Purpose
LOGMECH
This control enables users to specify the logon mechanism, such as NTLM, KRB5, LDAP or TD2, which defines the security context under which the established sessions will operate.
If the LOGMECH command is not used, or is used without specifying a logmech_name, the logon proceeds using the default mechanism name indicated in the TeraGSS XML config file.
LOGDATA
This control enables users to specify a character string that is used to supply non-Teradata-managed user credentials to an external authentication mechanism.
If the LOGDATA command is used without a logdata_string, BTEQ resets the mechanism data string to NULL.
LOGMECH
Valid values for LOGMECH are a single mechanism name up to eight characters in length and not case-sensitive. The initial value for LOGMECH is eight spaces, which specifies the default mechanism. When the LOGMECH command is used without specifying a value, BTEQ sets LOGMECH to its initial default value.
The logon mechanism names can be any of the external logon mechanisms that CLI supports, such as NTLM, KRB5, LDAP, BROWSER, CODE, and BEARER. More details on the supported security mechanisms can be found in the Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems manual.
Command | Shorthand |
---|---|
LOGMECH | LM |
where the following is true:
- logmech_name
- Defines the logon mechanism. For a discussion of supported logon mechanisms, see Teradata Vantage™ - Analytics Database Security Administration, B035-1100.
The name is limited to eight characters; it is not case-sensitive.
The DEFAULTS command does not affect LOGMECH setting.
The LOGMECH command cannot be used in an SQL macro.
LOGDATA
For LOGDATA, valid values are a single mechanism data value up to 32000 bytes in length. When the LOGDATA command is used without specifying a value, BTEQ sets LOGDATA to its initial default value.
Command | Shorthand |
---|---|
LOGDATA | LD |
where the following is true:
- logdata_string
- Indicates the parameters for the logon mechanism (specified using the LOGMECH command). For information about the logon parameters for supported mechanisms, see Teradata Vantage™ - Analytics Database Security Administration, B035-1100.
Usage Notes
As the LOGDATA argument is considered sensitive information, BTEQ (in interactive mode) prompts for a value, which is specified in protected mode (keyboard entry is not displayed). The value cannot be supplied as an argument to the LOGDATA command.
The SHOW CONTROLS command does not display the LOGDATA setting.
For workstation-attached systems or mainframe-attached systems employing Gateway-mediated CLI, you can use Teradata Wallet to keep your database user passwords private and not exposed in scripts. For more information about using Teradata Wallet for the username and password entries in the LOGDATA command, see Teradata Vantage™ - Analytics Database Security Administration, B035-1100.
For more information about using security mechanisms, see Teradata Vantage™ - Analytics Database Security Administration, B035-1100.
In z/OS 2.4, RACF introduced a new assertion mechanism, the JSON Web Token, also known as an Identity Token, which can be used to validate distributed users who have a valid RACF user id and provides a secure way to log on to the Teradata database server without specifying a password.
Starting with TTU 17.20, z/OS BTEQ users employing Gateway-mediated CLI can use the new RACFJWT logon mechanism that supports Identity Token. To use the RACFJWT mechanism, issue the LOGMECH command to provide the mechanism name and provide the user name without a password.
.LOGMECH RACFJWT
.LOGON <tdpid>/<username>
See "IBM z/OS Mainframe Support" in Teradata Call-Level Interface Version 2 Reference for Workstation-Attached Systems, B035-2418 for how to set up a valid username and for details about other required configurations.
The LOGDATA command cannot be used in an SQL macro.
Example – LOGDATA and LOGMECH
When using the LOGDATA and LOGMECH commands, they must precede the LOGON command. The LOGDATA and LOGMECH commands can occur in either order. The following example is for non-interactive mode use.
It demonstrates using the LOGDATA, LOGMECH, and LOGON commands in combination to specify the Windows logon authentication method and associated parameters:
.logmech NTLM;
.logdata joe@domain1@@mypassword;
.logon mydbs;
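A non-interactive script like the one above carries the LOGDATA value in the file itself, so the following added example (not Teradata code) audits a BTEQ script against the rules on this page: LOGMECH and LOGDATA must precede a LOGON, a mechanism name is at most eight characters, and LOGDATA is sensitive. It assumes Teradata Wallet references are written `$tdwallet(name)` and that the password follows `@@` as in the example; the function name, findings text and sample script are constructed for illustration.

```python
import re

# LOGMECH/LM, LOGDATA/LD and LOGON dot commands, one per line, optional ';'.
CMD = re.compile(r"^[ \t]*\.(logmech|lm|logdata|ld|logon)\b[ \t]*([^;\n]*)",
                 re.IGNORECASE | re.MULTILINE)
# Assumption: a Teradata Wallet reference has the form $tdwallet(name).
WALLET = re.compile(r"\$tdwallet\([^)]*\)", re.IGNORECASE)

# Constructed sample: the page's example followed by two misplaced commands.
SAMPLE = """\
.logmech NTLM;
.logdata joe@domain1@@mypassword;
.logon mydbs;
.logoff;
.lm KERBEROS5X;
.ld joe@domain1@@$tdwallet(joe_pw);
"""


def audit_bteq_script(text):
    """Return (line_number, finding) pairs for the logon commands in a script."""
    cmds = [(text.count("\n", 0, m.start(1)) + 1,
             m.group(1).lower(), m.group(2).strip())
            for m in CMD.finditer(text)]
    # Index of the last LOGON; LOGMECH/LOGDATA after it apply to no logon.
    last_logon = max((i for i, c in enumerate(cmds) if c[1] == "logon"),
                     default=-1)
    findings = []
    for i, (line, cmd, arg) in enumerate(cmds):
        if cmd == "logon":
            continue
        kind = "LOGMECH" if cmd in ("logmech", "lm") else "LOGDATA"
        if i > last_logon:
            findings.append((line, f"{kind} is not followed by a LOGON"))
        if kind == "LOGMECH" and len(arg) > 8:
            findings.append((line, "mechanism name exceeds eight characters"))
        if kind == "LOGDATA":
            # Password part follows '@@'; without '@@' the whole value is suspect.
            secret = arg.split("@@", 1)[1] if "@@" in arg else arg
            if WALLET.sub("", secret).strip():
                findings.append((line, "LOGDATA carries a literal credential"))
    return findings


if __name__ == "__main__":
    for line, finding in audit_bteq_script(SAMPLE):
        print(f"line {line}: {finding}")
```

A check like this fits a pre-commit hook or CI step for repositories that hold BTEQ job scripts.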