Make the following changes to the TdgssUserConfigFile.xml file in the TDGSS site directory on database nodes.
See Changing the TDGSS Configuration.
- Add the LdapClientTlsCACertDir property, and specify the full path to the site/ssl/cacerts directory for the property value. This property points to the absolute path of the directory where the two PEM files and the two symlinks are located.If all the CA certs are contained in a single file, you can alternately use the LdapClientTlsCACert property to specify the file name.
- Add the LdapClientTlsReqCert property and set the property value to “demand”. This value causes Teradata Vantage to request the directory server for a certificate each time a directory user logs on to the database. If the directory does not provide a certificate, or it provides an invalid certificate, TDGSS terminates the connection.
For configuration information, see LDAP Protection Properties.
The following example shows an LDAP mechanism TdgssUserConfigFile.xml that includes configured certificate properties. This example also applies to KRB5 or SPNEGO if AuthorizationSupported is set to “yes”.
<Mechanism Name="ldap"> <MechanismProperties ... LdapServerName="ldap://someserver/" LdapClientUseTls="yes" LdapClientTlsCACertDir="/opt/teradata/tdat/tdgss/site/ssl/cacerts/" LdapClientTlsReqCert="demand" /> </Mechanism>
For configuration requirements when authentication is set for multiple directory services, see Creating the <LdapConfig> Section in the TdgssUserConfigFile.xml.