Cache Group Users

There are required users when using cache.

Required Users for Cache

To use cache, you must create administration and schema users on both the Oracle and TimesTen databases.

To use cache, you must have the following users on the Oracle Database:

  • Create an Oracle cache administration user who creates, owns, and maintains Oracle Database objects that store information used to manage the cache environment for a TimesTen database and enforce predefined behaviors of particular cache group types.

  • Identify one or more schema users who own the Oracle Database tables to be cached in a TimesTen database.

To use cache, you must create the following users on the TimesTen database:

  • A TimesTen cache administration user who performs cache group operations. The TimesTen cache administration user must have the same user name as the Oracle cache administration user created for cache who can access the cached Oracle Database tables. The password of the TimesTen cache administration user can be different from the password of the companion Oracle cache administration user.

  • One or more cache table users who own the cache tables. You must create a TimesTen cache table user with the same user name as each Oracle Database schema user who owns Oracle Database tables to be cached in the TimesTen database. The password of a cache table user can be different from the password of the Oracle Database schema user with the same name.

    The owner and name of a TimesTen cache table is the same as the owner and name of the corresponding cached Oracle Database table.

Providing Both Cache Administration Users and Passwords

If you are running a request that does not require access to the Oracle database, you can proceed without needing to provide credentials for the Oracle database. That is, you can connect with only the user name and password for connecting to the TimesTen database. However, when you want to perform an action that requires connecting to the Oracle database, then you must provide the appropriate credentials to be able to connect to both the TimesTen and Oracle databases.

You first create or change a cache administration user and its password through CREATE USER or ALTER USER SQL statements. See Creating or Identifying a Database User.

Once the cache administration users are created with their respective passwords, these credentials need to be provided with one of the following methods.

Providing the Cache Administration User Names and Passwords in an Oracle Wallet

The most secure method to provide credentials when connecting is to store a user's password in an Oracle Wallet. When connecting, you provide the user name and wallet to supply credentials for the connection. Supplying the user name identifies which user's password to retrieve from within the wallet.

You can store existing credentials for both the cache user and the cache administration user and their associated passwords within an Oracle Wallet using the ttUser utility.

  • For the cache user, you can add this user's password to a wallet in the same manner as a TimesTen user as described in Providing a User Name and Password in an Oracle Wallet.

  • To connect as the cache administration users, you must provide the passwords for both the TimesTen cache administration user and the Oracle cache administration user.

See Providing a User Name and Password in an Oracle Wallet for full details on how to store credentials in an Oracle Wallet. This section describes the process to add both cache administration user passwords to an Oracle Wallet.

You can add the cache administration users' passwords to a wallet used by other users, such as a wallet that contains all credentials for those connecting to a DSN. Alternatively, you could create a wallet only for the cache administration users.

Use the ttUser -setPwd command to store the password for the TimesTen cache administration user. Use the ttUser -setOraclePwd command to store the password for the Oracle cache administration user.

The following example shows how to use the ttUser utility to add both cache administration users to an Oracle Wallet in the /wallets/cacheadminwallet directory.

  1. If it does not already exist, make a directory for your wallet. This example uses /wallets as the directory for the wallet.

    % mkdir /wallets

  2. Run the ttUser -setPwd command to store the TimesTen cache administration user credentials. Provide a subdirectory name that identifies the wallet (since you cannot change the name of an Oracle Wallet). This example provides cacheadminwallet as the subdirectory name for the wallet. If the cacheadminwallet directory does not exist, then the ttUser utility creates the cacheadminwallet subdirectory and then creates the Oracle Wallet in the /wallets/cacheadminwallet directory. The ttUser utility prompts for the password for the TimesTen cache administration user cacheadmin, which is added to the wallet.

    % ttUser -setPwd -wallet /wallets/cacheadminwallet -uid cacheadmin
    Enter password: 

  3. Run the ttUser -setOraclePwd command to store the Oracle cache administration user credentials. The ttUser utility prompts for the password for the Oracle cache administration user cacheadmin, which is added to the wallet in /wallets/cacheadminwallet.

    % ttUser -setOraclePwd -wallet /wallets/cacheadminwallet -uid cacheadmin
    Enter password: 

See ttUser in the Oracle TimesTen In-Memory Database Reference.

When it's time to authenticate the cache administration users when connecting to a database, provide the name of the cache administration user and the location of the corresponding wallet with the UID and PwdWallet connection attributes. The UID connection attribute specifies which user to authenticate using the PwdWallet provided.

connect "dsn=mydb;uid=cacheadmin;PwdWallet=/wallets/cacheadminwallet";

Providing Cache Administration User Name and Passwords in Connection Attributes

General connection attributes are set by each connection and exist for the duration of the connection. Each concurrent connection can have different values. You can provide both cache administration user names and passwords with the UID, PWD and OraclePWD general connection attributes.

Once you have created both cache administration users and associated passwords, you can specify them on a connection string with the UID, PWD, and OraclePWD connection attributes when connecting to the database.

TimesTen uses the following order of precedence when locating the user name and password for connection authentication:

The UID, PWD and OraclePWD connection attributes are as follows:

  • UID: In this case, specifies the cache administration user name to be used for the connection to the database.

  • PWD: In this case, specifies the password for the TimesTen cache administration user.

  • OraclePWD: Specifies the password for the Oracle cache administration user.

    Note:

    For more information on the UID, PWD and OraclePWD general connection attributes, see UID and PWD in the Oracle TimesTen In-Memory Database Reference. See Authentication in TimesTen in the Oracle TimesTen In-Memory Database Security Guide.

The following example is a connection request to database1 that provides the cache administration user name as cacheadmin, the TimesTen cache administration user password as ttpwd, and the Oracle cache administration user password as orapwd.

% ttIsql "DSN=database1;UID=cacheadmin;PWD=ttpwd;OraclePWD=orapwd"

Providing Cache Administration User Name and Passwords in a Client DSN

You can provide both cache administration user names and passwords in the client DSN.

On Windows, you specify connection attributes in the Oracle TimesTen Client DSN Setup dialog. In this dialog, you can specify the User ID and Password connection attributes. However, the OraclePWD connection attribute can only be specified on the connection string. See Creating a Client DSN on Windows in the Oracle TimesTen In-Memory Database Operations Guide.

On Linux and UNIX, you specify connection attributes in the odbc.ini file. In the client DSN in the odbc.ini file, you can specify the UID, PWD and OraclePWD connection attributes.

The following is the syntax for the client DSN in the odbc.ini file:

[ODBC Data Sources]
Client_DSN=TimesTen 22.1 Client Driver

See Creating a DSN on Linux and UNIX for TimesTen Classic in the Oracle TimesTen In-Memory Database Operations Guide.
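The following added example (not part of the Oracle documentation) audits connection strings and odbc.ini stanzas for the inline PWD and OraclePWD attributes described in the two preceding sections, distinguishes them from the PwdWallet method, and masks passwords before a connection string is logged. The function names and the sample odbc.ini stanza are constructed for illustration, and matching attribute names case-insensitively is an assumption based on this page's mixed-case examples.

```python
import configparser
import re

# Attribute names come from this page. Case-insensitive matching is an
# assumption based on the page's own examples (uid= and UID=).
SECRET_ATTRS = {"pwd", "oraclepwd"}

# Constructed sample, not a real configuration.
SAMPLE_ODBC_INI = """
[ODBC Data Sources]
Client_DSN=TimesTen 22.1 Client Driver

[Client_DSN]
UID=cacheadmin
PWD=ttpwd
OraclePWD=orapwd
"""

def parse_conn_string(conn):
    """Split 'k=v;k=v' into a dict keyed by lower-cased attribute name."""
    attrs = {}
    for part in conn.strip().strip('"').split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
    return attrs

def classify(attrs):
    """Return (method, inline password attribute names) for one connection."""
    inline = sorted(k for k in SECRET_ATTRS if attrs.get(k))
    if inline:
        return "inline-password", inline
    if attrs.get("pwdwallet"):
        return "wallet", []
    return "no-credentials", []

def redact(conn):
    """Mask PWD and OraclePWD values so the string can be written to a log."""
    return re.sub(r'(?i)\b(pwd|oraclepwd)\s*=\s*[^;"]*', r"\1=***", conn)

def audit_odbc_ini(text):
    """Map each odbc.ini stanza to the password attributes it stores in clear."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    hits = {name: classify(dict(cp[name]))[1] for name in cp.sections()}
    return {name: attrs for name, attrs in hits.items() if attrs}

if __name__ == "__main__":
    print(audit_odbc_ini(SAMPLE_ODBC_INI))
```

Stanzas or connection strings that the audit reports as "inline-password" are candidates for moving to the ttUser wallet procedure shown earlier on this page.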

Registering the Oracle Database Administration User and Password

One of the prerequisites to setting up your cache environment is registering the Oracle cache administration user and password in TimesTen. TimesTen uses these credentials to connect to the Oracle database.

TimesTen performs some cache operations for you. For TimesTen to connect to the Oracle database successfully to perform these cache operations, it needs to have the Oracle cache administration user and password credentials registered internally. You register them by running either the ttCacheUidPwdSet built-in procedure in TimesTen Classic or ttGridAdmin dbCacheCredentialSet in TimesTen Scaleout. By default, the Oracle cache administration user and password are stored in memory. You can specify that the Oracle cache administration user and password are saved in a system-managed Oracle Wallet (preferred) by setting CacheAdminWallet=1 in the DSN as a first connection attribute. Once the Oracle cache administration user and password are registered (either in memory or in a system-managed wallet), TimesTen uses the credentials to connect to the backend Oracle database for cache operations.

See CacheAdminWallet in the Oracle TimesTen In-Memory Database Reference.

This section discusses how to do this in TimesTen Classic and TimesTen Scaleout.

Registering the Oracle Cache Administration User and Password in TimesTen Classic

You can register with TimesTen Classic the Oracle cache administration user name and password.

  1. Ensure that the CacheAdminWallet first connection attribute is set to 1.
  2. Start the ttIsql utility and connect to the cache1 DSN (for example) as the TimesTen cache administration user. Provide the cache administration user name and passwords when connecting using one of the methods detailed in Providing Both Cache Administration Users and Passwords.

    % ttIsql "DSN=cache1;UID=cacheadmin;PwdWallet=/wallets/cacheadminwallet"

  3. Use the ttCacheUidPwdSet built-in procedure (only once) to register with the TimesTen database the Oracle cache administration user name and password used in the Oracle database. Since CacheAdminWallet=1, the Oracle cache administration user name and password are stored in a system-managed Oracle Wallet.

    The Oracle cache administration user name is cacheadmin and its password is orapwd.

    Command> call ttCacheUidPwdSet('cacheadmin','orapwd');

Note:

You can run the ttCacheUidPwdSet built-in procedure over a client/server connection only when TLS is used. The password is only encrypted when sent over a TLS connection.

See Setting Up the Oracle Database and TimesTen Classic Systems and Setting Up a Caching Infrastructure in Oracle TimesTen In-Memory Database Cache Guide.

See Privileges for Cache Groups.

Note:

Alternatively, you can use ttAdmin to set the Oracle cache administration user ID and password. See Set Cache Policies in Oracle TimesTen In-Memory Database Reference. For example:

% ttAdmin -cacheUidPwdSet -cacheUid cacheadmin -cachePwd orapwd database1

You can use the ttCacheUidPwdSet built-in procedure to later change the Oracle cache administration password at any time, or change the Oracle cache administration user name (and optionally the password as well) as long as there are no existing cache groups.

Registering the Cache Administration User Password in TimesTen Scaleout

In TimesTen Scaleout, use the ttGridAdmin dbCacheCredentialSet command on the active management instance to register the Oracle cache administration user name and password with TimesTen Scaleout.

  1. Ensure that the CacheAdminWallet connection attribute is set to 1. See Create a Database Definition in the Oracle TimesTen In-Memory Database Scaleout User's Guide.

  2. Use the ttGridAdmin dbCacheCredentialSet command (only once) to register with the TimesTen database the Oracle cache administration user name and password used in the Oracle database. Since CacheAdminWallet=1, the Oracle cache administration user name and password are stored in a system-managed Oracle Wallet.

    The following example specifies database1 as the TimesTen database. The ttGridAdmin dbCacheCredentialSet command prompts for the user name and password. The Oracle cache administration user name is cacheadmin.

    % ttGridAdmin dbCacheCredentialSet database1
    Enter your Oracle user id: cacheadmin 
    Enter Oracle password: 
    Password accepted 
    Configuring cache.....................................................OK 

See Set the Cache Administration User Name and Password in the TimesTen Database in Oracle TimesTen In-Memory Database Scaleout User's Guide and Set Credentials (dbCacheCredentialSet) in Oracle TimesTen In-Memory Database Reference.

Note:

  • You can also use dbCacheCredentialSet to later change the Oracle cache administration password at any time, or change the Oracle cache administration user name (and optionally the password as well) as long as there are no existing cache groups.
  • When the active management instance of the grid is created, the ttGridAdmin gridCreate -walletDir option specifies the path to the directory where the server-managed Oracle Wallets with cryptographic information will be stored. This cryptographic information includes the Oracle cache administration user, client/server, and membership service credentials. The default is timesten_home/info. Wallets for multiple instances can be stored in the same directory, which can be shared between the instances, such as through NFS. This enables a user to pass the cache credentials securely around the grid. See Secure Network Communication in TimesTen.
  • The ttGridAdmin modelApply command sends new wallets to all new instances.
  • The ttGridAdmin dbDistribute command sets the Oracle cache administration user ID and password whenever a new instance is added to the distribution map of the database.
  • If you plan to use ttGridAdmin dbImport with any cache groups being imported into the database, dbCacheCredentialSet must be executed prior to dbImport. You can use the dbImport -dbCacheCredentialCheck option, before you start the import, to confirm this.