JWT Manual Key Rotation (Configuration of Static JSON Web Key) | Teradata Vantage Advanced SQL Engine 17.10 | Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

To manually configure keys:

  1. Make a backup copy of /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml and save it according to your site standard backup procedures.
  2. Edit TdgssUserConfigFile.xml and uncomment the IdentityProvider element. Edit it so that it is similar to the following, substituting your site information:
     <Mechanism Name="JWT">
         <MechanismProperties
             MechanismEnabled="yes"
             DefaultMechanism="no"
             JWTDecryptionKeyFile=""
             JWTVerificationKeyFile=""
             JWTSkewTime="300"
             JWTKeyDirectory="/opt/teradata/tdat/tdgss/site/JWTKeyDir"
             .../>
         <IdentityProvider
             Id="Keycloak2"
             Url="https://Customer_IdP_URL"
             Type="keycloak"
         />
     </Mechanism>

  3. Use the getjwk tool to add the JWK file to the directory specified in JWTKeyDirectory.

    getjwk fetches the JWK file from the identity provider and saves it in the specified directory. For example, run:

    /opt/teradata/tdgss/bin/getjwk -d /opt/teradata/tdat/tdgss/site/JWTKeyDir -i Keycloak2 -u http://sdw01827.labs.teradata.com:8080/auth/realms/TGTE

    The key set fetched here becomes the trust anchor for every JWT logon, so use an https URL for the identity provider wherever possible (the example above uses plain http against a lab host). A key set fetched without TLS can be replaced in transit by anyone on the network path, which would let the attacker mint tokens the database accepts.

    getjwk options are as follows:

    Option              Description
    -h, --help          Displays help information for the command.
    -d, --dir           Required. Absolute path of the directory in which to store the JWK file. The path must match the JWTKeyDirectory value in the configuration file.
    -i, --idp-id        Id of the identity provider, as configured in the IdentityProvider section.
    -u, --idp-url       Identity provider URL used for service discovery.
    -m, --max-timeout   Maximum time in seconds that the operation is allowed to take. Default value is 900.
    -v, --verbose       Displays detailed output.

    Note: The CA certificate path is taken from the location specified by the JWTClientTlsCACertDir property. If JWTClientTlsCACertDir is not defined, the default location /etc/ssl/certs is used.

    Result: After a successful execution there are two files in the directory specified by the -d option.

  4. Verify that the configuration is correct:
    1. Run tdgsstestcfg to verify the new configuration. It launches a test environment in a new shell that contains the updates to the configuration file:
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Test the configuration with the tdgssauth tool:
      tdgssauth -m JWT -a token=JWT_from_IdP

      Where JWT_from_IdP is a token issued by the IdP you configured in TdgssUserConfigFile.xml. Use a token signed under the newly fetched key, so that the test exercises the new key rather than the one you are about to retire.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  5. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig
  6. If run_tdgssconfig indicates that a TPA reset is required, run tpareset to activate the changes to the TDGSS configuration:
    tpareset -f "use updated TDGSSCONFIG GDO"
  7. Remove the old key from the directory. Do this only after the new configuration is active and tokens signed with the new key verify; tokens still in circulation that were signed with the old key will be rejected once its file is gone.
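As an added example (not part of the Teradata documentation and not Teradata's tooling), the following Python script shows the check a practitioner would run between step 4 and step 7: compare the previously saved JWK set with the newly fetched one, confirm that the new set contains only public signing keys that each carry a kid, and confirm that the kid named in the header of a token currently issued by the IdP is present in the new set before the old key is removed. The key sets, the token and the file-name arguments are constructed here; this page does not name the two files that getjwk writes, so the script takes paths on the command line instead of assuming names.

```python
import base64
import json
import sys
from typing import Optional

# JWK members that only appear in private keys (RFC 7517 / RFC 7518). A key
# set used for signature verification must never contain any of them.
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
ALLOWED_KTY = {"RSA", "EC", "OKP"}


def b64url_decode(data):
    """Decode unpadded base64url, the encoding of every JWT segment."""
    data += "=" * (-len(data) % 4)
    return base64.urlsafe_b64decode(data.encode("ascii"))


def token_kid(token):
    """Return the kid from a compact JWT header. No signature check is done;
    this only reads which key the token claims to be signed with."""
    header = json.loads(b64url_decode(token.split(".")[0]))
    return header.get("kid")


def check_jwks(jwks):
    """Return a list of problems in a JWK set intended for verification."""
    problems = []
    keys = jwks.get("keys")
    if not isinstance(keys, list) or not keys:
        return ["JWK set has no 'keys' array"]
    seen = set()
    for i, key in enumerate(keys):
        kid = key.get("kid")
        if not kid:
            problems.append("key #%d has no kid" % i)
        elif kid in seen:
            problems.append("duplicate kid %r" % kid)
        seen.add(kid)
        if key.get("kty") not in ALLOWED_KTY:
            problems.append("key %r: unsupported kty %r" % (kid, key.get("kty")))
        leaked = PRIVATE_MEMBERS & set(key)
        if leaked:
            problems.append("key %r: private members present %s" % (kid, sorted(leaked)))
        if key.get("use") == "enc":
            problems.append("key %r: use=enc key in a verification set" % kid)
    return problems


def kids(jwks):
    return {k["kid"] for k in jwks.get("keys", []) if k.get("kid")}


def rotation_diff(old, new):
    """Which kids were added, removed and kept between two fetches."""
    o, n = kids(old), kids(new)
    return {"added": n - o, "removed": o - n, "kept": o & n}


def safe_to_drop_old(old, new, live_tokens):
    """True when the new set is clean and every kid referenced by a currently
    issued token exists in it; only then can the old key file be removed
    without rejecting tokens still inside their validity window."""
    needed = {token_kid(t) for t in live_tokens}
    return not check_jwks(new) and needed <= kids(new)


# --- constructed sample data: placeholder key material, not from any IdP ---
def rsa_pub_sample(kid):
    return {"kty": "RSA", "kid": kid, "use": "sig", "alg": "RS256",
            "n": "sample-modulus", "e": "AQAB"}


OLD_JWKS = {"keys": [rsa_pub_sample("2021-03-old")]}
NEW_JWKS = {"keys": [rsa_pub_sample("2021-03-old"), rsa_pub_sample("2021-07-new")]}


def make_unsigned_token(kid):
    """Build a JWT-shaped string for the sample; the signature segment is a
    placeholder, so this token is only good for reading its header."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([seg({"alg": "RS256", "kid": kid, "typ": "JWT"}),
                     seg({"iss": "https://Customer_IdP_URL", "sub": "dbuser"}),
                     "placeholder-signature"])


if __name__ == "__main__":
    # Usage: python jwks_rotation_check.py OLD.json NEW.json [TOKEN ...]
    if len(sys.argv) >= 3:
        with open(sys.argv[1]) as f:
            old = json.load(f)
        with open(sys.argv[2]) as f:
            new = json.load(f)
        tokens = sys.argv[3:]
    else:
        old, new, tokens = OLD_JWKS, NEW_JWKS, [make_unsigned_token("2021-07-new")]
    print("problems in new set:", check_jwks(new))
    print("rotation diff:", rotation_diff(old, new))
    print("safe to remove old key:", safe_to_drop_old(old, new, tokens))
```

Run it with the two key-set files as arguments and, as the remaining arguments, one or more tokens freshly obtained from the IdP; a False result means the IdP is still issuing tokens under a kid that the new set does not contain, and the old key file should stay in place until that changes.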