If the default QOP strength does not meet site needs, you can edit the DEFAULT QOP configuration for the LDAP, TD2, and JWT mechanisms so sessions that enable encryption default to a stronger algorithm.
- Uncomment the DEFAULT QOP in TdgssUserConfigFile.xml (if not done previously) and edit it by reordering the list to put the needed encryption strength at the top of the list or remove a value, for example:
<!-- To update security uncomment one or more QOPs and edit. --> <!-- DEFAULT QOP <MechQop Value="Default"> AES-K128_GCM_PKCS5Padding_SHA2_DH-K2048 AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048 AES-K192_GCM_PKCS5Padding_SHA2_DH-K2048 AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048 AES-K256_GCM_PKCS5Padding_SHA2_DH-K2048 AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048 </MechQop> -->If you remove AES-128 from the list and the Legacy QOP is still enabled, the run_tdgssconfig utility in the following step exits with an error. - After editing, use the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
/opt/teradata/tdgss/bin/run_tdgssconfig
- Run tpareset to activate the changes to the TDGSS configuration.
tpareset -f “use updated TDGSSCONFIG GDO”
For more information, see Global QOPs.