About TLS | SQL Engine 17.10 | Teradata Vantage - 17.10 - Using TLS with Client to Database Connections - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

The TLSv1.2 protocol provides confidentiality and data integrity for network traffic transmitted between clients and the SQL Engine Gateway.

  • HTTPS port 443 is the default port for TLS connections.
  • Port 1025 is the default port for legacy non-TLS connections.
  • TTU 17.10 client drivers and interfaces connect to SQL Engine 17.00, 16.20, 16.10 and 15.10 without using TLS.
  • TTU Release 17.00 and older client drivers and interfaces connect to SQL Engine 17.10 without using TLS.
  • If the Gateway is configured to require TLS, TTU Release 17.00 and older client drivers and interfaces cannot connect to SQLE 17.10.
  • TLS is supported by network-connected TTU drivers and interface products, including: JDBC, ODBC, .NET, and CLIv2.
  • Certificates must be in .PEM format.

TLS can be configured to require clients to use only TLS, but the default configuration allows clients without TLS to connect to the database.

Prerequisites for TLSv1.2 Configuration

  • SQL Engine 17.10 or later.
  • TTU 17.10 or later.
  • Port 443 must be open on the firewall.
  • Certificate management is essential for TLSv1.2 enablement. How the certificates are managed is the responsibility of the customer according to their security policies and security requirements.

TLSv1.2 Considerations

  • TLS not available for the mainframe channel.
  • Performance varies by TLS cipher choice and workload.

Client Configuration

The default data transfer encryption setting for CLIv2 is SSLMODE=ALLOW which means prefer legacy port (and TDGSS) but optionally use TLS.

The default data transfer encryption setting for the drivers (JDBC, ODBC, and .NET) is SSLMODE=PREFER which means prefer TLS port but optionally use legacy port.

For detailed information about client TLS configuration, see the appropriate manual for your client.