The mainframe Teradata client needs to know which certificate store holds the certificates to use when establishing a TLS connection. The store can be specified in environment variables coded within the job or in the clispb.dat file. Further information can be found in Teradata® Tools and Utilities Workstation-Attached Call-Level Interface Version 2 (CLIv2) Messages (B035-1096).
With respect to the SYSSSL_KEYRING_FILE parameter, the following examples illustrate leveraging different client certificate stores:
SAF Key Ring
- For a self-signed certificate added to SITE
  - SYSSSL_KEYRING_FILE=*SITE*/*
- For a signed certificate with certificate authority chain added to CERTAUTH
  - SYSSSL_KEYRING_FILE=*AUTH*/*
- For certificate(s) added to a user’s key ring (substitute accordingly)
  - SYSSSL_KEYRING_FILE=<keyring_user>/<keyring_name>

Key database file (substitute accordingly)
- SYSSSL_KEYRING_FILE=<path-to-key-database-file>

PKCS#11 token (substitute accordingly)
- SYSSSL_KEYRING_FILE=*TOKEN*/<tokenname>
For example, suppose a customer has a signed certificate and wants clients to always connect via TLS. They would edit this file:
- /usr/lpp/teradata/client/20.00/etc/clispb.dat
Adding these two lines:
SYSSSL_KEYRING_FILE=*AUTH*/*
SSLMODE=require
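
The settings above can be checked before a job depends on them. The following is an added example, not Teradata code: it classifies a SYSSSL_KEYRING_FILE value into the store types listed on this page and reports when SSLMODE=require is missing. It assumes one KEY=VALUE setting per line, and it separates a user key ring from a key database file by a leading "/", which is a heuristic.

```python
import re

def classify_keyring(value):
    """Map a SYSSSL_KEYRING_FILE value to the store type it selects."""
    if value == "*SITE*/*":
        return "SAF key ring (SITE)"
    if value == "*AUTH*/*":
        return "SAF key ring (CERTAUTH)"
    if value.startswith("*TOKEN*/") and len(value) > len("*TOKEN*/"):
        return "PKCS#11 token"
    if value.startswith("/"):
        return "key database file"       # heuristic: absolute path
    if re.fullmatch(r"[^/*\s]+/[^/*\s]+", value):
        return "SAF key ring (user)"     # <keyring_user>/<keyring_name>
    return "unrecognized"

def parse_settings(text):
    """Assumption: one KEY=VALUE setting per line; other lines are ignored."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            settings[key.strip().upper()] = value.strip()
    return settings

def audit(text):
    """Return (store_type, findings) for clispb.dat-style text."""
    s = parse_settings(text)
    findings = []
    ring = s.get("SYSSSL_KEYRING_FILE")
    store = classify_keyring(ring) if ring else None
    if store is None:
        findings.append("SYSSSL_KEYRING_FILE is not set")
    elif store == "unrecognized":
        findings.append(f"SYSSSL_KEYRING_FILE not in a listed form: {ring!r}")
    mode = s.get("SSLMODE")
    if mode is None:
        findings.append("SSLMODE is not set in this file")
    elif mode.lower() != "require":  # assumption: value is case-insensitive
        findings.append(f"SSLMODE={mode} differs from 'require'")
    return store, findings

# Constructed sample input matching the two lines shown on this page.
SAMPLE = "SYSSSL_KEYRING_FILE=*AUTH*/*\nSSLMODE=require\n"

if __name__ == "__main__":
    print(audit(SAMPLE))
```

If both settings are pasted onto a single line, the audit reports the key ring value as unrecognized and SSLMODE as unset, which is the mistake to catch before clients silently connect without the intended policy.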