the following:
    • .spec.ttspec.clientTLS is specified and .spec.ttspec.clientTLS.auto is set to true. This directs the TimesTen Operator to automatically create self-signed certificates and configure TimesTen to use those certificates for client/server TLS encryption.

    • .spec.ttspec.clientTLS.ciphersuites is specified. The TimesTen Operator adds a ciphersuites entry with a value of SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 to the sys.odbc.ini file.

    • .spec.ttspec.clientTLS.eccurve is specified. The TimesTen Operator adds the -eccurve option to the ttCreateCerts utility and supplies a value of p256 for this option.

    • .spec.ttspec.clientTLS.encryption is specified. The TimesTen Operator adds an encryption entry with a value of required to the sys.odbc.ini file.

    • .spec.ttspec.clientTLS.signAlg is specified. The TimesTen Operator adds the -sign_alg option to the ttCreateCerts utility and supplies a value of ecdsasha384 for this option.

    • .spec.ttspec.clientTLS.validity is specified. The TimesTen Operator adds the -validity option to the ttCreateCerts utility and supplies a value of 365 for this option.

  2. Deploy the TimesTenClassic object.
    kubectl create -f sampletls.yaml
    The output is the following:
    timestenclassic.timesten.oracle.com/sampletls created
  3. Monitor deployment.
    1. Check status.
      kubectl get ttc sampletls

      The output is similar to the following:

      NAME        STATE          ACTIVE   AGE
      sampletls   Initializing   None     2m33s

      The provisioning starts, but is not yet completed.

    2. Wait a few minutes, then check status again.
      kubectl get ttc sampletls

      The output is similar to the following:

      NAME        STATE    ACTIVE        AGE
      sampletls   Normal   sampletls-0   4m37s

      The provisioning process completes. The databases are up and running and operational, as indicated by the Normal state.

  4. Verify the TimesTen Operator created the Kubernetes Secrets that contain the certificates for TimesTen servers and TimesTen clients.
    1. Review the Secrets.
      kubectl get secrets

      The output is similar to the following:

      NAME                                     TYPE                             DATA   AGE
      sampletls-client                         Opaque                           1      21m
      sampletls-server                         Opaque                           1      21m
      ...
    2. Confirm the contents of the sampletls-server Secret.
      kubectl describe secret sampletls-server

      The output is similar to the following:

      Name:         sampletls-server
      Namespace:    mynamespace
      Labels:       <none>
      Annotations:  <none>
      
      Type:  Opaque
      
      Data
      ====
      cwallet.sso:  1525 bytes

      The Secret contains the cwallet.sso wallet. This wallet contains the self-signed certificate for TimesTen servers.

    3. Confirm the contents of the sampletls-client Secret.
      kubectl describe secret sampletls-client

      The output is similar to the following:

      Name:         sampletls-client
      Namespace:    mynamespace
      Labels:       <none>
      Annotations:  <none>
      
      Type:  Opaque
      
      Data
      ====
      cwallet.sso:  1525 bytes

      The Secret contains the cwallet.sso wallet. This wallet contains the self-signed certificate for TimesTen clients.

    The TimesTen Operator ran the TimesTen ttCreateCerts utility to create self-signed certificates for client/server TLS encryption. The TimesTen Operator stored these certificates in Kubernetes Secrets.
  5. Verify the TimesTen Operator automatically configured TimesTen to use the certificates for client/server TLS encryption.
    1. Establish a shell in the tt container of the sampletls-0 Pod.
      kubectl exec -it sampletls-0 -c tt -- /bin/bash
    2. Confirm the existence of the server and client wallets.
      [timesten@sampletls-0 /]$ pwd
      /
      [timesten@sampletls-0 /]$ ls -a serverWallet
      .  ..  cwallet.sso
      
      [timesten@sampletls-0 /]$ ls -a clientWallet
      .  ..  cwallet.sso

      The /serverWallet/cwallet.sso wallet contains the self-signed certificate for TimesTen servers. The /clientWallet/cwallet.sso wallet contains the self-signed certificate for TimesTen clients.

    3. (Optional) Confirm the contents of sys.odbc.ini file.
      [timesten@sampletls-0 ~]$ cat /tt/home/timesten/instances/instance1/conf/sys.odbc.ini

      The output is similar to the following:

      [ODBC Data Sources]
      sampletls=TimesTen 22.1 Driver
      tt=TimesTen 22.1 Driver
      
      [sampletls]
      Datastore=/tt/home/timesten/datastore/sampletls
      PermSize=200
      DatabaseCharacterSet=AL32UTF8
      DDLReplicationLevel=3
      AutoCreate=0
      ForceDisconnectEnabled=1
      Wallet=/serverWallet
      Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      Encryption=required
      
      [tt]
      Datastore=/tt/home/timesten/datastore/sampletls
      PermSize=200
      DatabaseCharacterSet=AL32UTF8
      DDLReplicationLevel=3
      AutoCreate=0
      ForceDisconnectEnabled=1
      WaitForConnect=0
      Wallet=/serverWallet
      Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      Encryption=required

      The TimesTen Operator correctly added appropriate Wallet, Ciphersuites, and Encryption entries to the sys.odbc.ini file. The values for these entries were supplied in .spec.ttspec.clientTLS and are correct.

    4. Exit from the shell.
  6. Verify TLS is being used.

    The following steps assume you have successfully copied the client wallet to the application container that is running your TimesTen client instance and that you have configured the appropriate client-side attributes. For more information about TimesTen client-side attributes, see Task 3: Set Client Configuration for TLS in TimesTen Classic in the Oracle TimesTen In-Memory Database Security Guide.

    1. Establish a shell in the application container that contains your TimesTen client instance.
      kubectl exec -it client-0 -c tt -- /bin/bash
    2. Use ttIsqlCS to connect to the sampletls database.
      [timesten@sampletls-0]$ ttisqlcs -connstr "TTC_SERVER1=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER2=sampletls-1.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;PWD=adminuserpwd;wallet=/clientWallet;ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;encryption=required";
      The output is similar to the following:
      Copyright (c) 1996, 2025, Oracle and/or its affiliates. All rights reserved.
      Type ? or "help" for help, type "exit" to quit ttIsql.
      
      
      
      connect "TTC_SERVER1=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER2=sampletls-1.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;PWD=********;wallet=/clientWallet;ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;encryption=required";
      Connection successful: DSN=;TTC_SERVER=sampletls-0.sampletls.mynamespace.svc.cluster.local;TTC_SERVER_DSN=sampletls;UID=adminuser;DATASTORE=/tt/home/timesten/datastore/sampletls;DATABASECHARACTERSET=AL32UTF8;CONNECTIONCHARACTERSET=US7ASCII;AUTOCREATE=0;PERMSIZE=200;DDLREPLICATIONLEVEL=3;FORCEDISCONNECTENABLED=1;Encryption=Required;Wallet=/clientWallet;CipherSuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384;
      (Default setting AutoCommit=1)
    3. Use the TimesTen sqlgetconnectattr command in ttIsqlCS to verify TLS is being used. A return value of 1 indicates TLS is being used.
      Command> sqlgetconnectattr tt_tls_session;

      The output is the following:

      
      TT_TLS_SESSION = 1 (SQL_TRUE)
Congratulations! You successfully configured a TimesTenClassic object for automatic client/server TLS encryption. After you deployed the TimesTenClassic object in your namespace, the TimesTen Operator automatically created self-signed certificates and configured TimesTen to use those certificates for client/server TLS encryption.
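
The sys.odbc.ini review in step 5 can be scripted so that every DSN section is checked for the Wallet, Ciphersuites, and Encryption entries that .spec.ttspec.clientTLS is expected to produce. The following shell function is an added example, not part of the Oracle documentation or the TimesTen Operator; the names check_tls_dsn and sample_ini and the [legacy] DSN in the sample are constructed for illustration.

```shell
#!/bin/sh
# check_tls_dsn EXPECTED_CIPHERSUITES [FILE]   (reads stdin when FILE is omitted)
# Hypothetical helper: prints one "dsn: finding" line per problem, returns 1 on any.
check_tls_dsn() {
  awk -v want="$1" '
    function trim(s) { gsub(/^[ \t\r]+|[ \t\r]+$/, "", s); return s }
    function report(msg) { print sec ": " msg; bad = 1 }
    function audit() {
      # Skip text before the first section and the driver list section.
      if (sec == "" || tolower(sec) == "odbc data sources") return
      if (a["wallet"] == "") report("Wallet not set")
      if (tolower(a["encryption"]) != "required")
        report("Encryption=" a["encryption"] " (expected required)")
      if (a["ciphersuites"] != want)
        report("Ciphersuites=" a["ciphersuites"] " (expected " want ")")
    }
    /^[ \t]*\[/ {                      # new [section]: audit the previous one
      audit(); split("", a)
      sec = trim($0); sec = substr(sec, 2); sub(/\].*$/, "", sec); next
    }
    /^[ \t]*[#;]/ { next }             # comment lines
    {
      i = index($0, "=")               # attribute names compared case-insensitively
      if (i > 0) a[tolower(trim(substr($0, 1, i - 1)))] = trim(substr($0, i + 1))
    }
    END { audit(); exit bad + 0 }
  ' "${2:--}"
}

# Constructed sample: [sampletls] mirrors the entries shown in step 5;
# [legacy] is an invented DSN without the TLS entries, to show the findings.
sample_ini() {
  cat <<'EOF'
[ODBC Data Sources]
sampletls=TimesTen 22.1 Driver
legacy=TimesTen 22.1 Driver

[sampletls]
Wallet=/serverWallet
Ciphersuites=SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Encryption=required

[legacy]
Encryption=accepted
EOF
}

# Demo on the constructed sample: reports three findings, all for [legacy].
sample_ini | check_tls_dsn SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 || echo "sys.odbc.ini is not TLS-compliant"
```

Against a live deployment, pipe in the file from step 5: `kubectl exec sampletls-0 -c tt -- cat /tt/home/timesten/instances/instance1/conf/sys.odbc.ini | check_tls_dsn SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`.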