17.10 - Examples: Enabling Clients and Proxies that are Unable to Automatically Support Security Policy to Log On - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.10
Release Date: July 2021
Content Type: Administration, Security
Publication ID: B035-1100-171K
Language: English (United States)

Example: Enabling Logon for All

Setting the --secpcynotsupported logon flag to all configures the gateway to allow logons using clients or proxies that are unable to automatically support security policy, even when policy applies.

gtwcontrol --secpcynotsupported logon=all

A client that cannot automatically follow policy, and that has not been manually configured to be within policy, can send a single out-of-policy message per session before the security violation is caught and the session is logged off.

Proxies that cannot automatically follow security policy cannot guarantee that the clients that connect through them follow policy, nor can they transmit policy to clients that could otherwise follow it. For this reason, all clients that log on through such proxies must be manually configured to be within policy, even if they are otherwise capable of following policy automatically. In practice, the gateway can identify security violations by client sessions logged on through such a proxy and log them off, but not until after a single out-of-policy message has already been sent.

Example: Enabling Logon for Clients

Setting the --secpcynotsupported logon flag to client configures the gateway to allow logons using clients that are unable to automatically support security policy, even when policy applies.

gtwcontrol --secpcynotsupported logon=client

A client that cannot automatically follow policy, and that has not been manually configured to be within policy, can send a single out-of-policy message per session before the security violation is caught and the session is logged off.

Example: Enabling Logon for Proxy

Setting the --secpcynotsupported logon flag to proxy configures the gateway to allow logons through proxies that are unable to automatically support security policy, even when policy applies.

gtwcontrol --secpcynotsupported logon=proxy

Proxies that cannot automatically follow security policy cannot guarantee that the clients that connect through them follow policy, nor can they transmit policy to clients that could otherwise follow it. For this reason, all clients that log on through such proxies must be manually configured to be within policy, even if they are otherwise capable of following policy automatically. In practice, the gateway can identify security violations by client sessions logged on through such a proxy and log them off, but not until after a single out-of-policy message has already been sent.