Analytics Database (SQL Engine) 17.20 | Security | Changes & Additions - Changes and Additions - Analytics Database - Teradata Vantage

Security Administration

Analytics Database
Teradata Vantage
Release Number
June 2022
English (United States)
Last Update
Product Category
Teradata Vantage™
Date Description
October 2023 Utility added to convert non-FIPS-compliant LDAP service passwords to FIPS-compliant encrypted password. See Converting an Existing Non-FIPS-compliant Password.
March 2023 When TLS is on for a CLI-based connection, the default TD2 mechanism automatically bypasses the cryptographic services provided by TLS on systems that have installed the enhancement-supported versions of TDGSS, Gateway and CLI/TeraGSS. This improves connection times. If these conditions are not met, then valid logons succeed as usual.
February 2023 Scope parameter added to the IdPConfig section of the TdgssUserConfigFile.xml file. The parameter lets the TTU drivers use the scope parameter with OAuth authorization to re-direct a user to the configured Identity Provider URL for authentication, and MFA/2FA if used. See Configuration for Browser Authentication.
September 2022 RACF (Resource Access Control Facility) authentication support for mainframes. This allows for JSON Web Token (JWT) validation PEM files and JSON Web Key (JWK) from an identity provider (IdP). JWT from mainframe or Vantage IdP can be authenticated in TDGSS at same time. This feature is enabled by the Teradata Vantage Services team.
June 2022
  • tdsbind was deprecated in release 17.10. Teradata recommends using the tdgssauth tool. Documentation for tdsbind is removed in release 17.20.
  • The SASL/DIGEST-MD5 authentication protocol used by LDAP was deprecated in release 17.10 and must not be used. Use simple binding with TLS protection instead. Documentation for SASL/DIGEST-MD5 is removed in release 17.20.
  • New -n option for tlsutil and nodenames. This option prevents DNS lookup of database names. It is intended for provisioning cloud-based databases. See tlsutil and nodenames Utility.
  • Teradata Unity was discontinued as of version 17.05. Use Business Continuity Manager instead.
July 2021
  • TLSv1.2 is supported between clients and the database server. See Using TLS with Client to Database Connections.
  • Single Sign-On and JWT:
  • Previously, when the TDGSS configuration changed, a TPA reset was required for the new values in the TDGSSCONFIG GDO to take effect. Now, the following can be modified without a TPA reset:
    • Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP
    • MechanismEnabled property for KRB5, LDAP, JWT, and PROXY
    • AuthorizationSupported property for KRB5 and LDAP
    • LDAP Service ID and password with no impact to user LDAP logons
    • The following properties in the PROXY mechanism: CertificateFile, PrivateKeyFile, PrivateKeyPassword, PrivateKeypasswordProtected, CACertFile, CACertDir, and SigningHashAlgorithm.
    • Any JWT mechanism property whose name begins with "JWT"
    • All canonicalizations including the lightweight authorization structures

    The following configuration changes still require a tpareset:

    • Changes to any mechanism property not mentioned previous paragraphs require a tpareset
    • QoP configuration
    • Local or global policy configuration, including service name changes

      See Modifying the User Configuration File.

  • tdgsstestcfg is a new tool to test configuration changes before making them permanent with run_tdgssconfig, see Working with tdgsstestcfg.
  • tdsbind is deprecated. Teradata recommends using the tdgssauth tool instead of tdsbind. tdgssauth can test more security mechanisms than tdsbind and it more accurately validates security mechanism configurations because it uses actual TDGSS services while performing the offline test of the new configuration. See Working with tdgssauth.
  • tdgssgetinfo is a new diagnostic tool that collects and displays information used to determine the health of the TDGSS or TeraGSS installed on the system. See tdgssgetinfo.
  • See X.509 Certificates Ownership and Permissions for the recommended ownership and permissions for X.509 certificates and private key files.
June 2020
  • The SASL/DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you stop using SASL/DIGEST-MD5, and instead use simple binding with TLS protection.
  • TDNEGO now supports JWT (JSON web token) authentication.
  • New LDAP Mechanism property: LdapServicePasswordFile. Allows you to provide an encrypted list of passwords in an editable file, which enables switching LDAP passwords without requiring a database restart.