Configure TLS for Client/Server
You can configure TLS for Client/Server to ensure secure network communication between TimesTen clients and servers. See Transport Layer Security for TimesTen Client/Server in the Oracle TimesTen In-Memory Database Security Guide for detailed information.
There are both server-side and client-side configuration requirements for using TLS for Client/Server. These requirements are detailed in these sections:
Configuration Requirements for the Server
These sections discuss the configuration requirements for the server. The sections also include an example of how to configure TLS for the server in your Kubernetes cluster.
Overview of Metadata Files and Kubernetes Facilities
The /ttconfig/csWallet metadata file is required for TLS support for Client/Server. (The /ttconfig directory is located in the containers of your TimesTen databases.) This file must contain the cwallet.sso file (the Oracle wallet) that was generated when you created the TLS certificates. This file is the Oracle wallet required for the server. Recall that this file was located in the /scratch/ttuser/instance_dir/instance1/conf/serverWallet directory. See Create TLS Certificates for Replication and Client/Server for information on creating these certificates. This wallet contains the credentials that are used for configuring TLS encryption between your TimesTen database and your Client/Server applications.
There are also server-side connection attributes that must be set. You can define these attributes in the db.ini metadata file. After the db.ini file is placed in the /ttconfig directory of the TimesTen containers, the Operator copies the contents of the db.ini file to the timesten_home/conf/sys.odbc.ini file located in the TimesTen containers. (Note that timesten_home is the TimesTen instance directory. This instance directory is /tt/home/timesten/instances/instance1 in your TimesTen containers.)
These required server-side attributes are: Wallet, CipherSuites, and Encryption. See Create a ConfigMap for the Server-Side Attributes for information on these attributes. Also see Server Attributes for TLS in the Oracle TimesTen In-Memory Database Security Guide.
In addition to the csWallet and the db.ini metadata files, you may use other supported metadata files. See About Configuration Metadata Details for information on these supported metadata files.
You can include these metadata files in one or more Kubernetes facilities (for example, in a Kubernetes Secret, in a ConfigMap, or in an init container). This ensures the metadata files are populated in the /ttconfig directory of the TimesTen containers. Note that there is no requirement as to how to get the metadata files into this /ttconfig directory. See Populate the /ttconfig Directory.
The following example includes the csWallet metadata file in a Kubernetes Secret. It also creates the db.ini, the adminUser, and the schema.sql metadata files and includes these metadata files in a ConfigMap.
Create a Kubernetes Secret for the csWallet Metadata File
This section creates the cs-tls Kubernetes Secret. The cs-tls Secret will contain the csWallet metadata file.
On your Linux development host:
You have successfully created and deployed the cs-tls Kubernetes Secret. The csWallet/cwallet.sso file will later be available in the /ttconfig directory of the TimesTen containers. In addition, the file will be available in the /tt/home/timesten/csWallet directory of the TimesTen containers.
Create a ConfigMap for the Server-Side Attributes
This section creates the cs-tls ConfigMap. This ConfigMap contains the db.ini, the adminUser, and the schema.sql metadata files.
On your Linux development host:
You have successfully created and deployed the cs-tls ConfigMap.
Create a TimesTenClassic Object
This section creates the TimesTenClassic object. See Define and Create a TimesTenClassic Object and About the TimesTenClassic Object Type for detailed information on the TimesTenClassic object.
Perform these steps:
You have successfully created the TimesTenClassic object in the Kubernetes cluster. The process of deploying your TimesTen databases begins, but is not yet complete.
Configuration Requirements for the Client
These sections cover the client requirements for TLS.
Copy a Client Wallet
When you used the ttCreateCerts utility to create TLS certificates, the cwallet.sso wallet file located in the /scratch/ttuser/instance_dir/instance1/conf/clientWallet directory was generated. This file must be copied to the application container that is running your TimesTen client instance. See Create TLS Certificates for Replication and Client/Server for information on creating the TLS certificates.
This example uses the kubectl cp command to copy the /scratch/ttuser/instance_dir/instance1/conf/clientWallet/cwallet.sso file from your Linux development host to the application container running your TimesTen client instance.
You have successfully copied the cwallet.sso client wallet file to the application container that is running your TimesTen client instance.
Configure Client-Side Attributes
You must set client-side attributes for TLS for Client/Server. The attributes can be set in the client DSN definition in timesten_home/conf/sys.odbc.ini or in an appropriate Client/Server connection string. See About Using Client/Server Drivers for additional information.
These are the required client-side attributes for TLS for Client/Server:
- wallet: This is the directory that contains the cwallet.sso client wallet file. This directory is located in your application container that is running the TimesTen client instance. There is no default directory. In this example, recall that the clientWallet directory was created to denote this directory. (See Copy a Client Wallet for information.) For purposes of this example, the full path to the clientWallet directory is /tt/home/timesten/clientWallet. Therefore, in this example, /tt/home/timesten/clientWallet is used to denote this directory.
- ciphersuites: This is the cipher suite setting. Valid values are SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256 or SSL_ECDHE_ECDSA_WITH_AES_256_GCM_384, or both, comma separated and in order of preference. There is no default setting. For TLS to be used, the server and the client settings must include at least one common suite. This example specifies SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256. See Configuration for TLS for Client/Server in the Oracle TimesTen In-Memory Database Security Guide for information on the cipher suite settings.
- encryption: This is the encryption setting for the client. This example specifies the required setting. See Configuration for TLS for Client/Server in the Oracle TimesTen In-Memory Database Security Guide for information on the valid encryption settings.
This example uses a connection string to connect to the cstsl database as the sampleuser user. The sampleuser user was created by the Operator and already exists in the cstsl database. The example then uses the sqlgetconnectattr command from ttIsqlCS on the client to verify that TLS is configured correctly on the server and on the client and that TLS is being used.
You have successfully connected to the database and verified that TLS for Client/Server is being used.
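As an added example that is not part of this documentation or of the Operator's own code, the following Python renders the server-side db.ini attributes and the client connection string described above (for both the server and the client attribute sections) and checks, before any connection is attempted, that the two cipher suite lists share at least one suite and that the three TLS attributes are set on both sides. The TTC_SERVER host name is an assumed value; the paths, suite names and database name are taken from this page.

```python
# Added example, not from the TimesTen documentation or the Operator's code.
# Renders the server db.ini TLS attributes and the client connection string
# used on this page, then checks that the two CipherSuites lists share a suite
# (the page's stated condition for TLS to be used) and that wallet,
# ciphersuites and encryption are set on both sides (none has a default).
SERVER_WALLET = "/tt/home/timesten/csWallet"        # directory stated on the page
CLIENT_WALLET = "/tt/home/timesten/clientWallet"    # directory stated on the page
SUITE_128 = "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_256"  # suite names as on the page
SUITE_256 = "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_384"
REQUIRED = ("wallet", "ciphersuites", "encryption")  # no defaults, must be set

def server_db_ini(suites, encryption="required"):
    """Render the db.ini lines the Operator copies into sys.odbc.ini."""
    return "\n".join([f"Wallet={SERVER_WALLET}",
                      f"CipherSuites={','.join(suites)}",
                      f"Encryption={encryption}"])

def client_conn_string(uid, suites, encryption="required",
                       server="cstsl-0.cstsl.default.svc.cluster.local"):
    """Client connection string for the cstsl database; the host name is assumed."""
    return ";".join([f"TTC_SERVER={server}", "TTC_SERVER_DSN=cstsl", f"uid={uid}",
                     f"wallet={CLIENT_WALLET}", f"ciphersuites={','.join(suites)}",
                     f"encryption={encryption}"])

def parse_attrs(text):
    """Parse key=value pairs separated by newlines (db.ini) or ';' (connection
    string); TimesTen attribute names are case-insensitive, so keys are lowered."""
    attrs = {}
    for pair in text.replace(";", "\n").splitlines():
        if "=" in pair and not pair.lstrip().startswith("#"):
            key, value = pair.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs

def negotiated_suite(server_attrs, client_attrs):
    """First suite in the client's preference order that the server also lists."""
    def suites(a):
        return [s.strip() for s in a.get("ciphersuites", "").split(",") if s.strip()]
    server_suites = suites(server_attrs)
    return next((s for s in suites(client_attrs) if s in server_suites), None)

def tls_check(server_text, client_text):
    """Report whether TLS can be used with these settings and, if not, why."""
    srv, cli = parse_attrs(server_text), parse_attrs(client_text)
    problems = [f"{k} missing on server" for k in REQUIRED if not srv.get(k)]
    problems += [f"{k} missing on client" for k in REQUIRED if not cli.get(k)]
    suite = negotiated_suite(srv, cli)
    if suite is None:
        problems.append("no common cipher suite")
    return {"tls": not problems, "suite": suite, "problems": problems}
```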