Configure CLI to Reference Key Ring and Use TLS|CLIv2| Teradata Vantage - Configure CLI to Reference Key Ring and Use TLS - Call-Level Interface Version 2

Teradata® Call-Level Interface Version 2 Reference for Workstation-Attached Systems - 20.00

Deployment
VantageCloud
VantageCore
Edition
Enterprise
IntelliFlex
Lake
VMware
Product
Call-Level Interface Version 2
Release Number
20.00
Published
January 2024
Language
English (United States)
Last Update
2024-05-14
dita:mapPath
bmn1691484839905.ditamap
dita:ditavalPath
obe1474387269547.ditaval
dita:id
fvz1470444150352
Product Category
Teradata Tools and Utilities

The mainframe Teradata client needs to know which certificate store to find related certificates when performing a TLS connection. This can be specified in environment variables coded within the job or by leveraging the clispb.dat file. Further information on this can be found in the Teradata® Tools and Utilities Workstation-Attached Call-Level Interface Version 2 (CLIv2) Messages, (B035-1096).

With respect to the SYSSSL_KEYRING_FILE parameter, the following examples illustrate leveraging different client certificate stores:

SAF Key Ring

  • For a self-signed certificate added to SITE
    • SYSSSL_KEYRING_FILE=*SITE*/*
  • For a signed certificate with certificate authority chain added to CERTAUTH
    • SYSSSL_KEYRING_FILE=*AUTH*/*
  • For certificate(s) added to a user’s KEY ring (substitute accordingly)
    • SYSSSL_KEYRING_FILE=<keyring_user>/<keyring_name>

Key database file (substitute accordingly)

  • SYSSSL_KEYRING_FILE=<path-to-key-database-file>

PKCS#11 token (substitute accordingly)

  • SYSSSL_KEYRING_FILE=*TOKEN*/<tokenname>

For example, the customer have a signed certificate and want clients to always connect via TLS. They would edit this file:

  • /usr/lpp/teradata/client/20.00/etc/clispb.dat

Adding these two lines:

SYSSSL_KEYRING_FILE=*AUTH*/* 
SSLMODE=require