About Configuring a TimesTenClassic Object for Automatic Client/Server TLS Encryption

You can customize your TimesTenClassic object to enable automatic client/server TLS encryption by including a .spec.ttspec.clientTLS section in your TimesTenClassic object definition. When you include the .spec.ttspec.clientTLS section in your TimesTenClassic object definition and set .spec.ttspec.clientTLS.auto to true, the TimesTen Operator notices and takes action to create self-signed certificates and configure TimesTen to use those certificates for client/server encryption.

Here is a snippet of a TimesTenClassic object that uses .spec.ttspec.clientTLS.
apiVersion: timesten.oracle.com/v4
kind: TimesTenClassic
metadata:
  name: sampletls
spec:
  ttspec:
    storageClassName: oci-bv
    clientTLS:
      auto: true
      ciphersuites: SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      eccurve: p256
      encryption: required
      signAlg: ecdsasha384
      validity: 365
    storageSize: 10Gi
    image: container-registry.oracle.com/timesten/timesten:22.1.1.34.0
    imagePullSecret: sekret
    dbConfigMap:
    - sampletls
Let's look at .spec.ttspec.clientTLS in more detail:
  • auto: Determines if automatic client/server encryption is enabled. Set auto to true to enable automatic client/server encryption. The default is false. If set to false, there is no automatic client/server encryption for this TimesTenClassic object.

  • ciphersuites: Defines the cipher suite(s) used for client/server communication. You can specify one or more cipher suites. If there is more than one cipher suite, use a comma-separated list, and list the cipher suites in order of preference. This example specifies SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384.

    The TimesTen Operator first checks to see if there is a ciphersuites entry in the db.ini file.
    • If there is an entry, the TimesTen Operator uses it.

    • If there is no entry, the TimesTen Operator uses the value specified in .spec.ttspec.clientTLS.ciphersuites.

    • If .spec.ttspec.clientTLS.auto is true, and there is no value specified in either the db.ini file or in .spec.ttspec.clientTLS.ciphersuites, the TimesTen Operator sets the value to SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.

    The TimesTen Operator adds the ciphersuites value to the TimesTen Server's sys.odbc.ini file.

  • eccurve: Defines the elliptic curve used to generate the keys for the created certificates (the signing algorithm itself is set by signAlg). This example specifies p256.

    When the TimesTen Operator runs the TimesTen ttCreateCerts utility, it supplies the .spec.ttspec.clientTLS.eccurve value to the -eccurve option of the TimesTen ttCreateCerts utility. If you do not specify a value, the default is p384. For a list of supported values, see TimesTenClassicSpecSpecClientTLS.

  • encryption: Defines the encryption setting for client/server access. This example specifies required.

    The TimesTen Operator first checks to see if there is an encryption entry in the db.ini file for the object.
    • If there is an entry, the TimesTen Operator uses it.

    • If there is no entry, the TimesTen Operator uses the value specified in .spec.ttspec.clientTLS.encryption.

    • If .spec.ttspec.clientTLS.auto is true, and there is no value specified in either the db.ini file or in .spec.ttspec.clientTLS.encryption, the TimesTen Operator sets the value to accepted. Note that accepted means the TimesTen Server permits, but does not require, encrypted connections, so a client that does not request encryption still connects in cleartext. Set encryption to required (as in this example) if every client/server connection must be encrypted. For a list of supported values, see TimesTenClassicSpecSpecClientTLS.

    The TimesTen Operator adds the encryption value to the TimesTen Server's sys.odbc.ini file.

  • signAlg: Defines the signature algorithm used to sign the created certificates. This example specifies ecdsasha384 (ECDSA with SHA-384).

    When the TimesTen Operator runs the TimesTen ttCreateCerts utility, it supplies the .spec.ttspec.clientTLS.signAlg value to the -sign_alg option of the TimesTen ttCreateCerts utility. If you do not specify a value, the default is ecdsasha384. For a list of supported values, see TimesTenClassicSpecSpecClientTLS.

  • validity: Defines the number of days the created certificate is valid. This example specifies 365.

    When the TimesTen Operator runs the TimesTen ttCreateCerts utility, it supplies the .spec.ttspec.clientTLS.validity value to the -validity option of the TimesTen ttCreateCerts utility. If you do not specify a value, the default is 3650. For a list of supported values, see TimesTenClassicSpecSpecClientTLS.

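To see how the precedence described above works out before you apply an object, here is a small Python resolver and checker. It is an added example, not code from the TimesTen Operator or the TimesTen documentation. It takes the .spec.ttspec.clientTLS map and the text of the object's db.ini, applies the db.ini > spec > default order for the two settings the text says db.ini can override (ciphersuites and encryption), uses the spec or the default for the ttCreateCerts settings (eccurve, signAlg, validity), and reports what a reviewer would want to know: a spec value silently shadowed by db.ini, and an effective encryption setting other than required. The db.ini content is constructed for the example; case-insensitive matching of attribute names and the '#'/';' comment syntax are assumptions.

```python
"""Resolve and check the effective client/server TLS settings of a
TimesTenClassic object (example code, not part of the TimesTen Operator)."""
from typing import Dict, List, Tuple

# Defaults stated in the documentation; they apply only when clientTLS.auto is true.
DEFAULTS = {
    "ciphersuites": "SSL_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "encryption": "accepted",
    "eccurve": "p384",
    "signAlg": "ecdsasha384",
    "validity": 3650,
}
# Settings the Operator reads from db.ini before falling back to the spec.
# Assumption: attribute names are matched case-insensitively.
INI_OVERRIDABLE = {"ciphersuites": "ciphersuites", "encryption": "encryption"}

# Constructed sample input, not taken from any real deployment.
SAMPLE_SPEC: Dict[str, object] = {
    "auto": True,
    "ciphersuites": "SSL_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "eccurve": "p256",
    "encryption": "required",
    "signAlg": "ecdsasha384",
    "validity": 365,
}
SAMPLE_DB_INI = """# constructed db.ini from the object's dbConfigMap
PermSize=200
Encryption=accepted
"""


def parse_db_ini(text: str) -> Dict[str, str]:
    """Parse Attr=Value lines; blank lines and '#'/';' comments are skipped
    (comment syntax is an assumption of this example)."""
    attrs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if "=" not in line:
            raise ValueError(f"malformed db.ini line: {raw!r}")
        key, value = line.split("=", 1)
        attrs[key.strip().lower()] = value.strip()
    return attrs


def resolve_client_tls(client_tls: Dict[str, object], db_ini: str) -> Dict[str, Tuple[object, str]]:
    """Return {setting: (effective value, source)} with source one of
    'db.ini', 'spec' or 'default'. Empty when clientTLS.auto is not true."""
    if client_tls.get("auto") is not True:
        return {}
    ini = parse_db_ini(db_ini)
    effective: Dict[str, Tuple[object, str]] = {}
    for name, default in DEFAULTS.items():
        ini_key = INI_OVERRIDABLE.get(name)
        if ini_key is not None and ini_key in ini:
            effective[name] = (ini[ini_key], "db.ini")
        elif name in client_tls:
            effective[name] = (client_tls[name], "spec")
        else:
            effective[name] = (default, "default")
    return effective


def check_client_tls(client_tls: Dict[str, object], db_ini: str) -> List[str]:
    """Findings a reviewer would raise before applying the object."""
    findings: List[str] = []
    effective = resolve_client_tls(client_tls, db_ini)
    if not effective:
        return ["clientTLS.auto is not true: no automatic client/server TLS"]
    # A db.ini entry wins silently over the spec; surface the disagreement.
    for name, (value, source) in effective.items():
        if source == "db.ini" and name in client_tls and str(client_tls[name]) != str(value):
            findings.append(f"{name}: spec value {client_tls[name]!r} is shadowed by db.ini value {value!r}")
    # Anything other than 'required' lets a client connect without TLS.
    encryption = effective["encryption"][0]
    if str(encryption).lower() != "required":
        findings.append(f"encryption={encryption}: the server does not require TLS; clients may connect in cleartext")
    suites = [s.strip() for s in str(effective["ciphersuites"][0]).split(",") if s.strip()]
    if not suites:
        findings.append("ciphersuites is empty")
    validity = effective["validity"][0]
    if not isinstance(validity, int) or validity <= 0:
        findings.append(f"validity={validity!r} is not a positive number of days")
    return findings


if __name__ == "__main__":
    for setting, (value, source) in resolve_client_tls(SAMPLE_SPEC, SAMPLE_DB_INI).items():
        print(f"{setting:13} = {value!s:45} ({source})")
    for finding in check_client_tls(SAMPLE_SPEC, SAMPLE_DB_INI):
        print("FINDING:", finding)
```

With the constructed db.ini, the spec's encryption: required is shadowed by Encryption=accepted in db.ini, so the checker reports both the shadowing and the resulting non-required encryption; removing the db.ini entry leaves the spec value in force and the checker silent.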
For more information, see the following: