17.10 - Corrective Action - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)
  1. Obtain the certificate from the directory server with the openssl command:
    openssl s_client -connect server_name:port
    server_name
      The directory server DNS name.
    port
      The port on which the directory server listens for SSL connections.
  2. In the output from this command, find the line that begins with subject. This line should contain a CN attribute. The CN attribute value, a name, must resolve in DNS to the IP address of the directory server. The error message occurs because that name is either unresolved or resolves to the wrong IP address, so the cause is either a DNS problem or a problem with the name in the server certificate.
  3. Check the following items to determine the problem and then fix it.
    1. If the LdapServerName property names the directory server explicitly, make sure the name in the property value matches the name in the subject for the directory server certificate. For example, if the subject CN attribute contains:
      dlopldap.td.teradata.com

      then make sure the LdapServerName property contains either the TLS specification:

      ldap://dlopldap.td.teradata.com/

      or the SSL specification:

      ldaps://dlopldap.td.teradata.com/
    2. Make sure that the name in the CN attribute is resolvable and returns the correct IP address. Fix any errors and try again.
    3. If the name in the CN attribute cannot be resolved or resolves to the wrong IP address, and cannot be changed in DNS, you must install a new certificate on the directory server. See Checking the Directory Server Certificates.
      The CN attribute must meet these requirements:
      • The subject for the certificate must contain the DNS name (preferably, the fully qualified DNS name) that resolves to the IP address where the server is listening.
      • The DNS name must correctly resolve on the Teradata Vantage nodes or Unity server.
      • If the LdapServerName property is configured to explicitly name directory servers, the value in the subject's CN attribute must be used as the host in the configured LDAP or LDAPS URI.
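As an added example (not part of the Teradata documentation or its tooling), a small POSIX shell helper that automates the checks above: it extracts the subject CN from openssl s_client output, pulls the host out of an LdapServerName URI, and reports whether the two agree. The sample subject lines are constructed, the function names are mine, and the DNS check assumes a Linux host with getent.

```shell
#!/bin/sh
# Added example, not Teradata tooling: check that the CN in a directory server
# certificate subject matches the host in an LdapServerName URI (steps 1 to 3).

# Constructed sample subject lines in the two layouts openssl s_client prints.
SAMPLE_SUBJECT_NEW='subject=C = US, O = Example, CN = dlopldap.td.teradata.com'
SAMPLE_SUBJECT_OLD='subject=/C=US/O=Example/CN=dlopldap.td.teradata.com'

# cert_cn: read openssl s_client output on stdin and print the subject CN value.
cert_cn() {
  grep '^subject=' | head -n 1 \
    | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' \
    | sed 's/[[:space:]]*$//'
}

# uri_host: print the host part of an ldap:// or ldaps:// URI (port and path dropped).
uri_host() {
  printf '%s\n' "$1" | sed -n 's#^ldaps\{0,1\}://\([^/:]*\).*#\1#p'
}

# lower: DNS names are case-insensitive, so compare them in lower case.
lower() {
  printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# cn_matches_uri CN URI: succeed only when the certificate CN is the URI host.
cn_matches_uri() {
  host=$(uri_host "$2")
  [ -n "$1" ] && [ -n "$host" ] && [ "$(lower "$1")" = "$(lower "$host")" ]
}

# resolves_to NAME IP: succeed when NAME resolves to IP (step 3.2). Assumes a
# Linux host with getent; needs working DNS, so it is not exercised offline.
resolves_to() {
  getent hosts "$1" | awk '{ print $1 }' | grep -qx "$2"
}

# live_check SERVER:PORT URI: step 1 against a real server, then the comparison.
# Network access is required, so this is not run here.
live_check() {
  cn=$(openssl s_client -connect "$1" </dev/null 2>/dev/null | cert_cn)
  if cn_matches_uri "$cn" "$2"; then
    echo "OK: certificate CN '$cn' matches LdapServerName host"
  else
    echo "MISMATCH: certificate CN '$cn' vs LdapServerName '$2'" >&2
    return 1
  fi
}
```

Run `live_check dlopldap.td.teradata.com:636 ldaps://dlopldap.td.teradata.com/` (with your own server and URI) to perform the real check; a MISMATCH result points at the certificate or LdapServerName value, and a failure of resolves_to points at DNS.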