17.10 - Installing Kerberos Keys for Additional KDCs (Merging Keys) - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Release Date
July 2021
Content Type
Administration
Security
Publication ID
B035-1100-171K
Language
English (United States)

If one or more sets of Kerberos keys are already installed in the permanent keytab file and you want to add another set, for example because you configured an additional KDC, install the additional keys so that they merge with the existing keys rather than replace them. A keytab that holds only the new keys would break authentication through the KDCs whose keys it no longer contains, so the merged file must carry both the pre-existing and the new entries.

  1. Run ktutil from the command prompt of the database node that holds the existing keytab file, or from the Linux prompt of the Unity server that holds the existing keys:
    ktutil
    For information on ktutil options, see the ktutil man page on any node or on the Unity server.
  2. At the ktutil prompt, enter the command to read the current keys:
    rkt /etc/teradata.keytab
    This procedure assumes that any existing keytab files are in the standard location. If an alternate location was used, it is shown in the value of the TeradataKeyTab property in the TdgssUserConfigFile.xml.
  3. Enter the command to read the new keys:
    rkt /opt/teradata/tdat/tdgss/site/keytab_filename

    where keytab_filename is the name of a keytab file that you generated in Running ktpass to Create the Kerberos Keys or Creating the Kerberos Keys, and stored on a database node or Unity server in Moving the Kerberos Keys to a Teradata Vantage System or Unity Server.

    If you are installing keys for more than one domain, rerun this step for each set of files, for example, domain2.sys_name.keytab, domain3.sys_name.keytab, and so on.
  4. List all keys now held by ktutil to verify that it has read the pre-existing keys and every new file:
    list
  5. Save all keys to the permanent keytab file:
    wkt /etc/teradata.keytab
    With MIT Kerberos ktutil, wkt adds the keys in its list to the named file without first removing the entries already in that file, so writing back to /etc/teradata.keytab can leave each pre-existing key listed twice. After saving, check the file with klist -k /etc/teradata.keytab and confirm that each principal and KVNO appears once. If entries are duplicated, write the list to a new file instead and replace the original with it, keeping the original file's ownership and permissions, since the keytab holds the system's long-term service keys.
  6. Exit the command:
    quit
  7. From the Teradata command prompt, distribute the merged keytab file to all nodes with the pcl command. The new merged file, containing the pre-existing and new keys, replaces the old file, containing only the pre-existing keys, on every node. For example:
    pcl -send /etc/teradata.keytab /etc/teradata.keytab
    This step is not required on a single-node database system or on a Unity server.
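The whole procedure above, run non-interactively from the node's shell with the checks a practitioner would want before a merged keytab goes live. This is an added example, not Teradata's own tooling or code from this page. It assumes an MIT-style ktutil that accepts rkt/list/wkt/quit on standard input, klist -k output laid out as a "KVNO Principal" table, GNU coreutils for chmod/chown --reference, and pcl on multi-node systems; the keytab paths follow the page, while the principal names in the sample klist output and the merge_keytabs, ktutil_commands, duplicate_entries and entry_count function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Teradata's own code: merge additional Kerberos keytabs
# into the permanent keytab without driving ktutil by hand, verify the result,
# then install it.  Assumptions (not stated on the page): MIT-style ktutil that
# reads rkt/list/wkt/quit from stdin, klist -k output as a "KVNO Principal"
# table, GNU coreutils (--reference), and pcl on multi-node systems.
set -e

# Emit the ktutil command list: read the existing keytab, read each new file,
# list the in-memory keys, write them all to OUTPUT, quit.
ktutil_commands() {
    existing=$1; output=$2; shift 2
    printf 'rkt %s\n' "$existing"
    for f in "$@"; do
        printf 'rkt %s\n' "$f"
    done
    printf 'list\nwkt %s\nquit\n' "$output"
}

# Key-entry lines in klist -k output start with a numeric KVNO; headers do not.
keytab_entries() {
    awk '$1 ~ /^[0-9]+$/'
}

# Print every KVNO/principal line that occurs more than once.  Duplicates are
# what you get when wkt appends to a file that already held the same keys.
duplicate_entries() {
    keytab_entries | sort | uniq -d
}

entry_count() {
    keytab_entries | wc -l | tr -d ' '
}

# Merge NEW... into EXISTING.  wkt is pointed at a fresh file in the same
# directory, so it never appends to the live keytab; the result is checked for
# duplicates and growth, then moved into place atomically with the original's
# mode and owner (the keytab holds long-term service keys).
merge_keytabs() {
    existing=$1; shift
    workdir=$(mktemp -d "$(dirname "$existing")/keytab-merge.XXXXXX")
    merged=$workdir/merged.keytab
    ( umask 077; ktutil_commands "$existing" "$merged" "$@" | ktutil )
    before=$(klist -k "$existing" | entry_count)
    after=$(klist -k "$merged" | entry_count)
    dups=$(klist -k "$merged" | duplicate_entries)
    if [ -n "$dups" ] || [ "$after" -le "$before" ]; then
        echo "merge check failed (entries $before -> $after, duplicates: ${dups:-none})" >&2
        rm -rf "$workdir"
        return 1
    fi
    chmod --reference="$existing" "$merged"
    chown --reference="$existing" "$merged"
    mv "$merged" "$existing"
    rmdir "$workdir"
    echo "merged keytab installed: $existing ($before -> $after entries)"
}

# Step 7 of the procedure: push the merged file to every node (multi-node only).
distribute_keytab() {
    pcl -send "$1" "$1"
}

# Constructed klist -k output (not captured from a real system) showing a merge
# that went wrong: the DOMAIN1 key was written twice.  Principal names are
# illustrative, not Teradata's actual SPN format.
SAMPLE_KLIST_OUTPUT='Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 TERADATA/sys_name@DOMAIN1.EXAMPLE.COM
   2 TERADATA/sys_name@DOMAIN1.EXAMPLE.COM
   5 TERADATA/sys_name@DOMAIN2.EXAMPLE.COM'

# Usage: sh merge_keytabs.sh /etc/teradata.keytab \
#            /opt/teradata/tdat/tdgss/site/domain2.sys_name.keytab [more...]
if [ "$#" -ge 2 ]; then
    merge_keytabs "$@"
fi
```

Run it as root on the node that holds the existing keytab, giving the permanent keytab first and each new domainN.sys_name.keytab after it; on a multi-node system follow with distribute_keytab /etc/teradata.keytab. Writing to a scratch file and moving it into place is what keeps wkt from appending to the live file, and the duplicate check on the sample output above shows what a botched merge looks like in klist -k.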