17.10 - Changing the Default QOP Strength - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

If the default QOP strength does not meet site needs, you can edit the DEFAULT QOP configuration for the LDAP, TD2, and JWT mechanisms so sessions that enable encryption default to a stronger algorithm.

  1. Uncomment the DEFAULT QOP in TdgssUserConfigFile.xml (if not done previously) and edit it, either by reordering the list to put the needed encryption strength at the top or by removing a value. For example:
    <!-- To update security uncomment one or more QOPs and edit. -->
    <!-- DEFAULT QOP
     <MechQop Value="Default">
           AES-K128_GCM_PKCS5Padding_SHA2_DH-K2048
           AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
           AES-K192_GCM_PKCS5Padding_SHA2_DH-K2048
           AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
           AES-K256_GCM_PKCS5Padding_SHA2_DH-K2048
           AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
     </MechQop>
      -->
    If you remove AES-128 from the list and the Legacy QOP is still enabled, execution of the run_tdgssconfig utility in the following step exits with an error.
  2. After editing, use the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  3. Run tpareset to activate the changes to the TDGSS configuration.
    tpareset -f "use updated TDGSSCONFIG GDO"
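
A pre-flight check for the edited file, run before run_tdgssconfig in step 2. This is an added example, not Teradata code. It assumes the QOP entry layout shown in step 1; the function name, the sample text, and the uncommented form of the block are constructed for illustration.

```python
import re

# Entry layout as shown in step 1:
# <cipher>-K<bits>_<mode>_<padding>_<hash>_DH-K<bits>
ENTRY = re.compile(r"^(?P<cipher>[A-Z0-9]+)-K(?P<bits>\d+)_(?P<mode>[A-Z]+)_"
                   r"(?P<padding>[A-Za-z0-9]+)_(?P<hash>SHA\d+)_DH-K(?P<dh>\d+)$")
BLOCK = re.compile(r'<MechQop\s+Value="Default">(.*?)</MechQop>', re.S)

# Constructed sample of an edited file: AES-256 GCM first, AES-128 removed.
# How the uncommented header line looks is an assumption.
EDITED = """\
<!-- To update security uncomment one or more QOPs and edit. -->
<!-- DEFAULT QOP -->
<MechQop Value="Default">
     AES-K256_GCM_PKCS5Padding_SHA2_DH-K2048
     AES-K192_GCM_PKCS5Padding_SHA2_DH-K2048
</MechQop>
"""


def check_default_qop(xml_text):
    """Return (active, entries, warnings) for the DEFAULT QOP block."""
    live = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)  # drop XML comments
    match = BLOCK.search(live)
    active = match is not None
    if not active:
        match = BLOCK.search(xml_text)  # block exists only inside a comment
    if match is None:
        return False, [], ["no DEFAULT QOP block found"]
    warnings = [] if active else ["DEFAULT QOP is still commented out"]
    entries = []
    for token in match.group(1).split():
        m = ENTRY.match(token)
        if m is None:
            warnings.append(f"unrecognized entry: {token}")
            continue
        entries.append({**m.groupdict(), "name": token})
    # Condition stated in step 1: removing AES-128 fails with Legacy QOP enabled.
    if entries and not any(e["cipher"] == "AES" and e["bits"] == "128" for e in entries):
        warnings.append("no AES-128 entry: run_tdgssconfig exits with an error "
                        "if the Legacy QOP is still enabled")
    return active, entries, warnings


if __name__ == "__main__":
    active, entries, warnings = check_default_qop(EDITED)
    print("active:", active, "| top of list:", entries[0]["name"] if entries else None)
    print("\n".join(warnings) or "no warnings")
```

The first entry returned is the one at the top of the list; whether the Legacy QOP is enabled has to be checked separately, since its configuration is not shown on this page.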

For more information, see Global QOPs.