17.10 - About tlsutil - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

The tlsutil utility is used to obtain and install signed certificates and private keys for use with TLS.

tlsutil Syntax

tlsutil -c [-s | -l | -u [-e expire_time]] [-d directory] [-v]
                  [-k rsa[:keylength] | ec[:named_curve]]
                  [-g "genpkey_parameters"]
                  [-z] database_name ...

tlsutil -i [-d directory] [-v] [-z [-f filename]]

tlsutil -r [-l] [-d directory] [-v]

tlsutil -t [-l] [-d directory] [-v] [-e expire_time]

tlsutil -h

tlsutil Syntax Elements

The following table contains descriptions of the tlsutil command arguments.

Command Arguments Description
-c Create one or more Certificate Signing Requests (CSRs).
-d Directory to hold certificates, keys and temporary storage. The directory must start with "/".
-e Validity threshold until certificate expiration in days.
-f File (in ZIP format) containing all signed certificates.
-g Passes a quoted string of parameters to openssl genpkey, which tlsutil runs to generate the private keys. Do not include "openssl genpkey" or the "-out" parameter; tlsutil supplies those.
-h Displays the help text and lists the valid values for named curves.
-i Installs all signed certificates and private keys.
-k The -k option provides parameters for rsa and ec private key generation. For example:
  • rsa key: Optionally specify keylength. Default is 2048.
  • ec key: Optionally specify named curve. Default is secp384r1.
-l Local node only. By default, operations are performed on all nodes.
-r Remove temporary directories and other subdirectories from the default locations. If the -d option is used, -r removes <directory>/tmpdir and all of its subdirectories.
-s The same private key and signed certificate are installed on all nodes.

  The -s option is used with tlsutil -c (create CSR mode). It creates a single CSR that can be used on any node in the system.

  When -s is used, the CSR is built from the list of database names passed on the command line, rather than from the output of nodenames (which may include node-specific names).

  A single CSR is created. The user is responsible for using that CSR to obtain a signed certificate.

  When tlsutil -i is then run to install the signed certificate, the single signed certificate and the same private key are installed on all nodes.

-t Test mode. Used to confirm that signed certificates are valid.
-u Update mode. Only create CSRs for nodes where the installed private key or certificate is missing, invalid, or the certificate is at or near expiration.
-v Verbose mode.
-z Zipped file used to hold all CSRs and signed certificates. -z has no effect when running in local mode (-l).
directory
The name of the directory to hold certificates, keys, and temporary storage. The directory must start with "/".
database_name
Name of the database. Teradata recommends using the fully qualified name of the database. For example: xyz.example.com.
expire_time
Number of days until a certificate expires.
filename
Name of the ZIP file that contains all of the signed certificates.
genpkey_parameters
genpkey is an OpenSSL command that generates a private key.
genpkey accepts several parameters; for details, see the OpenSSL genpkey documentation. The "openssl genpkey" and "-out key_file_name" arguments are not allowed in the -g option, because tlsutil supplies those.
named_curve
The name of the elliptic curve to use when generating an ec private key.
tlsutil -h lists the valid named curves.
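The -t and -u modes decide per node whether the installed key and certificate are usable and whether the certificate falls within the -e expire_time threshold. The following shell function is an added example of that decision logic written against plain openssl, not tlsutil's own code; it assumes the key and certificate live at DIR/server.key and DIR/server.crt (file names assumed here, not taken from this page).

```shell
#!/bin/sh
# node_needs_csr DIR EXPIRE_DAYS
# Added example emulating the per-node check behind tlsutil -u -e expire_time:
# a node needs a new CSR when the private key or certificate is missing, the
# certificate or key is invalid (or they do not match), or the certificate
# expires within EXPIRE_DAYS days. Prints the reason and returns 0 when a new
# CSR is needed, 1 when the node is fine.
# Assumed file names (not from the page): DIR/server.key and DIR/server.crt.
node_needs_csr() {
    dir=$1
    days=$2
    key="$dir/server.key"
    crt="$dir/server.crt"

    if [ ! -s "$key" ]; then echo "renew: private key missing"; return 0; fi
    if [ ! -s "$crt" ]; then echo "renew: certificate missing"; return 0; fi

    # The certificate must parse as X.509 and the key as a private key.
    if ! openssl x509 -noout -in "$crt" >/dev/null 2>&1; then
        echo "renew: certificate invalid"; return 0
    fi
    if ! openssl pkey -noout -in "$key" >/dev/null 2>&1; then
        echo "renew: private key invalid"; return 0
    fi

    # The public key embedded in the certificate must be the key's public half;
    # a mismatch means the pair was never usable for TLS.
    cert_pub=$(openssl x509 -noout -pubkey -in "$crt" 2>/dev/null)
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "renew: certificate does not match private key"; return 0
    fi

    # -checkend exits non-zero if the certificate expires within N seconds,
    # which is the "at or near expiration" test with the threshold in days.
    if ! openssl x509 -noout -checkend $((days * 86400)) -in "$crt" >/dev/null 2>&1; then
        echo "renew: certificate expires within $days days"; return 0
    fi

    echo "ok: valid for more than $days days"
    return 1
}

# Command-line usage: node_needs_csr.sh /path/to/tlsdir 30
if [ "$#" -eq 2 ]; then
    node_needs_csr "$1" "$2"
fi
```

A node-wide sweep is just this function run once per node directory; the printed reason is what you would log before regenerating a CSR.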