You use TLS logs, signed certificate reviews, and the data dictionary to troubleshoot TLS issues.
Use the gtwcontrol trace option to turn on tracing for TLS:
gtwcontrol --TLS require,trace=all
The debug traces are logged to /var/opt/teradata/tdtemp/gtw/*.log .
TLS File and Directory Permissions
The TLS-related files and directories must have the correct permissions because Analytics Database runs as the teradata user, which is a member of the tdtrusted group.
ls -l /opt/teradata/tdat/tgtw
ls -lR /opt/teradata/tdat/tgtw/site
drwxr-x--- 3 root root 4096 Dec 9 15:22 site
drwxr-x--- 5 root root 4096 Feb 28 10:26 tls
In this output the directories are owned by root:root with mode 750, so the teradata user, which is not root, cannot read them. Use the following commands to correct the permissions of the TLS-related files and directories:
chmod -R 775 /opt/teradata/tdat/tgtw/site
chown -R root:tdtrusted /opt/teradata/tdat/tgtw/site
Test the Signed Certificates and Private Keys on All Nodes
Test the Signed Certificates and Private Keys on All Nodes and Show Which Are Expiring within 30 Days
tlsutil -t -e 30
Check the Log File for Warnings about Expiring Certificates
Check /var/log/messages. For example, the following sample shows a TLS certificate that expires in 11 days.
INFO: Teradata: 6210 #Event number 34-06210-00 (severity 0, category 10), occurred on Thu Nov 5 13:44:25 2020 at 00 way, version PDE:17.10c.00.28,TDBMS:17.10c.00.28,PDEGPL:17.10c.00.28,TGTW:17.10c.00.47cert,TDGSS:17.10c.00.28 gtwTLSContext.cpp @290 (83900744): Thu Nov 5 13:44:25 2020 The TLS certificate will expire after 11 days.
Test the Signed Certificate and Private Key on a Single Database
tlsutil -t -l
Display Detailed Information to Help Diagnose Issues
tlsutil -c -v mydb.example.com
Use the Data Dictionary Views to Troubleshoot Issues
The data dictionary stores information about TLS connections.
For example, query the client confidentiality type in DBC.SessionInfoV:
select clientconftype from dbc.sessioninfov;
The type is determined by the client and describes the connection between the client and the gateway:
|Type|SSLMODE|Gateway Require Confidentiality / Client Data Encryption|Description|
|---|---|---|---|
|E|DISABLE or ALLOW|ON for one or both|TLS was not attempted because SSLMODE was DISABLE or ALLOW. The connection was made to a legacy port. TDGSS is used for encryption, and the application cannot change this during the session.|
|U|DISABLE or ALLOW|OFF / OFF|TLS was not attempted. The connection is unencrypted, and the application cannot change this during the session.|
|O|DISABLE or ALLOW|OFF / ON or OFF|TLS was not attempted because SSLMODE was DISABLE or ALLOW. The connection may be encrypted using TDGSS or unencrypted, and the application can change this at any time. This situation primarily applies to BTEQ, which lets the user turn encryption on and off during the session; other drivers do not permit this.|
|F|ALLOW or PREFER|ON for one or both|TLS was attempted but failed, so the connection falls back to TDGSS encryption because ENCRYPTDATA is specified.|
|R|PREFER|ON for one or both|TLS is used for encryption. The server certificate was ignored; the client did not validate the identity of the server.|
|H|PREFER|OFF for one or both|TLS was attempted but failed, so the connection falls back to unencrypted because ENCRYPTDATA is not specified.|
|C|Verify-CA|ON or OFF for either|TLS is used for encryption. The client validated the Certificate-Authority chain but ignored the Subject-Alternative-Name and the Common-Name.|
|V|Verify-Fully|ON or OFF for either|TLS is used for encryption. The client validated the Certificate-Authority chain and the Subject-Alternative-Name or the Common-Name.|
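The following script is an added example, not part of the Teradata documentation: it parses the expiry warning format shown above from /var/log/messages to compute the expected expiry date, and groups session rows by their ClientConfType value so that sessions without server identity validation stand out. The log line is a constructed sample in the page's format; the SessionNo and UserName column names of DBC.SessionInfoV are assumed.

```python
import re
from datetime import datetime, timedelta

# Matches the gateway event text shown in /var/log/messages, capturing the
# timestamp immediately before the message and the remaining-days figure.
EXPIRY_RE = re.compile(
    r"(?P<stamp>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) "
    r"The TLS certificate will expire after (?P<days>\d+) days"
)

# Constructed sample: one warning line in the page's format plus an unrelated line.
SAMPLE_LOG = """\
INFO: Teradata: 6210 #Event number 34-06210-00 (severity 0, category 10), occurred on Thu Nov 5 13:44:25 2020 at 00 way, version PDE:17.10c.00.28 gtwTLSContext.cpp @290 (83900744): Thu Nov 5 13:44:25 2020 The TLS certificate will expire after 11 days.
INFO: Teradata: 6211 some other gateway event
"""

def expiring_certs(log_text, threshold_days=30):
    """Return (warned_on, days_left, expires_on) ISO dates for warnings within the threshold."""
    hits = []
    for line in log_text.splitlines():
        m = EXPIRY_RE.search(line)
        if not m or int(m["days"]) > threshold_days:
            continue
        warned = datetime.strptime(m["stamp"], "%a %b %d %H:%M:%S %Y")
        days = int(m["days"])
        hits.append((warned.date().isoformat(), days,
                     (warned + timedelta(days=days)).date().isoformat()))
    return hits

# ClientConfType values from DBC.SessionInfoV, grouped by what they guarantee (see the table).
CATEGORIES = {
    "tls_verified": {"C", "V"},             # TLS; CA chain validated (V also checks SAN/CN)
    "tls_unverified": {"R"},                # TLS; server identity not validated
    "tdgss_only": {"E", "F"},               # no TLS; TDGSS encryption
    "cleartext_possible": {"U", "H", "O"},  # unencrypted, or toggleable by the client (O)
}

def classify_sessions(rows):
    """rows: (sessionno, username, clientconftype) tuples, e.g. fetched from
    DBC.SessionInfoV (SessionNo/UserName names assumed). Returns category -> sessions."""
    out = {name: [] for name in CATEGORIES}
    out["unknown"] = []
    for sessionno, user, conf in rows:
        code = (conf or "").strip().upper()
        name = next((n for n, codes in CATEGORIES.items() if code in codes), "unknown")
        out[name].append((sessionno, user))
    return out

if __name__ == "__main__":
    print(expiring_certs(SAMPLE_LOG))
    print(classify_sessions([(1001, "dbc", "V"), (1002, "etl", "R"), (1003, "bteq", "O")]))
```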
See LogOnOffV, QryLogClientAttrV, and SessionInfoV in Teradata Vantage™ - Data Dictionary, B035-1092.