Troubleshooting TLS - Analytics Database

Troubleshooting TLS - Analytics Database - Teradata Vantage

Security Administration

Deployment

VantageCloud

VantageCore

Edition

Enterprise

IntelliFlex

VMware

Product

Analytics Database

Teradata Vantage

Release Number

17.20

Published

June 2022

ft:locale

en-US

ft:lastEdition

2024-04-05

dita:mapPath

hjo1628096075471.ditamap

dita:ditavalPath

qkf1628213546010.ditaval

dita:id

zuy1472246340572

lifecycle

latest

Product Category

Teradata Vantage™

You use TLS logs, signed certificates reviews, and the data dictionary to troubleshoot TLS issues.

TLS Logging

Use the gtwcontrol trace option to turn on tracing for TLS:

gtwcontrol --TLS require,trace=all

The debug traces are logged to /var/opt/teradata/tdtemp/gtw/*.log .

TLS File and Directory Permissions

The TLS related files and directories must have correct the permissions because Analytics Database runs as the teradata user, which is a member of the tdtrusted group.

Use the following commands to display the permissions of the TLS files and directories /opt/teradata/tdat/tgtw/site:

ls -l /opt/teradata/tdat/tgtw
ls -lR /opt/teradata/tdat/tgtw/site

If the output shows that the directories and its files are only read and write by the user root and the group root, such as the following:

drwxr-x--- 3 root root 4096 Dec  9 15:22 site
drwxr-x--- 5 root root 4096 Feb 28 10:26 tls

Use the following commands to correct the permissions of TLS relegated files and directories:

chmod -R 775 /opt/teradata/tdat/tgtw/site
chown -R root:tdtrusted /opt/teradata/tdat/tgtw/site

Test the Signed Certificates and Private Keys on All Nodes

tlsutil –t

Test the Signed Certificates and Private Keys on All Nodes and Show Which Are Expiring within 30 Days

tlsutil -t -e 30

Check the Log File for Warnings about Expiring Certificates

Check /var/log/messages. For example, the following sample shows the TLS certificate is expiring in 11 days.

INFO: Teradata: 6210 #Event number 34-06210-00 (severity 0, category 10), occurred on Thu Nov  5 13:44:25 2020 at 00
way, version PDE:17.10c.00.28,TDBMS:17.10c.00.28,PDEGPL:17.10c.00.28,TGTW:17.10c.00.47cert,TDGSS:17.10c.00.28
gtwTLSContext.cpp @290 (83900744): Thu Nov  5 13:44:25 2020
        The TLS certificate will expire after 11 days.

Test the Signed Certificate and Private Key on a Single Database

tlsutil -t –l

Display Detailed Information to Help Diagnose Issues

tlsutil -c -v mydb.example.com

Use the Data Dictionary Views to Troubleshoot Issues

The data dictionary stores information about TLS connections.

For example: Query the client confidentiality type in DBC.SessionInfoV:

select clientconftype from dbc.sessioninfov;

The type is determined by the client and represents the connection between client and the gateway:

Type	SSLMODE	Gateway Require Confidentiality	Client Data Encryption	Description
E	DISABLE or ALLOW	ON (for Gateway Require Confidentiality) and/or ON (for Client Data Encryption)		TLS was not attempted because SSLMode was DISABLE or ALLOW. Connection was made to a legacy port. TDGSS used for encryption, and the application does not have the option to change this during the session.
U	DISABLE or ALLOW	OFF	OFF	TLS was not attempted. Unencrypted, and the application does not have the option to change this during the session.
O	DISABLE or ALLOW	OFF	ON or OFF	TLS was not attempted because SSLMode was DISABLE or ALLOW. May be encrypted using TDGSS or unencrypted, and the application has the option of changing this at any time. This situation primarily refers to BTEQ, which lets the user turn encryption on and off during the session. Other drivers don’t permit this.
F	ALLOW or PREFER	ON (for Gateway Require Confidentiality) and/or ON (for Client Data Encryption)		TLS was attempted, but the TLS failed, so this is a fallback to using TDGSS for encryption because ENCRYPTDATA is specified.
R	PREFER	ON (for Gateway Require Confidentiality) and/or ON (for Client Data Encryption)		TLS used for encryption. Server certificate was ignored; client did not validate the identity of the server.
H	Prefer	OFF for Gateway Require Confidentiality and/or Client Data Encryption		TLS was attempted, but the TLS failed, so this is a fallback to unencrypted because ENCRYPTDATA is not specified.
C	Verify-CA	ON or OFF for Gateway Require Confidentiality and/or Client Data Encryption		TLS used for encryption. Client validated the Certificate-Authority chain but ignored the Subject-Alternative-Name and the Common-Name.
V	Verify-Fully	ON or OFF for Gateway Require Confidentiality and/or Client Data Encryption		TLS used for encryption. Client validated the Certificate-Authority chain and the Subject-Alternative-Name or the Common-Name.

See LogOnOffV, QryLogClientAttrV, and SessionInfoV in Teradata Vantage™ - Data Dictionary, B035-1092.