Analytics Database (SQL Engine) 17.20 | Security | Changes & Additions - Changes and Additions - Analytics Database

Analytics Database (SQL Engine) 17.20 | Security | Changes & Additions - Changes and Additions - Analytics Database - Teradata Vantage

Security Administration

Deployment

VantageCloud

VantageCore

Edition

Enterprise

IntelliFlex

VMware

Product

Analytics Database

Teradata Vantage

Release Number

17.20

Published

June 2022

ft:locale

en-US

ft:lastEdition

2024-04-05

dita:mapPath

hjo1628096075471.ditamap

dita:ditavalPath

qkf1628213546010.ditaval

dita:id

zuy1472246340572

lifecycle

latest

Product Category

Teradata Vantage™

Date	Description
October 2023	Utility added to convert non-FIPS-compliant LDAP service passwords to FIPS-compliant encrypted password. See Converting an Existing Non-FIPS-compliant Password.
March 2023	When TLS is on for a CLI-based connection, the default TD2 mechanism automatically bypasses the cryptographic services provided by TLS on systems that have installed the enhancement-supported versions of TDGSS, Gateway and CLI/TeraGSS. This improves connection times. If these conditions are not met, then valid logons succeed as usual.
February 2023	Scope parameter added to the IdPConfig section of the TdgssUserConfigFile.xml file. The parameter lets the TTU drivers use the scope parameter with OAuth authorization to re-direct a user to the configured Identity Provider URL for authentication, and MFA/2FA if used. See Configuration for Browser Authentication.
September 2022	RACF (Resource Access Control Facility) authentication support for mainframes. This allows for JSON Web Token (JWT) validation PEM files and JSON Web Key (JWK) from an identity provider (IdP). JWT from mainframe or Vantage IdP can be authenticated in TDGSS at same time. This feature is enabled by the Teradata Vantage Services team.
June 2022	tdsbind was deprecated in release 17.10. Teradata recommends using the tdgssauth tool. Documentation for tdsbind is removed in release 17.20. The SASL/DIGEST-MD5 authentication protocol used by LDAP was deprecated in release 17.10 and must not be used. Use simple binding with TLS protection instead. Documentation for SASL/DIGEST-MD5 is removed in release 17.20. New -n option for tlsutil and nodenames. This option prevents DNS lookup of database names. It is intended for provisioning cloud-based databases. See tlsutil and nodenames Utility. Teradata Unity was discontinued as of version 17.05. Use Business Continuity Manager instead.
July 2021	TLSv1.2 is supported between clients and the database server. See Using TLS with Client to Database Connections. Single Sign-On and JWT: See the new information in Configuring Single Sign-On. JWT dynamically updates JSON Web Keys, if enabled. See Local Validation. JWT supports logons from third-party applications with a token from an external Identity Provider, see Validation by Token Exchanger. For new JWT mechanism properties, see JWT Support Properties. Previously, when the TDGSS configuration changed, a TPA reset was required for the new values in the TDGSSCONFIG GDO to take effect. Now, the following can be modified without a TPA reset: Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP MechanismEnabled property for KRB5, LDAP, JWT, and PROXY AuthorizationSupported property for KRB5 and LDAP LDAP Service ID and password with no impact to user LDAP logons The following properties in the PROXY mechanism: CertificateFile, PrivateKeyFile, PrivateKeyPassword, PrivateKeypasswordProtected, CACertFile, CACertDir, and SigningHashAlgorithm. Any JWT mechanism property whose name begins with "JWT" All canonicalizations including the lightweight authorization structures The following configuration changes still require a tpareset: Changes to any mechanism property not mentioned previous paragraphs require a tpareset QoP configuration Local or global policy configuration, including service name changes TDNEGO and SPNEGO See Modifying the User Configuration File. tdgsstestcfg is a new tool to test configuration changes before making them permanent with run_tdgssconfig, see Working with tdgsstestcfg. tdsbind is deprecated. Teradata recommends using the tdgssauth tool instead of tdsbind. tdgssauth can test more security mechanisms than tdsbind and it more accurately validates security mechanism configurations because it uses actual TDGSS services while performing the offline test of the new configuration. See Working with tdgssauth. tdgssgetinfo is a new diagnostic tool that collects and displays information used to determine the health of the TDGSS or TeraGSS installed on the system. See tdgssgetinfo. See X.509 Certificates Ownership and Permissions for the recommended ownership and permissions for X.509 certificates and private key files.
June 2020	The SASL/DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you stop using SASL/DIGEST-MD5, and instead use simple binding with TLS protection. TDNEGO now supports JWT (JSON web token) authentication. New LDAP Mechanism property: LdapServicePasswordFile. Allows you to provide an encrypted list of passwords in an editable file, which enables switching LDAP passwords without requiring a database restart.