[Optional] Checking Nodes for Existing Kerberos Keys - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-11-02
Product Category: Teradata Vantage™

Any Kerberos keys that already exist on a node could be overwritten (destroyed) when you install new keys. When you are replacing existing keys, overwriting is normal. However, if you want to retain the existing keys and add to them, you must use the key merge procedure, which avoids overwriting.

You can use the pcl command to find and display any Kerberos keys that already exist on database nodes to help determine if you should use the merge procedure when installing new keys:

pcl -s klist -ke [keytab_file_name]

This example output, for the keytab file in the standard location, shows a two-node system. The pre-existing keys are the entries listed under the KVNO Principal heading for each node:

l3592:/ > pcl -s klist -ke /etc/teradata.keytab
All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
------------------------------------------------------------------

If no keys are present, the output appears without the key entries:

l3592:/ > pcl -s klist -ke /etc/teradata.keytab
All 2 node(s) have connected
<--------------------- node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
<--------------------- node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
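
On systems with many nodes, reading the output above by eye is error-prone. The following script is an added example, not Teradata code: it summarizes the pcl output per node and reports whether any node already holds keys. The function names (keytab_summary, keytab_decision, sample_output) are hypothetical, the sample input is constructed, and the parsing assumes the output layout shown on this page.

```sh
#!/bin/sh
# Added example (not Teradata code): summarize `pcl -s klist -ke` output.

# Reads pcl output on stdin; prints "<node> <key_count> <kvno:principal,...>"
# per node ("-" when the node has no keys). Layout assumed from this page.
keytab_summary() {
  awk '
    function emit() {
      if (node != "") printf "%s %d %s\n", node, count, (count ? keys : "-")
    }
    # Node banner: <------  node_name  ------>
    $1 ~ /^<-+$/ && $3 ~ /^-+>$/ {
      emit(); node = $2; count = 0; keys = ""; sep = ""; next
    }
    # Key entry: KVNO, principal@REALM, (encryption type)
    node != "" && $1 ~ /^[0-9]+$/ && $2 ~ /@/ {
      keys = keys sep $1 ":" $2
      sep = ","; count++
    }
    END { emit() }
  '
}

# Prints MERGE if any node already holds keys, otherwise INSTALL.
keytab_decision() {
  keytab_summary |
    awk '$2 > 0 { found = 1 } END { print (found ? "MERGE" : "INSTALL") }'
}

# Constructed sample: node 2 holds two keys, node 1 holds none.
sample_output() {
  cat <<'EOF'
All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
EOF
}

sample_output | keytab_summary
sample_output | keytab_decision
```

On a live system, pipe the real command into the function instead of the sample, for example pcl -s klist -ke /etc/teradata.keytab | keytab_decision. A MERGE result means at least one node has keys that a plain install would overwrite.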