JWT Manual Key Rotation | Analytics Database (SQL Engine) | Teradata Vantage - Configuration of Static JSON Web Key - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Last edited: 2024-04-05

To manually configure keys:

  1. Make a backup copy of /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml and save it according to your site standard backup procedures.
  2. Edit TdgssUserConfigFile.xml, uncomment the IdentityProvider element, and edit it so it is similar to the following, using your site information:
    <Mechanism Name="JWT">
        <MechanismProperties
            MechanismEnabled="yes"
            DefaultMechanism="no"
            JWTDecryptionKeyFile=""
            JWTVerificationKeyFile=""
            JWTSkewTime="300"
            JWTKeyDirectory="/opt/teradata/tdat/tdgss/site/JWTKeyDir"
            .../>
        <IdentityProvider
            Id="Keycloak2"
            Url="https://Customer_IdP_URL"
            Type="keycloak"
        />
    </Mechanism>
  3. Use the getjwk tool to add the JWK file to the directory specified in JWTKeyDirectory.

     getjwk gets the JWK file from the identity provider and saves it in the specified directory. For example, run:

     /opt/teradata/tdgss/bin/getjwk -d /opt/teradata/tdat/tdgss/site/JWTKeyDir -i Keycloak2 -u http://sdw01827.labs.teradata.com:8080/auth/realms/TGTE

     getjwk options are as follows:

     Option               Description
     -h or --help         Help information for the command.
     -d or --dir          [Required] Absolute path of the directory in which to store the JWK file. The path must match the JWTKeyDirectory value in the configuration file.
     -i or --idp-id       Id of the Identity Provider, as configured in the IdentityProvider section.
     -u or --idp-url      IdentityProvider URL used for service discovery.
     -m or --max-timeout  Maximum time in seconds that the operation is allowed to take. Default value is 900.
     -v or --verbose      Displays detailed output.

     Note: The CA certificates path is fetched from the location specified in the JWTClientTlsCACertDir property. If JWTClientTlsCACertDir is not defined, the default location /etc/ssl/certs is used.

     Result: After a successful run, there are two files in the directory specified in the -d option.

  4. Verify the configuration is correct:
    1. Run tdgsstestcfg to verify the new configuration is correct. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Test the configuration with the tdgssauth tool:
      tdgssauth -m JWT -a token=JWT_from_IdP

      Where JWT_from_IdP is a JWT issued by the IdP you configured in TdgssUserConfigFile.xml.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  5. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig
  6. If run_tdgssconfig indicates that a TPA reset is required, run tpareset to activate the changes to the TDGSS configuration:
    tpareset -f "use updated TDGSSCONFIG GDO"
  7. Remove the old key from the directory.
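The numbered steps above add the new JWK alongside the old one, activate the configuration, and only then remove the old key. The following Python example, added here and not part of the Teradata page or of TDGSS itself, shows in plain code why that order matters: a verifier that selects the key by the token's kid header accepts tokens signed under either key while both are in the key set, rejects tokens whose kid it no longer has, and tolerates clock differences up to a skew window like JWTSkewTime. It uses symmetric HS256 keys (JWK kty "oct") so it runs offline with the standard library; the kid values, secrets and timestamps are constructed, and a real IdP such as Keycloak publishes asymmetric public keys instead.

```python
import base64
import hashlib
import hmac
import json

# Mirrors the JWTSkewTime="300" setting in the TdgssUserConfigFile.xml fragment above.
SKEW_SECONDS = 300


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_key(kid: str, secret: bytes) -> dict:
    """Build a symmetric ("oct") JWK. Assumption: HS256 keys so the example runs offline;
    a real IdP such as Keycloak publishes asymmetric public keys (RSA/EC) instead."""
    return {"kty": "oct", "alg": "HS256", "kid": kid, "k": b64url_encode(secret)}


def sign_hs256(claims: dict, kid: str, jwks: dict) -> str:
    """Issue a token the way the (constructed) IdP would, naming the signing key in the kid header."""
    key = next(k for k in jwks["keys"] if k["kid"] == kid)
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    mac = hmac.new(b64url_decode(key["k"]), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)


def verify(token: str, jwks: dict, now: int, skew: int = SKEW_SECONDS) -> dict:
    """Verify a token against the key set on disk: pick the key by kid, check the
    signature, then check exp/nbf with the configured skew. Raises ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    # The accepted algorithm is the verifier's allow-list, never taken from the token alone.
    if header.get("alg") != "HS256":
        raise ValueError("unsupported alg")
    key = next(
        (k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "oct"),
        None,
    )
    if key is None:
        raise ValueError("unknown kid")
    expected = hmac.new(b64url_decode(key["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if "exp" in claims and now > claims["exp"] + skew:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"] - skew:
        raise ValueError("not yet valid")
    return claims


def rotation_scenario() -> dict:
    """Walk the three states of the manual rotation: only the old key on disk, old and new
    keys side by side (after getjwk, before step 7), and only the new key (after step 7)."""
    old = make_key("keycloak2-old", b"constructed-old-secret-0123456789abcdef")
    new = make_key("keycloak2-new", b"constructed-new-secret-fedcba9876543210")
    now = 1_700_000_000  # constructed "current time"
    states = {
        "before": {"keys": [old]},
        "during": {"keys": [old, new]},
        "after": {"keys": [new]},
    }
    claims = {"sub": "alice", "exp": now + 600}
    tokens = {
        "old_token": sign_hs256(claims, "keycloak2-old", states["before"]),
        "new_token": sign_hs256(claims, "keycloak2-new", states["during"]),
    }
    results = {}
    for state, jwks in states.items():
        for name, tok in tokens.items():
            try:
                verify(tok, jwks, now)
                results[(state, name)] = "ok"
            except ValueError as err:
                results[(state, name)] = str(err)
    return results


if __name__ == "__main__":
    for (state, name), outcome in rotation_scenario().items():
        print(f"{state:7} {name}: {outcome}")
```

The "during" state is the one the procedure is designed to reach before step 7: tokens under both kids verify, so sessions that still hold a token signed with the old key keep working while the IdP cuts over. Step 7 closes that window, after which old-key tokens fail with an unknown kid rather than being accepted; removing the old key before run_tdgssconfig and tpareset have activated the new one would instead break every client that has not yet been issued a token under the new kid.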