Import CA-Signed Certificates for Client/Server TLS Encryption
The TimesTen Operator can create Oracle Wallets, use CA-signed certificates, and automatically configure client/server encryption using Transport Layer Security (TLS).
The configuration process assumes that you have already obtained CA-signed certificates. For example, if you use an intermediate CA, you need the root CA certificate, an intermediate certificate signed by the root CA, a server certificate signed by the intermediate CA, and the server's private key. Once you have the certificates and the private key, you concatenate the certificates into a full chain and package the chain together with the key into a password-protected PKCS#12 file. You then perform the steps necessary for the TimesTen Operator to import the certificates and configure client/server TLS encryption.
- Concatenate the server certificate, the intermediate certificate, and the root CA certificate, in that order, to make a full certificate chain:

    cat server.pem intermediate.pem root.pem > completeServer.pem

- Combine the chain with the server's private key to create a PKCS#12 file protected with a password:

    openssl pkcs12 -export -in completeServer.pem -inkey privkey.pem -out server.p12 -passout pass:welcome1

- Create a Kubernetes Secret that holds the PKCS#12 file under the key server and its password under the key password:

    kubectl create secret generic tt-server-pfx-secret --from-file=server=server.p12 --from-literal=password=welcome1

- Define a TimesTenClassic object whose customClientTLS section (see the TimesTenClassic CRD) references that Secret in serverCert. For example, save the following to a file (here called sampletls):

    apiVersion: timesten.oracle.com/v5
    kind: TimesTenClassic
    metadata:
      name: sampletls
    spec:
      ttspec:
        storageClassName: local-storage
        storageSize: 50Gi
        image: container-registry.oracle.com/timesten/timesten:26.1.1.36.0
        imagePullSecret: sekret
        customClientTLS:
          encryption: required
          gracePeriod: 48
          ciphersuites: TLS_RSA_WITH_AES_128_GCM_SHA256
          serverCert: tt-server-pfx-secret
        dbConfigMap:
        - sampletls

- Create the TimesTenClassic object:

    kubectl create -f sampletls
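The packaging steps above, as an added shell example that is not part of the TimesTen documentation or the Operator: it builds the same completeServer.pem and PKCS#12 file, but first verifies that the server certificate actually chains to the root through the intermediate and that the private key belongs to the server certificate, which are the two mistakes that otherwise only surface as a failed TLS handshake after deployment. The certificate and key file names and the Secret name and keys follow the steps above; the password file name p12.pass is an assumption. Reading the password from a file keeps it out of shell history and process listings, and handing the same file to kubectl with --from-file gives the Secret byte-for-byte the password openssl used (so the file must be written without a trailing newline).

```shell
#!/bin/sh
# Added example, not from the TimesTen documentation: build the PKCS#12 bundle
# the Operator expects, but verify the chain and the key first so that a wrong
# root, a missing intermediate or a mismatched key is caught before anything
# is deployed. File and Secret names follow the documented steps; the
# password file name (p12.pass) is an assumption.
set -eu

# Check that the server certificate chains to the root through the
# intermediate. Returns non-zero if the chain is broken or the root is wrong.
verify_chain() {
  server=$1; intermediate=$2; root=$3
  openssl verify -CAfile "$root" -untrusted "$intermediate" "$server" >/dev/null 2>&1
}

# Check that the private key belongs to the server certificate by comparing
# the public key carried by each (works for RSA and EC keys alike).
key_matches_cert() {
  cert=$1; key=$2
  [ "$(openssl x509 -in "$cert" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]
}

# Build completeServer.pem (server, intermediate, root, in that order) and
# export it together with the key as a password-protected PKCS#12 file. The
# password is read from a mode-0600 file rather than passed as -passout pass:,
# so it does not end up in shell history or in `ps` output.
build_server_p12() {
  server=$1; intermediate=$2; root=$3; key=$4; out=$5; passfile=$6
  verify_chain "$server" "$intermediate" "$root" || {
    echo "refusing to bundle: $server does not chain to $root" >&2; return 1; }
  key_matches_cert "$server" "$key" || {
    echo "refusing to bundle: $key does not match $server" >&2; return 1; }
  cat "$server" "$intermediate" "$root" > completeServer.pem
  openssl pkcs12 -export -in completeServer.pem -inkey "$key" \
    -out "$out" -passout "file:$passfile"
}

# Count the certificates stored in a PKCS#12 file; a complete chain yields 3.
p12_cert_count() {
  p12=$1; passfile=$2
  openssl pkcs12 -in "$p12" -nokeys -passin "file:$passfile" | grep -c 'BEGIN CERTIFICATE'
}

# Create the Secret that serverCert in the TimesTenClassic object references.
# --from-file=password stores exactly the bytes of the password file, so write
# that file with printf '%s' (no trailing newline).
create_secret() {
  p12=$1; passfile=$2
  kubectl create secret generic tt-server-pfx-secret \
    --from-file=server="$p12" --from-file=password="$passfile"
}

# Typical use, with server.pem, intermediate.pem, root.pem and privkey.pem
# obtained from your CA:
#   printf '%s' 'a-long-random-password' > p12.pass && chmod 600 p12.pass
#   build_server_p12 server.pem intermediate.pem root.pem privkey.pem server.p12 p12.pass
#   p12_cert_count server.p12 p12.pass      # expect 3
#   create_secret server.p12 p12.pass
```

If verify_chain fails for a chain you believe is correct, the usual causes are an intermediate certificate that lacks basicConstraints CA:TRUE or a server certificate that was issued directly by the root; in both cases fix the certificates rather than bypassing the check.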
The TimesTen Operator then performs the steps necessary to configure TLS for client/server encryption. Note that the commands above pass the PKCS#12 password on the command line (-passout pass: and --from-literal), where it is visible in shell history and process listings, and that a Kubernetes Secret is only base64-encoded, so restrict access to it with RBAC and enable encryption at rest for Secrets. The cipher suite in the example, TLS_RSA_WITH_AES_128_GCM_SHA256, uses static RSA key exchange and therefore provides no forward secrecy; check which suites your TimesTen release and clients support before choosing one.