Create TLS Certificates for Replication and Client/Server

By default, TimesTen replication transmits data between your TimesTen databases unencrypted. In addition, in a TimesTen Client/Server environment, by default data is transmitted unencrypted between your application and your TimesTen database.

You can choose to enable encryption for replication and for Client/Server through the use of Transport Layer Security (TLS). TimesTen provides the ttCreateCerts utility to generate self-signed certificates for TLS. For more information on TLS certificates and wallets, see About Using Certificates with Client/Server in the Oracle TimesTen In-Memory Database Security Guide.

Note:

Java must be installed on your development host in order for you to use the ttCreateCerts utility. The utility searches for Java according to the JRE_HOME, JAVA_HOME, and PATH settings.

The ttCreateCerts utility is located in the /bin directory of a TimesTen instance. The utility creates three wallets: rootWallet, clientWallet, and serverWallet.

From your Linux development host, perform these steps to create the certificates.

  1. Navigate to the bin directory of the installation and run the ttInstanceCreate utility interactively to create an instance. Recall that the installation_dir directory was created when you unpacked the TimesTen distribution. See "Unpack the TimesTen and the TimesTen Operator Distributions" for information on unpacking the TimesTen distribution.

    You must create a TimesTen instance because the ttCreateCerts utility runs from a TimesTen instance. For more information on the ttInstanceCreate utility, see ttInstanceCreate in the Oracle TimesTen In-Memory Database Reference.

    Create the instance directory (/scratch/ttuser/instance_dir, in this example), then run the ttInstanceCreate utility, supplying the -name and the -location parameters. This example uses instance1 as the name of the instance and uses /scratch/ttuser/instance_dir as the location of the instance.

    % mkdir /scratch/ttuser/instance_dir
    
    % installation_dir/tt22.1.1.19.0/bin/ttInstanceCreate -name instance1 \
      -location /scratch/ttuser/instance_dir
    Creating instance in /scratch/ttuser/instance_dir/instance1 ...
    INFO: Mapping files from the installation to /scratch/ttuser/instance_dir/instance1/install
     
    NOTE: The TimesTen daemon startup/shutdown scripts have not been installed.
     
    The startup script is located here :
            '/scratch/ttuser/instance_dir/instance1/startup/tt_instance1'
     
    Run the 'setuproot' script :
            /scratch/ttuser/instance_dir/instance1/bin/setuproot -install
    This will move the TimesTen startup script into its appropriate location.
     
    The 22.1 Release Notes are located here :
      'installation_dir/tt22.1.1.19.0/README.html'
    
  2. Set the TIMESTEN_HOME environment variable. This variable must be set before you run the ttCreateCerts utility. From the bin directory of the instance, source the ttenv.csh or the ttenv.sh script.

    This example uses the bash Bourne-type shell. (Not all output is shown.)

    % . /scratch/ttuser/instance_dir/instance1/bin/ttenv.sh
    LD_LIBRARY_PATH set to 
    ...
    PATH set to 
    ...
    CLASSPATH set to 
    TIMESTEN_HOME set to /scratch/ttuser/instance_dir/instance1
    
  3. Run the ttCreateCerts utility from the bin directory of the instance. This example uses the -verbose qualifier to show detailed output. See Using TLS for Client/Server in TimesTen Classic in the Oracle TimesTen In-Memory Database Security Guide for more information on the ttCreateCerts utility.

    The default wallet directory is timesten_home/conf, where timesten_home is the TimesTen instance home directory. This example uses this default wallet directory.

    % /scratch/ttuser/instance_dir/instance1/bin/ttCreateCerts -verbose
    Requested Certificates:
    User Certificates:
    Subject:        CN=server1,C=US
    Trusted Certificates:
    Subject:        CN=ecRoot,C=US
    Requested Certificates:
    User Certificates:
    Subject:        CN=client1,C=US
    Trusted Certificates:
    Subject:        CN=ecRoot,C=US
    ttCreateCerts : certificates created in /scratch/ttuser/instance_dir/instance1/conf
    
  4. Review the wallet locations and the certificates (client1.cert, root.cert, and server1.cert in the listing that follows). The cwallet.sso file in the serverWallet directory is the file you will supply as the replicationWallet metadata file for replication and for the server in a Client/Server environment. The cwallet.sso file in the clientWallet directory is the file you will use for the client in a Client/Server environment. See "About Configuration Metadata Details" for information on the replicationWallet and the clientWallet metadata files. Also see "Configure TLS for Replication" and "Configure TLS for Client/Server" for information on using these metadata files.

    % ls $TIMESTEN_HOME/conf
    client1.cert  root.cert   server1.cert  snmp.ini      sys.ttconnect.ini
    clientWallet  rootWallet  serverWallet  sys.odbc.ini  timesten.conf
    
    % ls $TIMESTEN_HOME/conf/*Wallet*
    /scratch/ttuser/instance_dir/instance1/conf/clientWallet:
    cwallet.sso  cwallet.sso.lck
     
    /scratch/ttuser/instance_dir/instance1/conf/rootWallet:
    cwallet.sso  cwallet.sso.lck
     
    /scratch/ttuser/instance_dir/instance1/conf/serverWallet:
    cwallet.sso  cwallet.sso.lck
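
A post-creation check for the wallets listed above, as an added example that is not part of Oracle's documentation or tooling. Because cwallet.sso is an auto-login wallet that opens without a password, file permissions are what protect it; the owner-only policy, the function names (audit_wallets, wallet_digest, make_sample_conf) and the use of GNU stat and sha256sum are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): audit the wallets that ttCreateCerts writes.
# Assumed policy: each cwallet.sso is accessible by its owner only.

# Print one line per problem; return the number of problems (0 = clean).
audit_wallets() {
    conf_dir=$1
    problems=0
    for w in rootWallet clientWallet serverWallet; do
        sso="$conf_dir/$w/cwallet.sso"
        if [ ! -f "$sso" ]; then
            echo "MISSING  $sso"
            problems=$((problems + 1))
            continue
        fi
        mode=$(stat -c '%a' "$sso")       # GNU stat, for example 600 or 644
        case $mode in
            0|*00) ;;                      # no group/other permission bits
            *) echo "LOOSE    $sso (mode $mode)"
               problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# SHA-256 of a wallet, to compare against the copy later supplied as the
# replicationWallet or clientWallet metadata file.
wallet_digest() {
    sha256sum "$1" | cut -d' ' -f1
}

# Constructed sample layout mirroring the listing above; clientWallet is
# deliberately left group/world-readable so the audit has something to report.
make_sample_conf() {
    d=$(mktemp -d)
    for w in rootWallet clientWallet serverWallet; do
        mkdir "$d/$w"
        printf 'constructed placeholder, not a real wallet\n' > "$d/$w/cwallet.sso"
        chmod 600 "$d/$w/cwallet.sso"
    done
    chmod 644 "$d/clientWallet/cwallet.sso"
    echo "$d"
}

# Audit a real instance when a conf directory is passed: "$TIMESTEN_HOME/conf".
if [ $# -gt 0 ]; then
    audit_wallets "$1"
fi
```

Run it with `$TIMESTEN_HOME/conf` as the argument after step 3, and record `wallet_digest` for the serverWallet and clientWallet files before copying them into your metadata.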
    

You have successfully created the certificates that can be used for TLS for both replication and TimesTen Client/Server. You are now ready to configure and use TLS for replication, for Client/Server, or for both replication and Client/Server.