JWT Dynamic Key Rotation | Advanced SQL Engine 17.10 | Teradata Vantage - Local Validation - Advanced SQL Engine - Teradata Database

Security Administration
Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Published
July 2021
Language
English (United States)
Last Update
2022-02-15
dita:mapPath
ppz1593203596223.ditamap
dita:ditavalPath
wrg1590696035526.ditaval
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantage™

The JWT mechanism can be configured to dynamically update JSON Web Keys (JWKs).

When logging on to Teradata Vantage using JWT, an Identity Provider (IdP) signs the token using its private key and the Teradata server verifies the token's signature using the corresponding public key. Keys returned from IdPs are in JSON Web Key (JWK) format. Keys used to validate the token can be in in PEM or JWK format.

Key pairs are rotated by the IdP for various reasons, such as security policy or a compromised key. If a key is rotated by the identity provider the Teradata Gateway must update the public keys to validate the token issued with the new keys. This is done automatically if dynamic key rotation is enabled.

By default, this feature is disabled.

To enable dynamic key rotation:

  1. Make a backup copy of the /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml and save it according to your site standard backup procedures.
  2. Edit TdgssUserConfigFile.xml and uncomment IdentityProvider. Edit it so it looks similar to the following with your site information: 
    <Mechanism Name="JWT">
     <MechanismProperties
         JWTDynamicKey ="yes|no"
         JWTClientTlsCACertDir="ca_cert_dir"
            
       .../>

       <IdentityProvider
           Id="Keycloak"
           Url="https://Customer_IdP_URL"
           Type="keycloak"
        />
</Mechanism>

    Set the following properties:

    Property Description
    JWTDynamicKey Set it to yes to enable dynamic key rotation.
    JWTClientTlsCACertDir

    Location of the CA certificates. Specify the full path to site/ssl/cacerts directory for this property. For example: /opt/teradata/tdat/tdgss/site/ssl/cacerts/

    Set <IdentityProvider> section properties:

    Property Description
    Id Uniquely identifies the IdP in the configuration file.
    Url Url is the customer's IdP end point. From the URL, TDGSS can issue REST API calls to get the required URLs and other information, such as Issuer, JWK URI, and so on.

    Based on the Url, TDGSS decides whether to establish a TLS connection with the IdP. For a TLS connection JWTClientTlsCACertDir is the directory where all the CA certificates are configured.
    Type Type is the Identity Provider type. Example values are: Ping-Federate, keycloak, vantage-keycloak, azuread, okta, and auth0.
  3. Place the CA certificates in the location specified in JWTClientTlsCACertDir. This directory is typically here: /opt/teradata/tdat/tdgss/site/ssl/cacerts.
  4. Verify the configuration is correct:
    1. Run tdgsstestcfg to verify the new configuration is correct. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Test the configuration with the tdgssauth tool:
      tdgssauth -m JWT -a token=JWT_from_IdP

      Where JWT_from_IdP is the IdP you configured in TdgssUserConfigFile.xml.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  5. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig
  6. If run_tdgssconfig indicates that a TPA reset is required, run:
    tpareset -f “use updated TDGSSCONFIG GDO”