TLS 1.2 support with SQL-Engine | Teradata Data Mover - 17.11 - About supporting TLS 1.2 with SQL-Engine - Teradata Data Mover

Teradata® Data Mover User Guide

Product
Teradata Data Mover
Release Number
17.11
Release Date
October 2021
Content Type
User Guide
Publication ID
B035-4101-091K
Language
English (United States)

Data Mover supports TLS 1.2 to encrypt communication between itself and SQL-Engine. The following utilities support TLS 1.2.

Utility Behavior
TPTAPI Data movement between TPTAPI (running on Data Mover servers) and Source/Target SQL-Engine is encrypted.
JDBC All communication and data movement by JDBC (running on Data Mover servers) and Source/Target SQL-Engine is encrypted. This includes calling DBC Views, creating or dropping tables on target, copy stats, and others.
To enable TLS 1.2 on Data Mover server, the two properties tpt.connection and jdbc.connection are added in the daemon level (daemon configuration parameter). Users can specify extra parameters that are passed to TPTAPI and JDBC which establishes TLS connection to SQL-Engines. Data Mover passes the parameters exactly as specified in the configuration to the respective utilities. It does not check, parse, or modify the user input.
Parameters are separated with a semi-colon (;) in tpt.connection, and with a comma (,) in jdbc.connection.

A subset of parameters to allow TLS 1.2 are sslmode, tdmstport, tdmstlsport, sslca, sslcapath, and sslprotocol. Please refer to the documentation on TPTAPI and JDBC to configure the exact parameters.

In daemon confuguration , for tpt.connection and jdbc.connection, Data Mover allows user to specify a system specific value and a 'default' value for all systems. The system specific value has precedence of default value. For example,
<property>
         <key>tpt.connection</key>
         <value>sslmode=allow;</value>
         <value system="systemA">sslmode=required; tdmstport=1025; tdmsttlsport=443; sslcapath=/etc/ssl/mycerts</value>
	      </property>
Here, sslmode=required and three other parameters are used for TPTAPI connection when systemA is a source or target; and sslmode=allow is used for all the other systems.

User can specify both properties through the command line (datamovelist/save_configuration) as well as through REST API.

Support for DSA with TLS 1.2 encryption of user data is now available. Refer the Teradata® Data Mover Installation, Configuration, and Upgrade Guide for Customers, B035-4102 for more information about how to configure the encryption of all user data from source to target. This configuration applies to all DM or DSA jobs that are executed.