17.10 - Troubleshooting TLS - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

TLS Logging

Use the gtwcontrol trace option to turn on tracing for TLS:

gtwcontrol --TLS require,trace=all

The debug traces are logged to /var/opt/teradata/tdtemp/gtw/*.log .

Test the Signed Certificates and Private Keys on all Nodes

tlsutil –t

Test the Signed Certificates and Private Keys on all Nodes and Show Which Are Expiring within 30 Days

tlsutil -t -e 30

Check the Log File for Warnings About Expiring Certificates

Check /var/log/messages. For example, the following sample shows the TLS certificate is expiring in 11 days.

INFO: Teradata: 6210 #Event number 34-06210-00 (severity 0, category 10), occurred on Thu Nov  5 13:44:25 2020 at 00
way, version PDE:17.10c.00.28,TDBMS:17.10c.00.28,PDEGPL:17.10c.00.28,TGTW:17.10c.00.47cert,TDGSS:17.10c.00.28
gtwTLSContext.cpp @290 (83900744): Thu Nov  5 13:44:25 2020
        The TLS certificate will expire after 11 days.

Test the Signed Certificates and Private Keys on a Single Database

tlsutil -t –l

Display Detailed Information to Help Diagnose Issues

tlsutil -c -v mydb.example.com

Display Detailed Information to Help Diagnose Issues

tlsutil -c -v mydb.example.com

Use the Data Dictionary Views to Troubleshoot Issues

The data dictionary stores information about TLS connections.

For example: Query the client confidentiality type in DBC.SessionInfoV:

select clientconftype from dbc.sessioninfov;

The type is determined by the client and represents the connection between client and the gateway or Unity:

Type SSLMODE Gateway Require Confidentiality Client Data Encryption Description
T ALLOW or higher ON or OFF ON or OFF TLS used for encryption.
E DISABLE or ALLOW ON (for Gateway Require Confidentiality) and/or ON (for Client Data Encryption)

TLS was not attempted because SSLMode was DISABLE or ALLOW. Connection was made to a legacy port. TDGSS used for encryption, and the application does not have the option to change this during the session.

U DISABLE or ALLOW OFF OFF TLS was not attempted. Unencrypted, and the application does not have the option to change this during the session.
O DISABLE or ALLOW OFF ON or OFF TLS was not attempted because SSLMode was DISABLE or ALLOW. May be encrypted using TDGSS or unencrypted, and the application has the option of changing this at any time. This situation primarily refers to BTEQ, which lets the user turn encryption on and off during the session. Other drivers don’t permit this.
F ALLOW or PREFER ON (for Gateway Require Confidentiality) and/or ON (for Client Data Encryption) TLS was attempted, but the TLS handshake failed because of TLS version mismatch, cipher mismatch, or certificate problem. Connection was made to a legacy port. This is a fallback to using TDGSS for encryption.
R PREFER ON (for Gateway Require Confidentiality) and/or ON (for Client Data Encryption) SSLMODE was set to PREFER, but a legacy port socket connection was made. TDGSS is used for encryption. This situation occurs because the client was unable to connect to port 443 for reasons such as blocked by the firewall.
S PREFER OFF OFF SSLMODE was set to PREFER, but a legacy port socket connection was made. Unencrypted. This situation occurs because the client was unable to connect to port 443 for reasons such as blocked by the firewall.

See LogOnOffV, QryLogClientAttrV, and SessionInfoV in Teradata Vantage™ - Data Dictionary.