Guidelines for Configuring TeraGSS

Teradata Vantage™ - Analytics Database Security Administration - 17.20

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2023-03-07

The process for configuring TeraGSS and TDGSS is similar, so information about configuring TDGSS from other parts of this document can be used as a guide.

Ensure that the teragssAdmin package has been installed on the client machine. If it is not present, install it from the appropriate TTU package. This package is installed in the 16.10 TTU directory structure. The tools required to manage and debug a TeraGSS configuration are in the TTU bin directory. The supporting XML files and XSD schema are in the TTU etc directory.

If you already have a copy of the TdgssUserConfigFile.xml file in your TTU site directory, you may continue to use that file. Make sure that your TdgssUserConfigFile.xml does not contain any configurations for the removed mechanisms TD1, NTLM, NTLMC, and KRB5C. Also make sure that your TdgssUserConfigFile.xml does not contain any configurations for the server-side-only mechanisms PROXY and SPNEGO. The only configurations that should remain are configurations for the TD2, LDAP, KRB5, JWT, and TDNEGO mechanisms.

If you do not have a copy of the TdgssUserConfigFile.xml file in your TTU site directory, you can copy the one in the TTU etc directory to the site directory and make edits to the copy.

Once your edits are complete, run the run_tdgssconfig script found in the TTU bin directory. This script compiles the changes you made to the TdgssUserConfigFile.xml file into the tdgssconfig.bin file located in the TTU etc directory.

Configurable Items in TeraGSS

The following mechanism attributes and elements are configurable in TeraGSS, following the editing instructions found in other sections of this document:
  • DefaultMechanism – The preferred way to choose a default mechanism specific to each client machine is to configure it through TTU installation and configuration. We recommend that this attribute be set to no for all mechanisms in TeraGSS. See DefaultMechanism for editing guidelines.
  • DefaultNegotiatingMechanism – See DefaultNegotiatingMechanism for editing guidelines.
  • MechanismEnabled – See MechanismEnabled for editing guidelines.
  • <MechQop> – These elements may be adjusted and managed if the defaults are not sufficient. See QOP Configuration Options for more information.
  • MechanismRank – See MechanismRank for editing guidelines.
  • <NegotiatedMechanism> – See Configuring TDNEGO Properties for more information.
  • <RequiredLibraryPath> – One or more of these elements may be added to the KRB5 mechanism to specify the location of a libgssapi_krb5.so library when this library resides in a non-standard location. Alternatively, the TDGSS_KRB5_KRB5LIB environment variable may be set to the location of the library if you wish to avoid modifying the TeraGSS configuration. Absolute paths are required in both the <RequiredLibraryPath> element and the environment variable. See Reconfiguring TDGSS for a Non-Standard Installation of Kerberos for details.
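
A check that can be run on TdgssUserConfigFile.xml before run_tdgssconfig, covering the mechanism rules and the DefaultMechanism and <RequiredLibraryPath> guidance above. This is an added example, not Teradata code. The function names, the <Mechanism Name="..."> layout with properties as attributes on a child element, and the sample document are assumptions; adjust them to your file's actual schema.

```python
import posixpath
import xml.etree.ElementTree as ET

ALLOWED = {"TD2", "LDAP", "KRB5", "JWT", "TDNEGO"}  # may remain in the client file
REMOVED = {"TD1", "NTLM", "NTLMC", "KRB5C"}         # removed mechanisms
SERVER_ONLY = {"PROXY", "SPNEGO"}                   # server-side-only mechanisms

# Constructed sample; the element layout is an assumption, not Teradata's schema.
SAMPLE = """<Config>
  <Mechanism Name="TD2"><MechanismProperties DefaultMechanism="yes"/></Mechanism>
  <Mechanism Name="NTLM"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
  <Mechanism Name="SPNEGO"><MechanismProperties MechanismEnabled="yes"/></Mechanism>
  <Mechanism Name="KRB5">
    <MechanismProperties DefaultMechanism="no" MechanismEnabled="yes"/>
    <RequiredLibraryPath>lib/libgssapi_krb5.so</RequiredLibraryPath>
  </Mechanism>
</Config>"""

def local(tag):
    """Drop an XML namespace prefix such as '{ns}Mechanism'."""
    return tag.rsplit("}", 1)[-1]

def audit_teragss_config(xml_text):
    """Return (mechanism, finding) tuples for a TdgssUserConfigFile.xml document."""
    findings = []
    for mech in ET.fromstring(xml_text).iter():
        if local(mech.tag) != "Mechanism":
            continue
        name = mech.get("Name", "").upper()
        if name in REMOVED:
            findings.append((name, "removed mechanism is still configured"))
        elif name in SERVER_ONLY:
            findings.append((name, "server-side-only mechanism is configured"))
        elif name not in ALLOWED:
            findings.append((name, "mechanism is not in the client allowlist"))
        for el in mech.iter():  # the mechanism element and everything under it
            if el.get("DefaultMechanism", "no").lower() != "no":
                findings.append((name, "DefaultMechanism is not set to no"))
            if local(el.tag) == "RequiredLibraryPath":
                # Path taken from element text, else the first attribute (assumption).
                path = (el.text or "").strip() or next(iter(el.attrib.values()), "")
                if not posixpath.isabs(path):
                    findings.append((name, "RequiredLibraryPath is not absolute: " + path))
    return findings

if __name__ == "__main__":
    for mechanism, finding in audit_teragss_config(SAMPLE):
        print(f"{mechanism}: {finding}")
```

An empty result means the file contains only the client-side mechanisms listed above, with no default mechanism set and absolute library paths.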