About Supporting TLS 1.2 with Analytics Database | Teradata Data Mover

Teradata® Data Mover User Guide - 20.01

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, Lake, VMware
Product: Teradata Data Mover
Release Number: 20.01
Published: November 2023
Language: English (United States)
Last Update: 2023-12-05
Product Category: Analytical Ecosystem

Data Mover supports TLS 1.2 to encrypt communication between itself and Analytics Database. The following utilities support TLS 1.2.

| Utility | Behavior |
|---------|----------|
| TPTAPI | Data movement between TPTAPI (running on Data Mover servers) and the source/target SQL Engine is encrypted. |
| JDBC | All communication and data movement between JDBC (running on Data Mover servers) and the source/target SQL Engine is encrypted. This includes calling DBC views, creating or dropping tables on the target, copying statistics, and others. |

To enable TLS 1.2 on the Data Mover server, two properties, tpt.connection and jdbc.connection, are available at the daemon level (as daemon configuration parameters). Users can specify extra parameters in these properties; the parameters are passed to TPTAPI and JDBC, which establish the TLS connection to Analytics Database. Data Mover passes the parameters to the respective utilities exactly as specified in the configuration. It does not check, parse, or modify the user input, so a mistyped parameter name or separator is not caught by Data Mover.

Parameters are separated with a semicolon (;) in tpt.connection, and with a comma (,) in jdbc.connection.

Parameters used to enable TLS 1.2 include sslmode, tdmstport, tdmstlsport, sslca, sslcapath, and sslprotocol. Refer to the TPTAPI and JDBC documentation for the exact parameters to configure.

In the daemon configuration, for tpt.connection and jdbc.connection, Data Mover allows the user to specify a system-specific value and a 'default' value for all systems. The system-specific value takes precedence over the default value. For example:
<property>
    <key>tpt.connection</key>
    <value>sslmode=allow;</value>
    <value system="systemA">sslmode=required; tdmstport=1025; tdmsttlsport=443; sslcapath=/etc/ssl/mycerts</value>
</property>
Here, sslmode=required and the three other parameters are used for the TPTAPI connection when systemA is a source or target, and sslmode=allow is used for all other systems.
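
The following pre-deployment check is an added example, not part of Teradata's documentation or tooling. Because Data Mover passes these values through unchecked, it resolves the value that applies to a given system (system-specific over default), splits it with that property's separator, and reports malformed entries and sslmode values that do not force TLS. The <config> wrapper element, the sample values, and the rule that only sslmode values beginning with "require" or "verify" force TLS are assumptions; confirm the accepted values in the TPTAPI and JDBC documentation.

```python
import xml.etree.ElementTree as ET

SEP = {"tpt.connection": ";", "jdbc.connection": ","}  # separators stated on the page
STRICT_PREFIXES = ("require", "verify")  # assumed policy: only these count as forcing TLS

# Constructed sample; the <config> wrapper element is hypothetical.
SAMPLE = """<config>
  <property>
    <key>tpt.connection</key>
    <value>sslmode=allow;</value>
    <value system="systemA">sslmode=required; tdmstport=1025; sslcapath=/etc/ssl/mycerts</value>
  </property>
  <property>
    <key>jdbc.connection</key>
    <value>sslmode=required;sslcapath=/etc/ssl/mycerts</value>
  </property>
</config>"""

def effective_value(prop, system):
    """System-specific <value> wins; otherwise the default <value> applies."""
    default = None
    for v in prop.findall("value"):
        if v.get("system") == system:
            return (v.text or "").strip()
        if v.get("system") is None:
            default = (v.text or "").strip()
    return default

def lint(xml_text, system):
    """Return findings for the settings that would apply to one system."""
    findings = []
    for prop in ET.fromstring(xml_text).iter("property"):
        key = prop.findtext("key", "").strip()
        if key not in SEP:
            continue
        value = effective_value(prop, system) or ""  # no value: nothing forces TLS
        params = {}
        for item in filter(None, (p.strip() for p in value.split(SEP[key]))):
            name, eq, val = item.partition("=")
            if not eq or "=" in val:  # typical when the other property's separator is used
                findings.append(f"{key}: malformed entry {item!r}")
                continue
            params[name.strip().lower()] = val.strip().lower()
        mode = params.get("sslmode")
        if mode is None or not mode.startswith(STRICT_PREFIXES):
            findings.append(f"{key}: sslmode={mode} does not force TLS for {system}")
    return findings
```

In the constructed sample, systemA passes for tpt.connection, every other system inherits sslmode=allow, and the jdbc.connection value is flagged because it uses the semicolon that belongs to tpt.connection.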

Users can specify both properties through the command line (datamovelist/save_configuration) as well as through the REST API.

Support for DSA with TLS 1.2 encryption of user data is now available. Refer to the Teradata® Data Mover Installation, Configuration, and Upgrade Guide for Customers, B035-4102, for more information about how to configure the encryption of all user data from source to target. This configuration applies to all DM or DSA jobs that are executed.