Certificate Authority | QueryGrid - Certificate Authority Rotation - Teradata QueryGrid

QueryGrid™ Installation and User Guide - 3.06

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, Lake, VMware
Product: Teradata QueryGrid
Release Number: 3.06
Published: December 2024
Product Category: Analytical Ecosystem

When QueryGrid Manager is first started, a certificate authority is created. The certificate authority is used to generate the QueryGrid Manager server certificates used for securing communications. When a QueryGrid Manager instance is added to a cluster, the new instance inherits the certificate authority of the cluster. Every QueryGrid node in the cluster has a copy of that certificate authority to verify communication is with a trusted QueryGrid Manager instance.

The default expiration of a certificate authority is 100 years. When QueryGrid detects that a certificate authority is within 90 days of expiration, an alert is generated and displays in the Viewpoint QueryGrid portlet Issues view.

To change an expiration date or rotate certificate authority keys, all QueryGrid Managers, nodes, and fabrics must be online and running QueryGrid version 02.13 or later.

Use the following command to change the expiration date of the certificate authority or rotate the certificate authority keys, as required by security guidelines:

/opt/teradata/tdqgm/bin/rotate-cert.sh

If the rotate-cert command fails, the task is stopped and QueryGrid remains functional.

QueryGrid supports the following key generation algorithms:
  • RSA - supported key size is 2048+
  • EC (ECDSA) - supported key size options are 256, 384, or 521
Use the -h option to display help.
If the rotate-cert command fails, re-running the request attempts to resume the process from the previous error. Add the reset argument (-r) to reset the certificate to its previous state and start the task from the beginning:

/opt/teradata/tdqgm/bin/rotate-cert.sh -r
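The checks below are an added example, not Teradata's code or part of rotate-cert.sh: they apply the page's rules (the 90-day expiration alert, the 365-40000 day CA validity range, and the supported RSA/EC key sizes) to certificate details assumed to come from `openssl x509 -noout -subject -enddate`; the two certificate outputs and the fixed clock are constructed sample values.

```python
# Added example (not Teradata's code): expiry and policy checks a QueryGrid
# operator can run before and after rotate-cert.sh. Certificate details are
# assumed to come from `openssl x509 -noout -subject -enddate -in <cert.pem>`;
# the two outputs below are constructed sample text, not real certificates.
from datetime import datetime, timezone

ALERT_WINDOW_DAYS = 90                 # QueryGrid alerts within 90 days of expiry
CA_VALIDITY_DAYS = (365, 40000)        # range rotate-cert.sh prompts for
SUPPORTED_KEYS = {"RSA": lambda bits: bits >= 2048,
                  "EC": lambda bits: bits in (256, 384, 521)}

CA_INFO = ("subject=CN=QueryGrid Manager CA (constructed)\n"
           "notAfter=Dec 17 10:00:00 2034 GMT\n")
SERVER_INFO = ("subject=CN=qgm1 (constructed)\n"
               "notAfter=Feb 10 10:00:00 2025 GMT\n")
NOW = datetime(2024, 12, 7, tzinfo=timezone.utc)   # fixed clock for the demo


def parse_not_after(openssl_text: str) -> datetime:
    """Return the notAfter timestamp from openssl -enddate output (UTC)."""
    for line in openssl_text.splitlines():
        if line.startswith("notAfter="):
            stamp = line.split("=", 1)[1].strip()
            return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(
                tzinfo=timezone.utc)
    raise ValueError("openssl output has no notAfter line")


def days_remaining(openssl_text: str, now: datetime = NOW) -> int:
    """Whole days until the certificate's notAfter; negative once expired."""
    return (parse_not_after(openssl_text) - now).days


def expiry_status(openssl_text: str, now: datetime = NOW) -> str:
    """'expired' blocks Manager communication; 'alert' mirrors the Issues view."""
    left = days_remaining(openssl_text, now)
    if left < 0:
        return "expired"
    return "alert" if left <= ALERT_WINDOW_DAYS else "ok"


def valid_ca_validity(days: int) -> bool:
    """Reject values rotate-cert.sh would not accept at its validity prompt."""
    return CA_VALIDITY_DAYS[0] <= days <= CA_VALIDITY_DAYS[1]


def supported_key(algorithm: str, bits: int) -> bool:
    """True only for the key generation algorithms and sizes QueryGrid supports."""
    check = SUPPORTED_KEYS.get(algorithm.upper())
    return bool(check and check(bits))
```

With the constructed inputs the server certificate reports 65 days left and status "alert", while the CA reports 3662 days and "ok"; feed real openssl output and the current time to use it on a live cluster.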

Rotate Certificate Authority Keys

Running the rotate-cert command requires multiple restarts of QueryGrid Manager and can take an average of 5 minutes per QueryGrid Manager instance in the cluster. The following is an example of a successful rotate-cert command:

[tdqgm@qgm1 ~]# /opt/teradata/tdqgm/bin/rotate-cert.sh
Starting rotate-cert command, just a moment...
Checking Manager, Nodes, and Fabric versions for compatibility
Generating new Certificate Authority certificate
Enter validity period in days for Certificate Authority [365-40000]: 3650
Adding new Certificate Authority to Managers trust store (requires Manager restart)
Restarting Manager on qgm1...
Manager on qgm1 restarted successfully
Restarting Manager on qgm2...
Manager on qgm2 restarted successfully
Verifying Managers trust new Certificate Authority
Verifying Nodes trust new Certificate Authority
Activating new Certificate Authority (requires Manager restart)
Restarting Manager on qgm1...
Manager on qgm1 restarted successfully
Restarting Manager on qgm2...
Manager on qgm2 restarted successfully
Removing previous Certificate Authority (requires Manager restart)
Restarting Manager on qgm1...
Manager on qgm1 restarted successfully
Restarting Manager on qgm2...
Manager on qgm2 restarted successfully
Verifying previous Certificate Authority is removed

rotate-cert command successful.

=== Additional Information ===
- If not using a custom certificate for port 9443 then add the new CA public certificate to Viewpoint to enable the QueryGrid portlet to continue to work.
- If using Automatic Deployment of QueryGrid on scalable clusters, tdqg-node.json will need to be regenerated so it contains the new certificate.
- If operating Teradata SQLE in AWS, a new NFR image will need to be generated so it has the updated certificate.
Additional tasks may be necessary after rotation based on certain criteria:
  • If not using a custom certificate for port 9443, add the new certificate authority public certificate to Viewpoint to enable the QueryGrid portlet to continue working.
  • If using Automatic Deployment of QueryGrid on scalable clusters, regenerate tdqg-node.json to add the new certificate.
  • If operating Vantage Analytics Database in AWS or Google Cloud, generate a new NFR image to update the certificate.

Change Server Certificate Expiration

Default server certificates generate automatically on startup from the QueryGrid Manager cluster-wide certificate authority. The default expiration of a server certificate is 2 years. When QueryGrid detects a server certificate is within 90 days of expiration, an alert is generated and displays in the Viewpoint QueryGrid portlet Issues view. After a server certificate expires, communication with the QueryGrid Manager instance is no longer allowed. Restarting QueryGrid Manager generates a new certificate.

The following command changes the expiration date of the server certificate:

/opt/teradata/tdqgm/bin/rotate-cert.sh -s <days>

This command only changes the server certificate for the local QueryGrid Manager and restarts the QueryGrid Manager to take effect. Any custom server certificates that have been installed for access over port 9443 are not affected by this command.

Change Root Certificate Authority Certificate Expiration

The default root Certificate Authority (CA) expires in 100 years. Your security policy may require a root CA that expires in a shorter amount of time.

The following command changes the expiration date of the root CA:

/opt/teradata/tdqgm/bin/rotate-cert.sh -c <days 365-40000>

This command changes the expiration date of the root CA for all QueryGrid Managers in the cluster. It also restarts every QueryGrid Manager in the cluster. The cluster must remain operational during the process so that high availability is preserved.