About Configuring the TimesTen Exporter and Prometheus with Client Certificate Authentication

To use the TimesTen Exporter and Prometheus with client certificate authentication, you must configure both the Exporter and Prometheus to require it.

To configure the Exporter, you must:
  • Create a self-signed certificate. The Exporter uses the server certificate to authenticate itself to clients and to authenticate client certificates. You use the ttExporter utility to create the self-signed certificate. The self-signed certificate must be created on the same host that the Exporter runs on. The self-signed certificate is stored in an Oracle Wallet in the directory of your choice. If you do not specify a directory, the Oracle Wallet is stored in the user's home ($HOME) directory. TimesTen recommends that you do not store the certificate information in the user's $HOME directory.

  • Export the server certificate. You use the ttExporter utility to export the server certificate in PEM format to a file. This file is used by Prometheus for client certificate authentication.

  • Create and export both a client certificate and a client private key. You use the ttExporter utility to create and export a client certificate to one file and to create and export a client private key to a second file. You must create and export a client certificate and a client private key for each Prometheus instance that scrapes metrics from the Exporter. The client certificate file and the client private key file are used by Prometheus for client certificate authentication.

See ttExporter in the Oracle TimesTen In-Memory Database Reference for details on the ttExporter utility.

After you create and export the server certificate, the client certificate, and the client private key, you must configure Prometheus to require client certificate authentication for the Exporter.

Prometheus provides a sample configuration in a file called prometheus.yml. This file is available when you download Prometheus. There are two sections (blocks) that you need to modify. The tls_config block is used for configuring client certificate authentication. The scrape_configs block is used to set the remaining parameters necessary for Prometheus to securely scrape metrics from the Exporter.

Specifically, you must modify these settings in the tls_config block:
  • ca_file: This is the server certificate file that is required by Prometheus for client certificate authentication. Recall that after using the TimesTen ttExporter utility to create the server certificate, you then use the ttExporter utility again to export this server certificate to a file. It is this file that you supply for the Prometheus ca_file parameter.

  • cert_file: This is the client certificate file that is required by Prometheus for client certificate authentication. Recall that you use the TimesTen ttExporter utility to create and export the client certificate to a file. It is this file that you supply for the Prometheus cert_file parameter.

  • key_file: This is the client private key file that is required by Prometheus for client certificate authentication. Recall that you use the TimesTen ttExporter utility to create and export the client private key to a file. It is this file that you supply for the Prometheus key_file parameter.

In addition, you must modify these general settings in the scrape_configs block:
  • job_name: This is the job name that you assign to scrape the metrics from the Exporter. You can specify any name for job_name.

  • metrics_path: This is the HTTPS resource path from which Prometheus fetches the TimesTen metrics from the Exporter. The Exporter uses the /metrics HTTPS resource path. This is also the Prometheus default HTTPS resource path. Therefore, you do not have to set the metrics_path parameter. If not set, Prometheus uses the default /metrics for the HTTPS resource path.

  • scheme: This is the protocol scheme used for requests. The HTTPS protocol is used when you configure the Exporter and Prometheus to require client certificate authentication. You must set the scheme parameter to https.

  • static_configs block: This block contains the targets parameter. For the targets parameter, you specify the host that the Exporter runs on and the port number that the Exporter listens on. The naming convention is host:portnumber. For example, if the Exporter runs on the myhost host and listens on the 12345 port number, then you set the targets parameter to myhost:12345.
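
The settings above assembled into one scrape job, as an added example that is not taken from the TimesTen documentation. It shows tls_config nested inside the job entry under scrape_configs, which is where Prometheus reads it for that job. The job name and the file paths under /etc/prometheus/tls/ are placeholders; myhost:12345 is the sample target used on this page.

```yaml
# Added example. Placeholders: job name and every path under /etc/prometheus/tls/.
scrape_configs:
  - job_name: timesten_exporter   # any name
    scheme: https                 # required for client certificate authentication
    metrics_path: /metrics        # optional: already the Prometheus default
    tls_config:
      # Server certificate exported with ttExporter.
      # Prometheus uses it to verify the certificate the Exporter presents.
      ca_file: /etc/prometheus/tls/timesten-server.crt
      # Client certificate and private key exported with ttExporter
      # for this Prometheus instance; the Exporter verifies them.
      cert_file: /etc/prometheus/tls/timesten-client.crt
      # Keep the key readable only by the account Prometheus runs as.
      key_file: /etc/prometheus/tls/timesten-client.key
      # insecure_skip_verify defaults to false. Leave it unset so that
      # the Exporter's certificate is always checked against ca_file.
    static_configs:
      - targets:
          - myhost:12345          # host:portnumber, same port as ttExporter -port
```

Each additional Prometheus instance that scrapes the Exporter gets its own cert_file and key_file pair. Running promtool check config prometheus.yml before starting Prometheus catches syntax errors in the job.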

After you modify the Prometheus configuration file, the next step is to start the Exporter. You use the TimesTen ttExporter utility with the -port p option to start the Exporter (where p is the port number that the Exporter listens on). This port number must match the port number you specify in the Prometheus configuration file. (Specifically, in the Prometheus configuration file, the port number is the port number you supply to the targets parameter of the static_configs block.)

Once you start the Exporter, it continues to run until you stop it with a signal such as SIGINT or SIGTERM. You can also have ttExporter write its process ID into a file when you start the Exporter. You use the ttExporter utility with the -pid-file pidfilename option to accomplish this. You can then stop the Exporter by terminating the ttExporter process whose ID was stored in the pidfilename file.

See Configuring the TimesTen Exporter and Prometheus with Client Certificate Authentication for a complete example illustrating how to configure the Exporter and Prometheus to have Prometheus securely scrape TimesTen metrics from the Exporter.

See https://prometheus.io/docs/prometheus/latest/configuration/configuration/ and https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config for more information on the Prometheus configuration file.