Coordinating Mechanism Property Values for Unity

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

In a Unity environment, the values of certain mechanism properties must maintain a required relationship between the TdgssUnityConfig.xml on the Unity server and the TdgssUserConfigFile.xml on connected Teradata Vantage systems. Allowable property configurations depend on whether you allow logons through both Unity and directly to connected database systems, and whether you want the same behavior for all logons.

Before configuring a property value, check the configuration requirements for the property.

Except for MechanismEnabled and DefaultMechanism, which apply to all mechanisms, mechanism properties need only be configured for the KRB5 and LDAP external authentication mechanisms, if used.

For information on Unity configuration, see Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523.

The following table defines the property configuration rules, but does not describe how to determine specific values. Properties appear in the table in approximately the order in which they appear in the mechanisms that contain them. Properties not shown in the table are not configurable.

Property / Configuration on Unity and Connected Database

  • AuthorizationSupported
  • MechanismEnabled
The values of these properties can vary by mechanism, but for a specific mechanism the value must be the same on Unity servers and all connected databases.
If clients connecting through Unity use the SPNEGO mechanism, you must copy SPNEGO from the TdgssLibraryConfigFile.xml to the TdgssUnityConfig.xml and set the MechanismEnabled property to yes on the Unity server. See Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523.

  • DefaultMechanism
The default mechanism on the Unity servers and connected database systems must match if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity.

  • DelegateCredentials
This property is not used for Unity, and is set to ‘no’ in the TdgssLibraryConfigFile.xml by default.
On systems that previously set this property to ‘yes’ in the TdgssUserConfigFile.xml for use with Teradata Query Director (discontinued), you should edit the value to ‘no’.

  • MutualAuthentication
Should be set to the same value on Unity servers and on all connected databases if the same authentication and authorization behavior is required for users logging on through Unity as for those logging on directly to the connected database systems.

  • VerifyDHKey
Editable only on the TD2 mechanism. Can be set differently on each database system and Unity server.

  • TeradataKeyTab
Specifies a location for the keytab file generated as part of setup for Kerberos authentication.
The location can vary among database systems and Unity servers.

  • UseLdapConfig
The UseLdapConfig property tells Teradata GSS to look in a separate <LdapConfig> section for certain LDAP property values. The LdapConfig section defines multiple directory services and configures a set of related mechanism properties for each service.
Should be set to the same value on Unity servers and on all connected databases if the same authentication and authorization behavior is required for users logging on through Unity as for those logging on directly to the connected database systems.

  • <LdapConfig> section
Among configuration files for Unity servers and connected database systems, each service within the <LdapConfig> section should have the same:
  • Service ID
  • LdapServerName name value
  • TLS properties and canonicalizations

  • LdapServerName
Identifies the authenticating LDAP directory or directories.
The value can be the same on Unity servers and on connected database systems if all authentication is done in the same directory.
In some cases, the value can be different on Unity servers than on connected database systems. For example, if users can log on either through Unity or directly to each connected database system, you can set the value differently for each configuration file to authenticate users in a directory local to the tdpid for the logon.

  • LdapSystemFQDN
  • LdapBaseFQDN
  • LdapGroupBaseFQDN
  • LdapUserBaseFQDN
The LdapSystemFQDN identifies the top-level system object in the directory that is the parent of the LDAP authorization structure.
If directory users can only log on through Unity, only the LdapSystemFQDN configured on Unity is in effect.
If directory users can log on either through Unity or directly to one or more of the Teradata Vantage systems managed by Unity:
  • The LdapSystemFQDN must also be configured on each database system, as well as on Unity.
  • For simplicity, the LdapSystemFQDN on all database systems and on Unity is normally configured with the same system object (and authorization structure). This is required if you configure IP restrictions.
If Unity and connected database systems all point to the same system object, then for LdapBaseFQDN, LdapGroupBaseFQDN, and LdapUserBaseFQDN, the property value on Unity and on connected database systems should be the same.

  • LdapServerRealm
  • LdapClientReferrals
  • LdapClientDeref
  • LdapClientRebindAuthorization
  • LdapClientUseTls
The value of each property in this group should be the same on Unity servers and all connected databases that use the same LdapServerName value.
If the LdapServerName value is different among database systems or between a system and a Unity server, the value of these properties can also be different.

  • LdapClientDebug
Can be set differently on Unity servers than on connected database systems.

  • LdapClientTlsRandFile
  • LdapClientRandomDevice
Identifies a system file or device that can generate a random number for use in certain LDAP processes.
The value of each property can be different on Unity servers and connected Vantage systems.

  • LdapClientMechanism
The value of this property must match between Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity.

  • LdapClientTlsCaCert
  • LdapClientTlsCaCertDir
The location of the certificate can be different among Unity servers and connected database systems.
The contents of the file should be the same wherever the value of LdapServerName is the same.

  • LdapClientTlsCert
  • LdapClientTlsKey
The value of each property can vary among Unity servers and connected database systems.

  • LdapClientTlsReqCert
  • LdapClientTlsCipherSuite
  • LdapClientTlsCRLCheck
The value of each property must match among Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity.

  • LdapServiceFQDN
  • LdapServicePassword
  • LdapServicePasswordFile
  • LdapServicePasswordProtected
The value can vary between the Unity servers and connected database systems.

  • LdapServiceBindRequired
  • LdapClientSASLSecProps
The value of each property should match between Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity.

  • LdapAllowUnsafeServerConnect
The property value should be the same on Unity servers and any connected database system that uses the same LdapServerName value.

  • DHKeyP
  • DHKeyG
  • DHkeyP2048
  • DHKeyG2048
The value of each property does not need to be the same on Unity servers and connected database systems.
Teradata recommends that you do not edit these values.

  • MechQOP elements (legacy, default, low, medium, and high)
The configuration of each element should match between Unity servers and connected database systems if the same authentication behavior is required for clients connecting directly to the database as for those connecting through Unity.

  • <LdapConfig> IdentityMap and IdentitySearch elements

  • RequiredLibrary element (KRB5 only)
The filename does not need to match between Unity servers and connected database systems, but the Kerberos packages contained in the file must be the same version.

  • PROXY mechanism properties
See Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523 and Teradata® Unity™ User Guide, B035-2520.

  • ProxySupported
Set to yes on Unity servers and all connected database systems.

  • CertificateFile
  • PrivateKeyFile
File names do not need to match between Unity servers and connected database systems.

  • PrivateKeyPassword
  • PrivateKeyPasswordProtected
  • SigningHashAlgorithm
Only configured on database systems.

  • CACertFile
  • CACertDir
File and directory names do not need to match between Unity servers and connected database systems; however, the file structure from which the values of these properties are taken does use similar naming.
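To make the rules in the table checkable before a change is rolled out, the following added example (not Teradata's code, and not the real TDGSS file format) compares the mechanism properties in a Unity-side file with those in a database-side file and reports every coordination rule that is broken. The simplified XML shape, the sample values and the directory name ldaps://dir.example.com are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Rule groups taken from the table above.
MUST_MATCH = {"AuthorizationSupported", "MechanismEnabled"}
MATCH_IF_SAME_BEHAVIOR = {"DefaultMechanism", "MutualAuthentication", "LdapClientMechanism",
                          "LdapClientTlsReqCert", "LdapClientTlsCipherSuite", "LdapClientTlsCRLCheck",
                          "LdapServiceBindRequired", "LdapClientSASLSecProps"}
MATCH_IF_SAME_LDAP_SERVER = {"LdapServerRealm", "LdapClientReferrals", "LdapClientDeref",
                             "LdapClientRebindAuthorization", "LdapClientUseTls",
                             "LdapAllowUnsafeServerConnect"}

# Constructed sample files in a hypothetical, simplified XML shape; the real
# TdgssUnityConfig.xml and TdgssUserConfigFile.xml contain far more than this.
UNITY_XML = """<TdgssConfig><Mechanism Name="LDAP"><MechanismProperties
  MechanismEnabled="yes" AuthorizationSupported="yes" DefaultMechanism="no"
  LdapServerName="ldaps://dir.example.com" LdapClientUseTls="yes" LdapClientDebug="0"/>
</Mechanism><Mechanism Name="TD2"><MechanismProperties MechanismEnabled="yes"
  DefaultMechanism="yes" VerifyDHKey="yes"/></Mechanism></TdgssConfig>"""
DB_XML = """<TdgssConfig><Mechanism Name="LDAP"><MechanismProperties
  MechanismEnabled="yes" AuthorizationSupported="no" DefaultMechanism="no"
  LdapServerName="ldaps://dir.example.com" LdapClientUseTls="no" LdapClientDebug="1"
  DelegateCredentials="yes"/></Mechanism><Mechanism Name="TD2"><MechanismProperties
  MechanismEnabled="yes" DefaultMechanism="yes" VerifyDHKey="no"/></Mechanism></TdgssConfig>"""

def load_mechanisms(xml_text):
    """Return {mechanism name: {property: value}} from the sample XML shape."""
    mechs = {}
    for m in ET.fromstring(xml_text).iter("Mechanism"):
        props = m.find("MechanismProperties")
        mechs[m.get("Name")] = dict(props.attrib) if props is not None else {}
    return mechs

def check(unity_xml, db_xml, same_behavior=True):
    """List (mechanism, property, reason) for each broken rule; same_behavior means
    logons through Unity and direct logons must behave alike."""
    unity, db = load_mechanisms(unity_xml), load_mechanisms(db_xml)
    findings = []
    for name in sorted(set(unity) & set(db)):
        u, d = unity[name], db[name]
        # DelegateCredentials is not used for Unity and should be 'no' on the database.
        if d.get("DelegateCredentials", "no").lower() == "yes":
            findings.append((name, "DelegateCredentials", "set to 'no' (not used for Unity)"))
        same_ldap = u.get("LdapServerName") == d.get("LdapServerName")
        for prop in sorted(set(u) | set(d)):
            if u.get(prop) == d.get(prop):
                continue  # identical on both sides, nothing to report
            if prop in MUST_MATCH:
                findings.append((name, prop, "must match"))
            elif prop in MATCH_IF_SAME_BEHAVIOR and same_behavior:
                findings.append((name, prop, "must match for the same logon behavior"))
            elif prop in MATCH_IF_SAME_LDAP_SERVER and same_ldap:
                findings.append((name, prop, "should match (same LdapServerName)"))
    return findings
```

Properties the table allows to differ, such as LdapClientDebug and VerifyDHKey, are deliberately not reported even when the two files disagree.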