Advanced SQL Engine 17.10 | Security | Changes & Additions - Changes and Additions - Advanced SQL Engine

Advanced SQL Engine 17.10 | Security | Changes & Additions - Changes and Additions - Advanced SQL Engine - Teradata Database

Security Administration

Product

Advanced SQL Engine

Teradata Database

Release Number

17.10

Published

July 2021

Language

English (United States)

Last Update

2022-02-15

dita:mapPath

ppz1593203596223.ditamap

dita:ditavalPath

wrg1590696035526.ditaval

dita:id

B035-1100

lifecycle

Product Category

Teradata Vantage™

Date	Description
July 2021	TLSv1.2 is supported between clients and the database server. See Using TLS with Client to Database Connections. Single Sign-On and JWT: See the new information in Configuring Single Sign-On. JWT dynamically updates JSON Web Keys, if enabled. See Local Validation. JWT supports logons from third-party applications with a token from an external Identity Provider, see Validation by Token Exchanger. For new JWT mechanism properties, see JWT Support Properties. Previously, when the TDGSS configuration changed, a TPA reset was required for the new values in the TDGSSCONFIG GDO to take effect. Now, the following can be modified without a TPA reset: Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP MechanismEnabled property for KRB5, LDAP, JWT, and PROXY AuthorizationSupported property for KRB5 and LDAP LDAP Service ID and password with no impact to user LDAP logons The following properties in the PROXY mechanism: CertificateFile, PrivateKeyFile, PrivateKeyPassword, PrivateKeypasswordProtected, CACertFile, CACertDir, and SigningHashAlgorithm. Any JWT mechanism property whose name begins with "JWT" All canonicalizations including the lightweight authorization structures The following configuration changes still require a tpareset: Changes to any mechanism property not mentioned above require a tpareset QoP configuration Local or global policy configuration, including service name changes TDNEGO and SPNEGO See Modifying the User Configuration File. tdgsstestcfg is a new tool to test configuration changes before making them permanent with run_tdgssconfig, see Working with tdgsstestcfg. tdsbind is deprecated. Teradata recommends using the tdgssauth tool instead of tdsbind. tdgssauth can test more security mechanisms than tdsbind and it more accurately validates security mechanism configurations because it uses actual TDGSS services while performing the offline test of the new configuration. See Working with tdgssauth. tdgssgetinfo is a new diagnostic tool that collects and displays information used to determine the health of the TDGSS or TeraGSS installed on the system. See tdgssgetinfo. See X.509 Certificates Ownership and Permissions for the recommened ownership and permissions for X.509 certificates and private key files.
June 2020	The SASL/DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you stop using SASL/DIGEST-MD5, and instead use simple binding with TLS protection. TDNEGO now supports JWT (JSON web token) authentication. New LDAP Mechanism property: LdapServicePasswordFile. Allows you to provide an encrypted list of passwords in an editable file, which enables switching LDAP passwords without requiring a database restart.

Date

Description

July 2021

TLSv1.2 is supported between clients and the database server. See Using TLS with Client to Database Connections.
Single Sign-On and JWT:
- See the new information in Configuring Single Sign-On.
- JWT dynamically updates JSON Web Keys, if enabled. See Local Validation.
- JWT supports logons from third-party applications with a token from an external Identity Provider, see Validation by Token Exchanger.
- For new JWT mechanism properties, see JWT Support Properties.
Previously, when the TDGSS configuration changed, a TPA reset was required for the new values in the TDGSSCONFIG GDO to take effect. Now, the following can be modified without a TPA reset:
- Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP
- MechanismEnabled property for KRB5, LDAP, JWT, and PROXY
- AuthorizationSupported property for KRB5 and LDAP
- LDAP Service ID and password with no impact to user LDAP logons
- The following properties in the PROXY mechanism: CertificateFile, PrivateKeyFile, PrivateKeyPassword, PrivateKeypasswordProtected, CACertFile, CACertDir, and SigningHashAlgorithm.
- Any JWT mechanism property whose name begins with "JWT"
- All canonicalizations including the lightweight authorization structures
The following configuration changes still require a tpareset:
- Changes to any mechanism property not mentioned above require a tpareset
- QoP configuration
- Local or global policy configuration, including service name changes
- TDNEGO and SPNEGO
  See Modifying the User Configuration File.
tdgsstestcfg is a new tool to test configuration changes before making them permanent with run_tdgssconfig, see Working with tdgsstestcfg.
tdsbind is deprecated. Teradata recommends using the tdgssauth tool instead of tdsbind. tdgssauth can test more security mechanisms than tdsbind and it more accurately validates security mechanism configurations because it uses actual TDGSS services while performing the offline test of the new configuration. See Working with tdgssauth.
tdgssgetinfo is a new diagnostic tool that collects and displays information used to determine the health of the TDGSS or TeraGSS installed on the system. See tdgssgetinfo.
See X.509 Certificates Ownership and Permissions for the recommened ownership and permissions for X.509 certificates and private key files.

June 2020

The SASL/DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you stop using SASL/DIGEST-MD5, and instead use simple binding with TLS protection.
TDNEGO now supports JWT (JSON web token) authentication.
New LDAP Mechanism property: LdapServicePasswordFile. Allows you to provide an encrypted list of passwords in an editable file, which enables switching LDAP passwords without requiring a database restart.