17.10 - Initial Installation of Kerberos Keys for the First KDC - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

This procedure copies the Kerberos keys for the first KDC from the temporary location used in "Moving the Kerberos Keys to a Teradata Vantage System or Unity Server" to the permanent location (/etc/teradata.keytab) on a Teradata Vantage system or on a Unity server.

On a single-node Vantage system or a Unity server:

  1. Log on to the database node or Unity server:
    • From the database node console command prompt, log on as teradata or another user with permission to run utilities.
    • From the Unity server, log on as root.
  2. Copy the temporary keytab file from the temporary location shown in "Moving the Kerberos Keys to a Teradata Vantage System or Unity Server" to the permanent location chosen in "Determining the Kerberos Key Installation Directory", for example, the default permanent location:
    • cp /opt/teradata/tdat/tdgss/site/domain_name.sys_name.keytab /etc/teradata.keytab

      domain_name.sys_name is defined in "Generating the Key for the First Node or for a Unity Server".

      If you use a custom location, be sure to specify the custom location as the TeradataKeyTab property value for the KRB5 mechanism.
  3. Display a list of Kerberos keys to verify that all keys installed correctly:
    klist -ke /etc/teradata.keytab
  4. After verifying that all keys are installed correctly to the permanent location, delete the key file from the temporary location.
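
Steps 2 through 4 of the single-node procedure can be tied together so the temporary file is deleted only after the copy has been verified. The script below is an added example, not Teradata's own code; the install_keytab function and the KLIST override variable are hypothetical names introduced here, and the world-readable warning is an extra check this page does not require.

```sh
#!/bin/sh
# Added example: single-node keytab install with verify-before-delete.
# KLIST is a hypothetical override for this script (defaults to klist).
KLIST="${KLIST:-klist}"

# install_keytab SRC DST
# Returns 0 only if DST is a byte-identical copy of SRC and the key listing
# succeeds. SRC is deleted only in that case.
install_keytab() {
    src=$1
    dst=$2

    # Refuse a missing or empty source instead of overwriting DST with nothing.
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }

    # Step 2: copy to the permanent location.
    cp "$src" "$dst" || return 1

    # Confirm the copy is complete before trusting it.
    cmp -s "$src" "$dst" || { echo "copy differs from source" >&2; return 1; }

    # Step 3: list the keys (principal, key version, encryption type) for review.
    # A non-zero exit means the file could not be read as a keytab.
    "$KLIST" -ke "$dst" || { echo "key listing failed; keeping $src" >&2; return 1; }

    # A keytab holds long-term keys: flag a world-readable copy for review.
    if [ -n "$(find "$dst" -perm -004 2>/dev/null)" ]; then
        echo "warning: $dst is world-readable" >&2
    fi

    # Step 4: remove the temporary copy only after verification passed.
    rm -f "$src"
}

# Runs only when the script is given both paths, for example:
#   sh install_keytab.sh <temporary_location>/<keytab_file> /etc/teradata.keytab
if [ "$#" -eq 2 ]; then
    install_keytab "$1" "$2"
fi
```

A successful klist exit only shows that the file parses as a keytab; the listed principals and encryption types still need to be compared by eye against what was generated for the first KDC.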

For multi-node Teradata Vantage systems:

  1. From a database node console command prompt, log on to the Vantage node that has the temporary keytab file; log on as the user "teradata" or another user with permission to run utilities.
  2. Copy the generated keytab file from the temporary location to /etc.
  3. Distribute the keytab file to all nodes, using the pcl command. For example, send the file from the temporary location to /etc on the other nodes:
    pcl -send <temporary_location>/teradata.keytab /etc/teradata.keytab
    If you put the keytab file in a location other than /etc, be sure to specify the custom location as the TeradataKeyTab property value for the KRB5 mechanism.
  4. Display a list of Kerberos keys to verify that all keys installed correctly:
    pcl -s klist -ke /etc/teradata.keytab
  5. After verifying that all keys are installed correctly to the permanent location, delete the key file from the temporary location.