SSO Security Hardening

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

A JWT received from a client is validated using the JWK (JSON Web Key) retrieved from the JWK URI through REST API calls. For performance reasons, the JWK is cached so that subsequent validations are fast and need no further REST API calls. The JWT mechanism has additional properties for security hardening.

JWTRestAPIMaxTimeAllowed

The JWTRestAPIMaxTimeAllowed property specifies the maximum time (in seconds) allowed for a REST API call before it times out.

The default setting is 20 seconds.

JWTRestAPITimeLimit

The JWTRestAPITimeLimit property specifies the time (in seconds) between REST API calls. Too many REST API calls cause denial of service.

The default setting is 10 seconds.

JWTKeyCacheRefreshTime

The JWTKeyCacheRefreshTime property specifies the interval (in minutes) at which the key cache is purged so that it is refreshed with new keys.

The default setting is 1440 minutes (24 hours).

JWTClientTlsCACertDir

The JWTClientTlsCACertDir property specifies the location of the CA certificates. It specifies the full path to the site/ssl/cacerts directory.

There is no default, but it is typically here: /opt/teradata/tdat/tdgss/site/ssl/cacerts/.

JWTClientUseTls

The JWTClientUseTls property enforces TLS 1.2 or higher for REST API calls. This ensures that the REST API always uses HTTPS and that peer and host verification is performed.

The default setting is "Yes". The value "No" should not be used in production.

JWTSkewTime

The JWTSkewTime property specifies the maximum skew time (in seconds) allowed during JWT validation.

The default setting is 300 seconds (5 minutes).
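
The following Python sketch is an added example, not Teradata code. It models how the cache refresh, call spacing, call timeout and skew properties could interact, using the defaults listed above. The names JwkCache, fetch and claims_time_valid are hypothetical, and the exact semantics (a purge on the refresh interval, a minimum gap between JWK URI calls, skew applied to the exp and nbf claims) are assumptions for illustration.

```python
import time


class JwkCache:
    """Illustrative model only: a JWK cache driven by the page's properties."""

    def __init__(self, fetch, clock=time.time, refresh_minutes=1440,
                 time_limit_s=10, max_time_allowed_s=20):
        self.fetch = fetch                      # hypothetical: fetch(timeout=...) -> {kid: key}
        self.clock = clock
        self.refresh_s = refresh_minutes * 60   # models JWTKeyCacheRefreshTime
        self.time_limit_s = time_limit_s        # models JWTRestAPITimeLimit
        self.max_time_allowed_s = max_time_allowed_s  # models JWTRestAPIMaxTimeAllowed
        self.keys = {}
        self.loaded_at = None
        self.last_call = None

    def get(self, kid):
        now = self.clock()
        # Purge the whole cache once the refresh interval has elapsed.
        if self.loaded_at is not None and now - self.loaded_at >= self.refresh_s:
            self.keys, self.loaded_at = {}, None
        if kid in self.keys:
            return self.keys[kid]               # cache hit: no REST call
        # Cache miss: a flood of tokens with unknown key IDs must not become
        # a flood of REST calls, so enforce the gap between calls.
        if self.last_call is not None and now - self.last_call < self.time_limit_s:
            return None
        self.last_call = now                    # set first, so failures are throttled too
        self.keys = self.fetch(timeout=self.max_time_allowed_s)
        self.loaded_at = now
        return self.keys.get(kid)


def claims_time_valid(claims, now, skew_s=300):
    """Check exp/nbf with the tolerance modelled on JWTSkewTime."""
    if "exp" in claims and now > claims["exp"] + skew_s:
        return False
    if "nbf" in claims and now < claims["nbf"] - skew_s:
        return False
    return True
```

A token whose key ID is not in the cache is rejected without a network call while the call gap is in force, which is what keeps unauthenticated clients from driving traffic to the JWK URI.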