17.10 - Prerequisites - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

  • The KRB5 and SPNEGO (if used) mechanisms are enabled.
  • The AuthorizationSupported property for the mechanisms is set to:
    • ‘no’ if users are authorized privileges by Teradata Vantage
    • ‘yes’ if users are authorized privileges in a directory
  • External authentication is set up for Vantage. See About External Authentication Controls and About External Authentication Requirements.
  • Vantage clients and Teradata Vantage are connected to the network. Teradata Vantage clients are already capable of executing Kerberos logons elsewhere in the network, and the Vantage system is accessible to your client system.
  • For sites that use Unity, complete the configuration of the PROXY connection and related procedures shown in Teradata® Unity™ Installation, Configuration, and Upgrade Guide for Customers, B035-2523, before doing the Kerberos configuration.
  • KDCs are set up for Kerberos authentication (except for the specialized Teradata Vantage requirements shown in the procedures that follow), and are operational.
  • KDCs must run either Windows Kerberos or MIT Kerberos on Linux. Heimdal Kerberos is not supported.
  • Users who plan to access Vantage using Kerberos authentication are already fully set up to use Kerberos for other non-Vantage network logons. For Kerberos authentication, the authorized username must match a Teradata Vantage user having WITH NULL PASSWORD privileges, but the Vantage username does not have to be the same as the user's authenticated username. If there is no authorization, the Kerberos username and Vantage username must match, and the user must be granted WITH NULL PASSWORD. For a description of valid Kerberos username forms, see Logging on to Teradata Vantage.
  • If a Vantage (service) in one realm can be accessed by a client situated in a different realm, a cross-realm trust must exist between the realms.
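
The WITH NULL PASSWORD requirement in the list above, shown as an added example that is not part of the Teradata documentation: it grants the logon rule to one user, confirms it, and then audits every user that carries it through the DBC.LogonRulesV dictionary view. The user name krb_user01 is a hypothetical, already-created Vantage user.

```sql
-- Added example; krb_user01 is a hypothetical, already-created Vantage user.
-- Allow the user to log on from any host without supplying a database
-- password, as the Kerberos prerequisite above requires.
GRANT LOGON ON ALL TO krb_user01 WITH NULL PASSWORD;

-- Confirm the rule was recorded for that user.
SELECT UserName, LogicalHostId, LogonStatus, NullPassword
FROM   DBC.LogonRulesV
WHERE  UserName = 'krb_user01';

-- Audit: every logon rule that permits a null password.
-- Each row is an account that can log on with no database password once
-- external authentication succeeds, so the list should contain only
-- accounts that are meant to use Kerberos (or another external mechanism).
SELECT UserName, LogicalHostId, LogonStatus, CreatorName, CreateTimeStamp
FROM   DBC.LogonRulesV
WHERE  NullPassword = 'T'
ORDER BY UserName;
```

Running the audit query before and after Kerberos rollout gives a baseline for detecting null-password grants that were not part of the planned configuration.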