ttCreateCerts

Use ttCreateCerts manually for client/server when you have multiple databases and want different certificates for each one or when you want certificates for both client/server and replication.

TimesTen uses ttCreateCerts when it generates certificates for client/server or replication during creation of a TimesTen instance (for TimesTen Classic), or when it generates certificates for client/server during creation of a grid (for TimesTen Scaleout); however, as explained before, there are also situations where it is appropriate to run ttCreateCerts manually.

This utility is located in the bin directory of a TimesTen instance. To avoid having to specify the full path, set TIMESTEN_HOME before you run ttCreateCerts. You can accomplish this by sourcing the ttenv.sh or ttenv.csh script from the instance bin directory.

The utility creates three Oracle Wallets: rootWallet (which you can ignore), clientWallet, and serverWallet.

Note:

You must have Java JDK or JRE version 1.8 or higher on your system to use ttCreateCerts. The utility searches for it according to the JRE_HOME, JAVA_HOME, and PATH settings.

Required Privilege

This utility requires no privileges; however, depending on the specified options, it may write files in directories that need the instance administrator privilege.

Usage in TimesTen Scaleout and TimesTen Classic

This utility is supported in both TimesTen Classic and TimesTen Scaleout.

Syntax

% ttCreateCerts -h
usage: ttCreateCerts [-dir WALLETDIR] [options...]
       ttCreateCerts [-h | -help]
       ttCreateCerts [-V | -version]
options:
  -f | -force
  -verbose
  -validity DAYS | -valid_from mm/dd/yyyy -valid_until mm/dd/yyyy
  -dryrun
  -sign_alg ALGORITHM (ecdsasha256 ecdsasha384 ecdsasha512)
  -eccurve TYPE  (p256 p384 p521)

Options

ttCreateCerts has the following input and options:

-dir WALLETDIR
    Specifies a directory where the wallets are placed, as an absolute path.
    The specified directory must already exist and cannot already contain wallets produced by ttCreateCerts, unless you use the -force option. The default is timesten_home/conf.

-h | -help
    Shows help (the syntax shown above).

-V | -version
    Displays the TimesTen release number.

-f | -force
    Overwrites any previous wallets in the specified directory.

-verbose
    Shows additional output from execution of the utility.

-validity DAYS
    One of two ways to specify the lifetime of the wallets that are created, expressed as a number of days from creation.
    The default is 3650 days, which can be overridden by setting either -validity or -valid_from and -valid_until.

-valid_from mm/dd/yyyy -valid_until mm/dd/yyyy
    The other way to specify the lifetime of the wallets that are created, expressed as a start date and an end date in mm/dd/yyyy format.

-dryrun
    Echoes all the commands that ttCreateCerts would execute to create the certificates as you specified, without executing them.
    For options you do not set, you can use this to confirm the default values.

-sign_alg ALGORITHM
    Specifies the elliptic curve signing algorithm.
    Supported algorithms are ecdsasha256, ecdsasha384 (default), and ecdsasha512.

-eccurve TYPE
    Specifies the size of the elliptic curve.
    Supported values are p256, p384 (default), and p521.

The ttCreateCerts utility also has a -run option that allows you to run commands of the Oracle orapki utility to manage Public Key Infrastructure (PKI) elements. Place the orapki command in quotes, such as in this example:

% ttCreateCerts -run "wallet create -wallet serverWallet -auto_login_only"

For more information on using certificates signed by a certificate authority, see Create the Server Wallet and Create the Client Wallet in Oracle TimesTen In-Memory Database Security Guide.

For information about orapki, see Managing Public Key Infrastructure (PKI) Elements in Oracle Database Security Guide.

Examples

This section provides ttCreateCerts examples that place the wallets in a wallets subdirectory under timesten_home/conf, where timesten_home is the full path to the TimesTen instance home directory.

The following example includes verbose output. (Without the -verbose option, only the last line is shown.)

% ttCreateCerts -verbose -dir timesten_home/conf/wallets
Requested Certificates:
User Certificates:
Subject:        CN=server1,C=US
Trusted Certificates:
Subject:        CN=ecRoot,C=US
Requested Certificates:
User Certificates:
Subject:        CN=client1,C=US
Trusted Certificates:
Subject:        CN=ecRoot,C=US
ttCreateCerts : certificates created in timesten_home/conf/wallets

Here are the results. You can ignore all but clientWallet and serverWallet.

% ls timesten_home/conf/wallets
client1.cert  clientWallet  root.cert  rootWallet  server1.cert  serverWallet
% ls timesten_home/conf/wallets/clientWallet
cwallet.sso
% ls timesten_home/conf/wallets/serverWallet
cwallet.sso

The next example is a dry run. No certificates are created (despite the last line). This shows only a snippet of the output:

% ttCreateCerts -dir timesten_home/conf/wallets -dryrun
...
+ /bin/java -Djava.security.egd=file:///dev/./urandom -Xms64m -Xmx512m -cp 
/scratch/classic221110/instances/tt221/install/lib/cryptoj_5_0.jar:
/scratch/classic221110/instances/tt221/install/lib/oraclepki.jar:
/scratch/classic221110/instances/tt221/install/lib/osdt_cert.jar:
/scratch/classic221110/instances/tt221/install/lib/osdt_core.jar 
oracle.security.pki.textui.OraclePKITextUI wallet add -wallet rootWallet -dn 
CN=ecRoot,C=US -sign_alg ecdsasha384 -self_signed -asym_alg ECC -eccurve p384 
-jsafe -validity 3650 -auto_login_only -nologo
...
ttCreateCerts : certificates created in timesten_home/conf/wallets

From this, you can see that the default settings are -sign_alg ecdsasha384, -eccurve p384, and -validity 3650 (days).

Here is another example that sets the signing algorithm and the size of the elliptic curve:

% ttCreateCerts -dir timesten_home/conf/wallets -sign_alg ecdsasha256 
-eccurve p256
ttCreateCerts : certificates created in timesten_home/conf/wallets

This example specifies that the certificates will expire one year from when they were created:

% ttCreateCerts -dir timesten_home/conf/wallets -validity 365
ttCreateCerts : certificates created in timesten_home/conf/wallets

Or, equivalently:

% ttCreateCerts -dir timesten_home/conf/wallets -valid_from 10/28/2022 
-valid_until 10/28/2023
ttCreateCerts : certificates created in timesten_home/conf/wallets

The next example tries to create wallets in a location where wallets already exist:

% ttCreateCerts -dir timesten_home/conf/wallets
ttCreateCerts: rootWallet is not empty, use -force to overwrite

This example tries again, using the -force option:

% ttCreateCerts -dir timesten_home/conf/wallets -f
ttCreateCerts : certificates created in timesten_home/conf/wallets

Recall the resulting wallets:

% ls -F timesten_home/conf/wallets
client1.cert   root.cert    server1.cert
clientWallet/  rootWallet/  serverWallet/
% ls timesten_home/conf/wallets/clientWallet
cwallet.sso
% ls timesten_home/conf/wallets/serverWallet
cwallet.sso

Copy the clientWallet directory, which includes the root certificate, to the desired location. This is preferably the same location on each client instance.

% mkdir timesten_home/conf/wallets
[...Copy clientWallet from the server...]
% cd timesten_home/conf/wallets
% ls
clientWallet
% ls clientWallet
cwallet.sso

Note:

Note and preserve the file and directory permissions of the wallet.
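Added example (not from the TimesTen documentation): POSIX shell helpers around the procedure above. They check a -dir target for leftover wallets before a run (the condition that makes ttCreateCerts ask for -force, useful when you keep one wallet directory per database), and copy clientWallet with its permissions preserved, then verify that cwallet.sso is not group- or world-readable. The function names and the permission policy are assumptions; ttCreateCerts itself is only referenced in a comment, so the helpers run without a TimesTen instance.

```shell
#!/bin/sh
# Added example, not part of the TimesTen documentation.
# TIMESTEN_HOME is assumed to be set (source ttenv.sh from the instance bin
# directory first) when the commented ttCreateCerts invocation is used.

# Returns 0 if DIR is usable as a ttCreateCerts -dir target: it must exist
# and must not already hold wallets from an earlier run unless FORCE=1,
# mirroring the "rootWallet is not empty, use -force to overwrite" refusal.
wallet_dir_ready() {
    dir=$1; force=${2:-0}
    [ -d "$dir" ] || { echo "$dir does not exist" >&2; return 1; }
    for w in rootWallet clientWallet serverWallet; do
        if [ -e "$dir/$w" ] && [ "$force" != 1 ]; then
            echo "$dir/$w already exists; rerun with -force to overwrite" >&2
            return 1
        fi
    done
    return 0
}

# Returns 0 when WALLET/cwallet.sso exists and its mode has no group/other
# bits (e.g. 600 or 400). stat -c is GNU; stat -f %Lp is the BSD fallback.
client_wallet_secure() {
    sso=$1/cwallet.sso
    [ -f "$sso" ] || { echo "$sso missing" >&2; return 1; }
    mode=$(stat -c %a "$sso" 2>/dev/null || stat -f %Lp "$sso")
    case $mode in
        ?00) return 0 ;;
        *) echo "$sso has mode $mode; group/other bits must be clear" >&2
           return 1 ;;
    esac
}

# Copies SRC/clientWallet into DST preserving modes and timestamps (cp -p),
# then verifies the copied auto-login wallet kept a private mode.
copy_client_wallet() {
    src=$1; dst=$2
    mkdir -p "$dst" || return 1
    cp -pR "$src/clientWallet" "$dst/" || return 1
    client_wallet_secure "$dst/clientWallet"
}

# Usage (one wallet directory per database, as the text suggests):
#   d=$TIMESTEN_HOME/conf/wallets/db1
#   wallet_dir_ready "$d" && ttCreateCerts -dir "$d"
#   copy_client_wallet "$d" /path/on/client/conf/wallets
```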