TLS Logging
Use the gtwcontrol trace option to turn on tracing for TLS:
gtwcontrol --TLS require,trace=all
The debug traces are logged to /var/opt/teradata/tdtemp/gtw/*.log .
Test the Signed Certificates and Private Keys on All Nodes
tlsutil -t
Test the Signed Certificates and Private Keys on All Nodes and Show Which Are Expiring within 30 Days
tlsutil -t -e 30
Check the Log File for Warnings about Expiring Certificates
Check /var/log/messages. For example, the following sample shows a TLS certificate that expires in 11 days.
INFO: Teradata: 6210 #Event number 34-06210-00 (severity 0, category 10), occurred on Thu Nov 5 13:44:25 2020 at 00 way, version PDE:17.10c.00.28,TDBMS:17.10c.00.28,PDEGPL:17.10c.00.28,TGTW:17.10c.00.47cert,TDGSS:17.10c.00.28 gtwTLSContext.cpp @290 (83900744): Thu Nov 5 13:44:25 2020 The TLS certificate will expire after 11 days.
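The check described above can be automated. The following script is an added example, not part of the Teradata documentation: it scans a /var/log/messages-style file for the gateway's "TLS certificate will expire after N days" message and reports whether the soonest expiry falls within a threshold. The log path and threshold are parameters; the sample line in the usage is constructed from the event shown above.

```shell
#!/bin/sh
# Added example (not Teradata's own tooling): find the nearest TLS certificate
# expiry reported by the gateway in a syslog-style file and compare it with a
# threshold in days. Assumes the message text matches the event shown above:
#   "The TLS certificate will expire after N days."

tls_expiry_days() {
  # $1 = log file. Prints the smallest "expire after N days" value found,
  # or prints nothing when no expiry warning is present.
  grep -o 'TLS certificate will expire after [0-9][0-9]* days' "$1" 2>/dev/null \
    | grep -o '[0-9][0-9]*' \
    | sort -n \
    | head -n 1
}

check_tls_expiry() {
  # $1 = log file, $2 = threshold in days.
  # Returns 0 when no certificate expires within the threshold, 1 otherwise.
  days=$(tls_expiry_days "$1")
  [ -z "$days" ] && return 0
  [ "$days" -gt "$2" ]
}

# Usage: sh check_tls_expiry.sh /var/log/messages 30
if [ "$#" -ge 2 ]; then
  if check_tls_expiry "$1" "$2"; then
    echo "OK: no TLS certificate expiring within $2 days in $1"
  else
    echo "WARNING: a TLS certificate expires in $(tls_expiry_days "$1") days (threshold $2)"
    exit 1
  fi
fi
```

The exit status makes the script usable from cron or a monitoring agent: a non-zero status means a certificate on that node needs renewal before the threshold, which complements the `tlsutil -t -e 30` check that inspects the certificate files directly.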
Test the Signed Certificates and Private Keys on a Single Database
tlsutil -t -l
Display Detailed Information to Help Diagnose Issues
tlsutil -c -v mydb.example.com
Use the Data Dictionary Views to Troubleshoot Issues
The data dictionary stores information about TLS connections.
For example: Query the client confidentiality type in DBC.SessionInfoV:
select clientconftype from dbc.sessioninfov;
The type is determined by the client and represents the connection between the client and the gateway or Unity:
Type | SSLMODE | Gateway Require Confidentiality | Client Data Encryption | Description |
---|---|---|---|---|
T | ALLOW or higher | ON or OFF | ON or OFF | TLS used for encryption. |
E | DISABLE or ALLOW | ON (either or both) | ON (either or both) | TLS was not attempted because SSLMode was DISABLE or ALLOW. Connection was made to a legacy port. TDGSS used for encryption, and the application does not have the option to change this during the session. |
U | DISABLE or ALLOW | OFF | OFF | TLS was not attempted. Unencrypted, and the application does not have the option to change this during the session. |
O | DISABLE or ALLOW | OFF | ON or OFF | TLS was not attempted because SSLMode was DISABLE or ALLOW. May be encrypted using TDGSS or unencrypted, and the application has the option of changing this at any time. This situation primarily refers to BTEQ, which lets the user turn encryption on and off during the session. Other drivers don’t permit this. |
F | ALLOW or PREFER | ON (either or both) | ON (either or both) | TLS was attempted, but the TLS handshake failed because of TLS version mismatch, cipher mismatch, or certificate problem. Connection was made to a legacy port. This is a fallback to using TDGSS for encryption. |
R | PREFER | ON (either or both) | ON (either or both) | SSLMODE was set to PREFER, but a legacy port socket connection was made. TDGSS is used for encryption. This situation occurs because the client was unable to connect to port 443 for reasons such as blocked by the firewall. |
S | PREFER | OFF | OFF | SSLMODE was set to PREFER, but a legacy port socket connection was made. Unencrypted. This situation occurs because the client was unable to connect to port 443 for reasons such as blocked by the firewall. |
For types E, F, and R, one or both of Gateway Require Confidentiality and Client Data Encryption are ON.
See LogOnOffV, QryLogClientAttrV, and SessionInfoV in Teradata Vantage™ - Data Dictionary.