Configuring the Directory Services

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

You can refer to the example configuration in Use Case for Configuring Global and Local Security Policies as an aid in understanding configuration steps.

To ensure uninterrupted operation, configure duplicate security policies in a backup directory and configure the LdapServerName property to automatically switch to the alternate directory in the event of failure. See LdapServerName.
  1. Make a backup copy of the TdgssUserConfigFile.xml file.
  2. Add the <LdapConfig> section to TdgssUserConfigFile.xml on Teradata Vantage nodes, and to the TdgssUnityConfig.xml on the Unity server, if used. See Adding Multiple Directory Services to the TDGSS Configuration. Use this procedure for configuring security policies even if you have only one directory service to configure.
    If you have already configured multiple directory services in an <LdapConfig> section for LDAP authentication (as shown in Configuring LDAP to Use Multiple Directory Services), the existing configuration contains many of the elements necessary for policy configuration. You only need to add the required policy-related elements to the configuration.
    1. Open the TdgssUserConfigFile.xml for editing.
    2. Disable the existing LDAP mechanism, saving property settings for use in the <LdapConfig> section.
    3. Create the <LdapConfig> section.
    4. Add the optional <Tls> section, if required at your site. See Using TLS with a Directory Server.
  3. Configure an entry for each directory service using the standard LDAP properties needed for security policies. See Standard LDAP Properties Used for All Policy Configurations.
  4. Optionally configure a service element for a global security policy. See Configuring Policy-Related Properties for a Global Security Policy.
  5. Add the necessary policy-specific properties to each local service. See Configuring Policy-Related Properties for a Local Security Policy.
  6. Verify the configuration is correct:
    1. Run tdgsstestcfg to test the configuration. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Test the policy configuration using the tdspolicy tool. See Investigating Security Policy Assignments.
    3. Exit the test shell:
      exit
  7. After you complete the required edits to the TdgssUserConfigFile.xml, run the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  8. If run_tdgssconfig indicates that a TPA reset is required, run tpareset.
    tpareset -f "use updated TDGSSCONFIG GDO"
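
A pre-flight helper for steps 1 and 6, as an added example that is not Teradata's code: it takes a timestamped backup of the configuration file and, after editing, checks that the file still has a balanced <LdapConfig> section and shows the changes against the backup. The script name preflight.sh, the file path argument (the page does not give the path), and the optional use of xmllint are assumptions.

```shell
#!/bin/sh
# Added example, not Teradata code. The config path is an argument because
# the page does not say where TdgssUserConfigFile.xml lives.

# Step 1: timestamped backup keeping mode and mtime; prints the backup path.
backup_config() {
    src=$1
    [ -f "$src" ] || { echo "no such file: $src" >&2; return 1; }
    dst="$src.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dst" || return 1
    cmp -s "$src" "$dst" || { echo "backup differs from $src" >&2; return 1; }
    echo "$dst"
}

# Before step 6: structural sanity check of the edited file.
check_config() {
    cfg=$1
    [ -f "$cfg" ] || { echo "no such file: $cfg" >&2; return 1; }
    # Assumption: xmllint may be absent on the node, so it is optional.
    if command -v xmllint >/dev/null 2>&1; then
        xmllint --noout "$cfg" 2>/dev/null ||
            { echo "$cfg is not well-formed XML" >&2; return 1; }
    fi
    # Counts tags textually, so a commented-out section is counted too.
    opens=$(( $(grep -o '<LdapConfig[[:space:]>]' "$cfg" | wc -l) ))
    closes=$(( $(grep -o '</LdapConfig>' "$cfg" | wc -l) ))
    if [ "$opens" -lt 1 ] || [ "$opens" -ne "$closes" ]; then
        echo "<LdapConfig>: $opens opening, $closes closing tag(s)" >&2
        return 1
    fi
}

# Usage: preflight.sh backup FILE | preflight.sh check FILE BACKUP
case "${1:-}" in
    backup) backup_config "$2" ;;
    check)  check_config "$2" && { diff -u "$3" "$2"; true; } ;;
esac
```

Run the backup mode before step 2 and the check mode just before step 6; a passing check does not replace tdgsstestcfg, which validates the configuration itself.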