Changing the Default QOP Strength - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

If the default QOP strength does not meet site needs, you can edit the DEFAULT QOP configuration for the LDAP, TD2, and JWT mechanisms so sessions that enable encryption default to a stronger algorithm.

  1. Uncomment the DEFAULT QOP in TdgssUserConfigFile.xml (if not done previously), then edit it by reordering the list so the needed encryption strength is at the top, or by removing a value, for example:
    <!-- To update security uncomment one or more QOPs and edit. -->
    <!-- DEFAULT QOP
     <MechQop Value="Default">
           AES-K128_GCM_PKCS5Padding_SHA2_DH-K2048
           AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
           AES-K192_GCM_PKCS5Padding_SHA2_DH-K2048
           AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
           AES-K256_GCM_PKCS5Padding_SHA2_DH-K2048
           AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
     </MechQop>
      -->
    If you remove AES-128 from the list and the Legacy QOP is still enabled, the run_tdgssconfig utility in the following step exits with an error.
  2. After editing, use the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  3. Run tpareset to activate the changes to the TDGSS configuration.
    tpareset -f "use updated TDGSSCONFIG GDO"

For more information, see Global QOPs.
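
A pre-flight check for step 1, run on the edited file before run_tdgssconfig. This is an added example, not Teradata code: the function names, the embedded sample block, and the AES-256 minimum are assumptions, and it reads only the DEFAULT QOP block shown on this page.

```python
import re

# Constructed sample: the DEFAULT QOP block from this page, uncommented and
# reordered so an AES-256 GCM entry is first. The rest of the file is omitted.
SAMPLE = """
<!-- To update security uncomment one or more QOPs and edit. -->
<MechQop Value="Default">
       AES-K256_GCM_PKCS5Padding_SHA2_DH-K2048
       AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
       AES-K192_GCM_PKCS5Padding_SHA2_DH-K2048
       AES-K128_GCM_PKCS5Padding_SHA2_DH-K2048
</MechQop>
"""

ENTRY = re.compile(r"^AES-K(\d+)_([A-Z]+)_(\w+?)_(SHA\d+)_DH-K(\d+)$")

def parse_default_qop(xml_text):
    """Return the active Default QOP entries in order, or None if commented out."""
    active = re.sub(r"<!--.*?-->", "", xml_text, flags=re.S)  # drop XML comments
    m = re.search(r'<MechQop\s+Value="Default"\s*>(.*?)</MechQop>', active, flags=re.S)
    if m is None:
        return None
    entries = []
    for token in m.group(1).split():
        f = ENTRY.match(token)
        if f is None:
            raise ValueError(f"unrecognized QOP entry: {token}")
        entries.append({"name": token, "aes_bits": int(f.group(1)), "mode": f.group(2),
                        "hash": f.group(4), "dh_bits": int(f.group(5))})
    return entries

def review(xml_text, min_aes_bits=256):
    """List findings on the Default QOP order; min_aes_bits is an assumed site policy."""
    entries = parse_default_qop(xml_text)
    if entries is None:
        return ["DEFAULT QOP is still commented out or absent"]
    if not entries:
        return ["DEFAULT QOP list is empty"]
    findings = []
    top = entries[0]
    if top["aes_bits"] < min_aes_bits:
        findings.append(f"top entry {top['name']} is below AES-{min_aes_bits}")
    if not any(e["aes_bits"] == 128 for e in entries):
        findings.append("no AES-128 entry: run_tdgssconfig errors if the Legacy QOP is enabled")
    return findings

if __name__ == "__main__":
    for line in review(SAMPLE) or ["no findings"]:
        print(line)
```
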