Troubleshooting TLS - Analytics Database - Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

You use TLS logs, signed certificate reviews, and the data dictionary to troubleshoot TLS issues.

TLS Logging

Use the gtwcontrol trace option to turn on tracing for TLS:

gtwcontrol --TLS require,trace=all

The debug traces are logged to /var/opt/teradata/tdtemp/gtw/*.log .

TLS File and Directory Permissions

The TLS-related files and directories must have the correct permissions, because Analytics Database runs as the teradata user, which is a member of the tdtrusted group.

Use the following commands to display the permissions of the TLS files and directories under /opt/teradata/tdat/tgtw/site:

ls -l /opt/teradata/tdat/tgtw
ls -lR /opt/teradata/tdat/tgtw/site

If the output shows that the directories and their files are accessible only by the user root and the group root (so the tdtrusted group, and therefore the teradata user, cannot read them), as in the following:

drwxr-x--- 3 root root 4096 Dec  9 15:22 site
drwxr-x--- 5 root root 4096 Feb 28 10:26 tls

use the following commands to correct the permissions of the TLS-related files and directories:

chmod -R 775 /opt/teradata/tdat/tgtw/site
chown -R root:tdtrusted /opt/teradata/tdat/tgtw/site
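The following shell check is an added example and is not part of the Teradata documentation. It automates the inspection above: it walks the site directory and lists every entry that is not owned by root:tdtrusted, and every entry the group cannot read (directories also need the group execute bit so they can be traversed). The default path and the root:tdtrusted ownership are the values from this page; the function name and its optional arguments are assumptions so the check can be pointed at another path or owner.

```shell
# Added example (not Teradata's own tooling): verify that the TLS directory tree
# is owned by the expected user:group and is readable by that group.
# Usage: check_tls_perms [dir] [user] [group]
# Defaults follow the page: /opt/teradata/tdat/tgtw/site owned by root:tdtrusted.
# Exit status: 0 = all good, 1 = problems listed on stdout, 2 = directory missing.
check_tls_perms() {
  dir="${1:-/opt/teradata/tdat/tgtw/site}"
  user="${2:-root}"
  group="${3:-tdtrusted}"

  [ -d "$dir" ] || { echo "missing directory: $dir" >&2; return 2; }

  # Entries whose owner or group differ from the expected pair.
  bad_owner=$(find "$dir" \( ! -user "$user" -o ! -group "$group" \) -print 2>/dev/null)

  # Directories the group cannot enter or list (need r and x = 050),
  # and files the group cannot read (need r = 040).
  bad_mode=$(find "$dir" \( \( -type d ! -perm -050 \) -o \( -type f ! -perm -040 \) \) -print 2>/dev/null)

  status=0
  if [ -n "$bad_owner" ]; then
    printf 'Not owned by %s:%s (fix with chown -R %s:%s %s):\n%s\n' \
      "$user" "$group" "$user" "$group" "$dir" "$bad_owner"
    status=1
  fi
  if [ -n "$bad_mode" ]; then
    printf 'Not readable by the group (directories also need x):\n%s\n' "$bad_mode"
    status=1
  fi
  if [ "$status" -eq 0 ]; then
    echo "OK: $dir is owned by $user:$group and readable by the group"
  fi
  return "$status"
}

# When run as a script with arguments, check the given tree; otherwise only define the function.
if [ "$#" -gt 0 ]; then
  check_tls_perms "$@"
fi
```

Run it before and after the chmod/chown step; a non-zero exit with a listed path tells you exactly which file or directory the teradata user still cannot reach.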

Test the Signed Certificates and Private Keys on All Nodes

tlsutil -t

Test the Signed Certificates and Private Keys on All Nodes and Show Which Are Expiring within 30 Days

tlsutil -t -e 30

Check the Log File for Warnings about Expiring Certificates

Check /var/log/messages. For example, the following sample shows the TLS certificate is expiring in 11 days.

INFO: Teradata: 6210 #Event number 34-06210-00 (severity 0, category 10), occurred on Thu Nov  5 13:44:25 2020 at 00
way, version PDE:17.10c.00.28,TDBMS:17.10c.00.28,PDEGPL:17.10c.00.28,TGTW:17.10c.00.47cert,TDGSS:17.10c.00.28
gtwTLSContext.cpp @290 (83900744): Thu Nov  5 13:44:25 2020
        The TLS certificate will expire after 11 days.
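The following shell functions are an added example, not part of the Teradata documentation. They scan a messages-style log for the "will expire after N days" warning shown above, report the shortest remaining lifetime, and raise an alert when it is at or below a threshold. The warning text is the one from the sample log entry on this page; the function names, the threshold argument, and the sample log content (which is constructed, apart from the two lines copied from the page) are assumptions.

```shell
# Added example (not Teradata's own tooling): detect gateway TLS certificate
# expiry warnings in a log file such as /var/log/messages.

# Print the smallest remaining-days value found in LOGFILE ($1).
# Exit 1 when the file contains no expiry warning.
min_cert_days() {
  days=$(sed -n 's/.*The TLS certificate will expire after \([0-9][0-9]*\) days\..*/\1/p' "$1" \
         | sort -n | head -n 1)
  [ -n "$days" ] || return 1
  printf '%s\n' "$days"
}

# Usage: cert_expiry_alert [logfile] [threshold_days]
# Exit 0 (alert) when the nearest expiry is within the threshold, 1 otherwise.
cert_expiry_alert() {
  logfile="${1:-/var/log/messages}"
  threshold="${2:-30}"
  if ! days=$(min_cert_days "$logfile"); then
    echo "no TLS certificate expiry warnings in $logfile"
    return 1
  fi
  if [ "$days" -le "$threshold" ]; then
    echo "ALERT: a TLS certificate expires in $days days (threshold $threshold days); run 'tlsutil -t -e $threshold' to find it"
    return 0
  fi
  echo "OK: nearest TLS certificate expiry is $days days away"
  return 1
}

# Constructed sample in the format of the log entry above (not real log data):
# two warnings plus an unrelated line, so the smallest value (11) must win.
demo_cert_expiry() {
  tmp=$(mktemp)
  cat > "$tmp" <<'EOF'
gtwTLSContext.cpp @290 (83900744): Thu Nov  5 13:44:25 2020
        The TLS certificate will expire after 11 days.
Nov  5 13:50:01 node1 systemd[1]: unrelated message
        The TLS certificate will expire after 29 days.
EOF
  if cert_expiry_alert "$tmp" 30; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return "$rc"
}
```

Scheduling cert_expiry_alert from cron on each node gives an early warning that does not depend on someone reading /var/log/messages; the tlsutil -t -e command above then identifies the certificate that needs renewal.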

Test the Signed Certificate and Private Key on a Single Database

tlsutil -t -l

Display Detailed Information to Help Diagnose Issues

tlsutil -c -v mydb.example.com

Use the Data Dictionary Views to Troubleshoot Issues

The data dictionary stores information about TLS connections.

For example: Query the client confidentiality type in DBC.SessionInfoV:

select clientconftype from dbc.sessioninfov;

The type is determined by the client and describes the connection between the client and the gateway:

Type E
    SSLMODE: DISABLE or ALLOW
    Gateway Require Confidentiality / Client Data Encryption: ON and/or ON
    Description: TLS was not attempted because SSLMode was DISABLE or ALLOW. Connection was made to a legacy port. TDGSS used for encryption, and the application does not have the option to change this during the session.

Type U
    SSLMODE: DISABLE or ALLOW
    Gateway Require Confidentiality: OFF
    Client Data Encryption: OFF
    Description: TLS was not attempted. Unencrypted, and the application does not have the option to change this during the session.

Type O
    SSLMODE: DISABLE or ALLOW
    Gateway Require Confidentiality: OFF
    Client Data Encryption: ON or OFF
    Description: TLS was not attempted because SSLMode was DISABLE or ALLOW. May be encrypted using TDGSS or unencrypted, and the application has the option of changing this at any time. This situation primarily refers to BTEQ, which lets the user turn encryption on and off during the session. Other drivers don't permit this.

Type F
    SSLMODE: ALLOW or PREFER
    Gateway Require Confidentiality / Client Data Encryption: ON and/or ON
    Description: TLS was attempted, but the TLS failed, so this is a fallback to using TDGSS for encryption because ENCRYPTDATA is specified.

Type R
    SSLMODE: PREFER
    Gateway Require Confidentiality / Client Data Encryption: ON and/or ON
    Description: TLS used for encryption. Server certificate was ignored; client did not validate the identity of the server.

Type H
    SSLMODE: PREFER
    Gateway Require Confidentiality / Client Data Encryption: OFF (for Gateway Require Confidentiality and/or Client Data Encryption)
    Description: TLS was attempted, but the TLS failed, so this is a fallback to unencrypted because ENCRYPTDATA is not specified.

Type C
    SSLMODE: Verify-CA
    Gateway Require Confidentiality / Client Data Encryption: ON or OFF
    Description: TLS used for encryption. Client validated the Certificate-Authority chain but ignored the Subject-Alternative-Name and the Common-Name.

Type V
    SSLMODE: Verify-Fully
    Gateway Require Confidentiality / Client Data Encryption: ON or OFF
    Description: TLS used for encryption. Client validated the Certificate-Authority chain and the Subject-Alternative-Name or the Common-Name.

See LogOnOffV, QryLogClientAttrV, and SessionInfoV in Teradata Vantage™ - Data Dictionary, B035-1092.