Security Considerations for Trusted Sessions - Advanced SQL Engine - Teradata Database
Security Administration
Product
Advanced SQL Engine
Teradata Database
Release Number
17.10
Published
July 2021
Language
English (United States)
Last Update
2022-02-15
dita:mapPath
ppz1593203596223.ditamap
dita:ditavalPath
wrg1590696035526.ditaval
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantageā¢
Introduction to Security Administration
Changes and Additions
Teradata Generic Security Services
Implementation Overview
TDGSS Configuration Files
User and Library Configuration File Content
Setting Up TDGSS
Modifying the User Configuration File
Security Administration Tools
Legacy TeraGSS
Setting Up the Administrative Infrastructure
Implementation Process
System-Generated Users
User DBC
Other System-Generated Users
Working with System-Level Space Allocation
Database Space Types
Recommended Space Allocations for System-Generated Users
Creating the Spool Space Reserve
Assigning Perm Space to the Crashdumps Database
Working with Administrative Users
Security Administrator Responsibilities
Database Administrator Responsibilities
Creating the Security Administrator User
CTCONTROL Privilege
Granting CTCONTROL Privileges
Example: GRANT a User CTCONTROL Privilege
Related Information
Setting Up the Database Administrator User
Creating the Database Administrator Profile
Creating User DBADMIN
Granting Privileges to User DBADMIN
Working with the Common Criteria Standard
Common Criteria Standard
Setting Up a System for Common Criteria Compliance
Avoiding Potential Security Hazards
Controlling Physical Access
Controlling Access to the Operating System
Security Hardening
Working with OS-Level Security Options
Implementing User Authentication and Authorization
Teradata Authentication
About External Authentication
External Authentication with Teradata Vantage Authorization
Single Sign-on (Kerberos Authentication)
Sign-on As (Kerberos or LDAP Authentication)
External Authentication with Directory Authorization
LDAP Directory Authentication and Authorization
Kerberos External Authentication with Directory Authorization
Kerberos External Authentication with Directory Authorization (Single Sign-on)
Related Information
External Authentication Controls
Using the External Authentication Controls
External Authentication Requirements
Kerberos Authentication with Teradata Vantage Authorization
LDAP Authentication with Teradata Vantage Authorization
Kerberos or LDAP Authentication with Directory Authorization
Related Information
Using External Authentication from Mainframe Clients
Authentication and Authorization of Middle-Tier Application Users
Authentication of Users Logging On through Unity
Working with Kerberos Authentication
Prerequisites
Client Operating Systems Supported for Kerberos Authentication
Installing and Configuring Kerberos
About Kerberos Minimum Versions
Setting Up Kerberos on Linux and UNIX Clients
Kerberos on Windows Clients and Windows KDCs
Configuring Local Security Policy Encryption Types for Kerberos
Installing Kerberos on Teradata Vantage Nodes and Unity Servers
Reconfiguring TDGSS for a Non-Standard Installation of Kerberos
Changing the Configuration on Teradata Vantage Nodes and Unity Server
Working with Kerberos Setup on the KDC
Setting Up Kerberos for Teradata Vantage on a Windows Kerberos KDC
Creating a Computer Component for Database Nodes and Unity Server
Checking Node and Unity Registration in the Windows DNS
Adding a Database Node or Unity Server to the Windows DNS
Creating an Active Directory User for Each Node and Unity Server
Determining the SPN for Each Node and Unity Server
Running ktpass to Create the Kerberos Keys
Generating the Key for the First Node or for a Unity Server
Generating the Keys for Additional Nodes
Example: ktpass Commands for a Two Node Setup
Moving the Kerberos Keys to a Teradata Vantage System or Unity Server
Setting Up Kerberos on a Linux MIT Kerberos KDC
Creating Teradata Vantage Node and Unity Server Principals
Password Changes for Unity Principals
Checking Registration in UNIX DNS
Adding Database Nodes and Unity Servers to UNIX DNS
Creating the Kerberos Keys
Copying the Kerberos Keys From the KDC to the Principals
Configuring Teradata Vantage and Unity Servers for Kerberos Authentication
Verifying that a Database Node or Unity Server Can Find the Name Server
Setting Up the krb5.conf Kerberos Configuration File
Determining the Kerberos Key Installation Directory
Installing the Kerberos Keys
Checking Nodes and Unity Servers for Existing Kerberos Keys (Optional)
Initial Installation of Kerberos Keys for the First KDC
Installing Kerberos Keys for Additional KDCs (Merging Keys)
Replacing Existing Kerberos Keys Compared to Merging Keys
Synchronizing the Time and Date Within the Domain
Synchronizing Time on Database Nodes and Unity Servers with Time on the KDC
Checking the Kerberos Setup
Using kinit to Test Communication with the Directory
Using klist -e to Check the Credentials Cache and Encryption Type
Logging on to the Database to Check Kerberos Authentication
Configuring Single Sign-On
Single Sign-On Flow
Local Validation
Validation by Token Exchange
Configuration for Browser Authentication
Configuration for OpenID Connect
Local Validation
Validation by Token Exchanger
Configuration of Static Keys
Configuration of Static JSON Web Key
Configuration of Static Decryption and Verification Keys (Legacy)
User Name Mappings
SSO Security Hardening
Related Information
Creating Users and Granting Privileges
User Implementation Process
Prerequisites
Database User Functional Categories
Assessing User Needs
Working with Database Profiles
Privileges Required for Creating Profiles
Creating Profiles
Default Values for the CREATE PROFILE Statement
Precedence of Values for Profile Parameters
Assigning Profiles to Users
Using a Profile to Set a Default Query Band
Dropping Profiles
Database User Types
Creating Permanent Database Users
Privileges Required for Creating Database Users
Creating a Database User
CREATE USER Default Values
Dropping the Default Database for a User
Dropping Permanent Database Users
Working with Directory Users
Auto Provisioned Directory Users
Working with Middle-Tier Application Users
Setting Up a Permanent Application Logon User
Setting Up Trusted User Applications and Proxy Users (Recommended)
Teradata Vantage User Privileges
Database Privilege Types
Ownership Privileges
Giving Ownership
Related Information
Explicit Privileges
Automatic Privileges
Checking Privileges in Data Dictionary Views
Working with User Privileges in Teradata Vantage
Privileges for User Types
Related Information
Working with GRANT and REVOKE Statements
Privileges Required to Use GRANT and REVOKE
Granting Privileges to Permanent Database Users
Granting Privileges to PUBLIC
Granting Privileges in a Unity Environment
Granting Privileges for BAR Users
Using Roles to Manage Privileges
Limitations on Using Roles
Creating Roles
Dropping a Role
Assigning the Default Role
Dropping the Default Role
Related Information
Working with Roles for Proxy Users
Using the SET QUERY BAND Statement to Enable Session Proxy Roles
Using Roles for Directory Users
Implementing Roles for Directory Authorization of Database Privileges
Creating and Dropping External Roles
Default Session Roles for Directory Users
Effects of Dropping an External Role on Directory User Role Privileges
Effects of Changing Directory Role Assignments
Switching Roles During a Session
Other Options for Restricting Database Access
Restricting User Access Using Views
Restricting User Access by Column in a Table or View
Restricting User Access by Row in a Table or View
Restricting User Access with Macros and Stored Procedures
Managing Database Passwords
Prerequisites
Password Management Process
Working with Password Formatting
Password Formatting and Object Name Validation
Password Sharing Among Character Sets
Format Rules for Object Naming
Managing Common Password Problems
Releasing Password Lockouts
Resetting Forgotten Passwords
Resetting the Password Expiration Interval
Tracking Changes to Passwords
Working with Password Controls
Password Controls
Password Control Activation Options
Password Control Recommendations
ExpirePassword
Default Setting
Allowable Values
Strategy
Example: UPDATE Statement to Set Duration of Password
Expired Password Effects on a Session
Using MODIFY USER to Replace an Expired Password
MaxLogonAttempts
Default Value
Allowable Values
Example: UPDATE Statement to Set Maximum Failed Logon Attempts
Strategy
Rescuing Locked-Out Users
PasswordReuse
Default Value
Allowable Values
Strategy
Example: UPDATE Statement to Set PasswordReuse Lock
Password History
LockedUserExpire (Password Lockout Time)
Default Value
Allowable Values
Strategy
Example: UPDATE Statement to Set Lock Duration
PasswordMinChar
Default Value
Allowable Values
Strategy
Example: UPDATE Statement to Set the Minimum Number of Characters in a Password
PasswordMaxChar
Default Value
Allowable Values
Strategy
Example: UPDATE Statement to Set the Maximum Number of Characters in a Password
PasswordDigits
Default Value
Allowable Values
Strategy
Example: UPDATE Statement to Set the Option for Digits in a Password
PasswordSpecChar
Default Value
Allowable Values
Strategy
Example: UPDATE Statement to Require Special Characters in a Password
PasswordRestrictWords
Default Value
Allowable Values
Example: UPDATE Statement Option to Restrict Words in a Password
Strategy
Adding and Removing Restricted Words
Determining if a Password Contains a Restricted Word
Setting Password Controls
Using UPDATE to Manage Global Password Controls
Using CREATE or MODIFY PROFILE to Set Password Controls for Users
Effects of Profile-Based Password Controls
Related Information
Comparing Global and Profile-Based Password Controls
Using Password Controls With Multibyte Characters
Viewing Current Password Control Settings
Logging on to Teradata Vantage
Prerequisites
Logon Implementation Process
Default Logon Privileges
Using Logon Elements
Logon String Format Requirements
User Name and Account String Format
Password Format
Formatting of Logon Elements in .logon and .logdata Statements
Object Names Acquired from External Authenticating Agents
Determining the Authentication Mechanism for a Logon
Changing the Default Mechanism
Mechanism Security Policy
Specifying a Tdpid
Specifying the User Name
Database User Name
Directory User Name
Using Appended Domain Name
Specifying a Password
Submitting a Password for External Authentication
Related Information
Specifying an Account String
Specifying a Domain or Realm
Network Logons
Using Logons with Different Authentication Methods
Working with Logon Syntax Elements
Logging on Using Teradata Authentication and Authorization
Example: TD2 Logon
Logging on Using LDAP Authentication and Authorization
LDAP Authorization Processing
LDAP Logon Format Examples
Example: Logon with User Credentials in the .Logdata Statement
Example: Logon with User Credentials in the .Logon Statement
Explanation of LDAP Logon Format Examples
Common Errors with LDAP UPN Logons
Logging on Using Sign-on As
Using Sign-on As with Teradata Authorization
Using Sign-on As with Directory Authorization
Sign-on As Logon Format Examples
Example: Sign-on As Using the .logdata Statement
Example: Sign-on As Using the .logon Statement
Explanation of Sign-on As Examples
Logging on Using Single Sign-on with Kerberos
Using Single Sign-on with Teradata Authorization
Using Single Sign-on with Directory Authorization
Single Sign-on Examples
Example: Single Sign-on with Teradata Authorization
Example: Single Sign-on with Directory Authorization
Explanation of Single Sign-on Examples
Logging on Using Teradata Negotiating (TDNEGO)
TDNEGO Benefits
TDNEGO Negotiation
TDNEGO Use Cases
TDNEGO Supported Mechanisms
TDNEGO Supported Clients
Unity Support for TDNEGO
TDNEGO Usage Constraints
TDNEGO Compatibility with TTU Client Tools
Configuring TDNEGO Properties
TDNEGO Mechanism Properties
Changing the Configuration on Teradata Vantage Nodes
SPNEGO Mechanism Offered by TDNEGO on Teradata Database 15.10 for TTU 16.0 .NET Clients
Removing a NegotiatedMechanism from TDNEGO
Disabling TDNEGO
Related Information
TDNEGO Logging
TDNEGO Support Considerations
Using Teradata Wallet to Store and Retrieve Logon Elements
Benefits
Use Cases
Restrictions
Prerequisites
Storing Logon Information in Teradata Wallet
Storing a Password Using an Alias Name
Storing Logon Information by System Tdpid
Retrieving Logon Information from Teradata Wallet Using BTEQ
Retrieving a Password Using a Password Alias
Retrieving a Password for a Specified Tdpid
Retrieving a Username and Password for a Specified Tdpid
Retrieving a Password from Teradata Wallet Using ODBC Driver for Teradata
Working with Logon Variations by Application
Specifying Logon Parameters when Setting Up an Application
Logging On from Mainframe Systems
Logging On from Teradata Vantage Nodes
Logging On through Unity
Logging On from .NET Clients
Using Operating System Logons
Using Logon Error Handling Options
Directory Management of Database Users
Directory Database User Implementation Process
Working with Directory User Management Options
Option 1: Directory Authentication Only
Advantages
Limitations
Setting Up Directory Authentication
Option 2: Directory Authentication and Authorization
Advantages
Limitations
Setting Up Directory Authentication and Authorization
Option 3: Non-LDAP External Authentication with Directory Authorization
Advantages
Limitations
Setting Up Non-LDAP External Authentication with Directory Authorization
Option 4: Lightweight LDAP Authorizations
Setting Up Lightweight LDAP Authorizations
<AuthSearch>
Examples Using Lightweight LDAP Authorizations
Directory User Characteristics
Characteristics of Unmapped Directory Users
If All Directory Users Are Unmapped
If Some Directory Users Are Unmapped
Characteristics of Directory Users Mapped to Permanent Database Users
Characteristics of Directory Users Mapped to EXTUSER
Characteristics of Directory Users Mapped to Database Roles and Profiles
Row Level Access Privileges for Directory Users
Ownership of Database Objects Created by Directory Users
Evaluating the System for Directory Management of Users
Evaluation Process
Prerequisites
Certified Directories
Working with LDAPv3-Compliant Directories
Checking the Network Setup
Connecting Teradata Vantage Clients to the Database
Typical Server Configuration in Client Machine Host File or DNS
Teradata Vantage Node Connections to the Directory
Checking the Directory DNS Name from the Database
Querying the Directory Server
Prerequisites
ldapsearch
Finding the RootDSE Object
Example: Using ldapsearch to Find the RootDSE in Active Directory, ADAM, or AD LDS
Finding the RootDSE on Sun Java System Directory Server
Example: Using ldapsearch to Find the RootDSE in Sun Java Directory Server
Ldapsearch Troubleshooting
Authenticating a Directory User
Example: Using ldapsearch to Authenticate an Active Directory, ADAM, or AD LDS User
Example: Using ldapsearch to Authenticate a Sun Java Directory Server User
Common Errors with Active Directory, ADAM, or AD LDS
DNS Naming Issue
Example: Error -- Mismatched DIGEST-uri and LDAP SPN
Correcting the Mismatched DIGEST-uri and LDAP SPN Error
Invalid User, Password, or Realm
Example: Error - Invalid User, Password, or Realm (Simple Binding)
Example: Error - Invalid User, Password, or Realm (DIGEST-MD5 Binding)
Bad Password
Example: Bad Password Error (DIGEST-MD5 Binding)
Example: Bad Password Error (Simple Binding)
Ldapsearch Error Codes
Common Errors with Sun Java Directory Server
Server Down
Bad Canonicalization
Example: Detecting Bad Canonicalization
Example: Bad Canonicalization with Identity Mapping
Bad User
Example: Bad User Error
Provisioning Directory Users with Teradata Schema Extensions
Provisioning Process
Prerequisites
Teradata Schema Extensions
Teradata Directory Object Classes
Teradata Schema Extensions
Teradata Schema Objects
Teradata Schema Object Attributes in the Directory Information Tree
Special Objects and Attributes Required for Active Directory, ADAM, and AD LDS
Installing Teradata Schema Extensions in a Certified Directory
Schema Installation Options
Installing Schema Extensions on Active Directory, ADAM, or AD LDS
Procedure
Installing Schema Extensions on Sun Java System Directory Server
Installing Schema Extensions on Novell eDirectory
Installing Schema Extensions on OpenLDAP
Teradata Schema Objects in the DIT
Teradata Schema Objects in the DIT Hierarchy
Teradata Security Policy Objects
Lower-level Teradata Schema Objects in the DIT Hierarchy
Creating the Top-Level Objects in the DIT
Object Creation Process
Creating the tdatRootNode Object
Example: tdatRootNode
Creating the tdatSystem Object
Example: tdatSystem
Configuring tdatSystem Objects
Creating Containers and Inserting Objects
Container and Object Creation Process
Naming Conventions
Creating Users Containers and Inserting User Objects
Example: tdatContainer (Users)
Example: tdatUser
Creating Roles Containers and Inserting Role Objects
Example: tdatContainer (Roles)
Examples: tdatRole
Creating Profiles Containers and Inserting Profile Objects
Example: tdatContainer (Profiles)
Examples: tdatProfile
Creating IP Filters Containers and Inserting IP Filters
Example: tdatContainer (IPFilters)
Examples: tdatIPFilter
Applying IPFilters to Directory Users
Example: Applying an IP Filter to tdatUser Objects
Example: Applying an IP Filter to All Vantage Users
Mapping Directory Users to Teradata Vantage Objects
Mapping Directory Users to Vantage Users
Example: Mapping a Directory User to a tdatUser
Mapping Directory Users to Vantage External Roles
Examples: Mapping a Directory Group to a tdatRole
Mapping Directory Users to Vantage Profiles
Examples: Mapping a Directory User to a tdatProfile
Using Native Directory Schema to Provision Directory Users
Process Overview
Prerequisites
Required Teradata Objects
Creating the RootNode and System Objects
RootNode Object
Example: Creating the RootNode Object
System Object
Example: Creating a System Object
Configuring System Objects
Creating Containers and Inserting Database Objects
Users
Example: Creating a Users Container
Example: Inserting User Objects into a Users Container
Roles
Example: Creating a Roles Container
Examples: Inserting Role Objects into a Roles Container
Profiles
Example: Creating a Profiles Container
Examples: Inserting Profile Objects into a Profiles Container
Mapping Additional Directory Users to Vantage User, Role, and Profile Objects
Mapping Directory Users to Database Users
Example: Mapped User
Mapping Directory Groups to Teradata Vantage External Roles
Example: Mapped Roles
Mapping Directory Users to Vantage Profiles
Example: Mapped Profiles
Changing the TDGSS Configuration
Prerequisites
Configuration Change Process
About the TDGSS Configuration Files
User and Library Configuration File Content
TDGSS Configuration for the Teradata Viewpoint Server
Related Information
Using the dumpcfg Utility to Check the Current Configuration
Example: Sample dumpcfg Statements
Example: Using dumpcfg
Editing Configuration Files
Adding New Mechanisms and Properties to the TdgssUserConfigFile.xml
Effects of Upgrade and Migration on TDGSS Configuration Changes
On Teradata Vantage Nodes and Unity Servers
On Teradata Vantage Clients
General Rules for Editing the TDGSS Configuration
Working with LDAP Mechanism Properties
Prerequisites
Configuring LDAP for Authentication Only
Configuring LDAP for Directory Authentication and Authorization
Configuring LDAP Properties for Kerberos or Directory Authorizations
Setting Global LDAP Protection Properties
Making Changes to TdgssUserConfigFile.xml on Database Nodes
Changing the TDGSS Configuration
TDGSS Configuration Errors
Returning to an Old Configuration
Testing Directory Authentication and Authorization Setup
Working with tdgsstestcfg
Working with tdgssauth
Using tdgssauth Syntax
Example: tdgssauth Verifying a Permanent User's Authentication and Authorization Properties
Example: tdgssauth Verifying an Unmapped User's Authentication and Authorization Parameters Using LDAP
Example: tdgssauth Verifying a Database User's Security Properties Using TD2
Example: tdgssauth Wrap and Unwrap
Example: tdgssauth Debugging LDAP
Example: Using tdgssauth to Debug Kerberos
Working with tdsbind
Using Tdsbind Syntax
Using Tdsbind Options
Usage Notes
Diagnosing Logon Failure Due to Incorrect Realm Information
tdsbind Error Output
Example: Tdsbind Output for a Directory User not Mapped to a Database User
Example: Tdsbind Output for a Directory User Mapped to a Database User
Using BTEQ to Verify Directory User Mapping
Common BTEQ Error Messages and Related Directory Setup Problems
Working with Ldapsearch
Running Ldapsearch
Syntax for Use of DIGEST-MD5 Binding [Deprecated]
Syntax for Use of Simple Binding
Working with Ldapsearch Options
ldapsearch Attributes and System Names
Attributes
System Names [Deprecated]
Finding User Information with Ldapsearch
Step 1: Obtain the defaultNamingContext
Search Input
Search Output
Explanation of the defaultNamingContext Search
Step 2: Search for User drct01
Search Input [Deprecated]
Search Output
Explanation of the Search for User drct01
Determining the schemaNamingContext Value
Search Input
Search Output
Explanation of Search for a schemaNamingContext Value
Other LDAP Tools
Directory Tool For Active Directory, ADAM, and AD LDS
LDAP Binding Options
Evaluation and Implementation Process
Using DIGEST-MD5 Binds [Deprecated]
DIGEST-MD5 Binds
Implementing DIGEST-MD5 Binds
Using Simple Binds
Simple Binds
Implementing Simple Binds
Using Service Binds
Service Binds
Working with Service Binds
LDAP Mechanism Properties that Support Service Binds
Service Bind Configuration Process
Creating a Bindable Object for the Service
Creating a Bindable Object on Sun Java Directory Server and OpenLdap
Creating a Bindable Object on Active Directory, ADAM, or AD LDS
Editing TdgssUserConfigFile.xml for Service Binds
Using Anonymous Binds
Anonymous Binds
Configuring Anonymous Binds
TLS Protection Options
Using TLS with a Directory Server
Protection Implementation Process
Prerequisites
X.509 Certificates Ownership and Permissions
Using Basic TLS Protection
TLS Protection
Configuring SSL Protection [Deprecated]
Configuring TLS Protection
Related Information
Advanced Protection Options
Preparing to Configure Advanced Protection
Preparation Process
Checking the Directory Server Certificates
Example: Using openssl to Examine a Certificate
Testing the CN Value
Verifying the Directory Server Certificate Chain
Verification Process
Obtaining the Directory Server Certificate Chain
Preparation
When the Directory Supports TLS Only
When the Directory Supports SSL
Example: Certificate Chain
Creating the CA Certificate Symlinks
Creating Symlinks Using the Certlink Utility
Testing the Connection
Configuring TDGSS to Use Advanced Binding Options
Prerequisites
Example Configuration
Using Mutual Authentication Between the Directory Server and Teradata Vantage
Mutual Authentication
Working with Certificates and Private Keys
Mutual Authentication Implementation Process
Installing the Private Key
Installing the Certificate
Sample of a Certificate File Installed on a Database Node
Installing Keys and Certificates for the Entire Teradata Vantage System
Updating the TDGSS Configuration
Sample Configuration for Mutual Authentication
Troubleshooting TLS Setup with a Directory Server
Hostname Does Not Match CN in Peer Certificate
Error Message Text
Corrective Action
SSL: Certificate Verify Failure
Error Message Text
Corrective Action
TLS: Self-signed Certificate Offered or Is Part of the Certificate Chain
Error Message Text
Corrective Action
TLS: Unable to Get Local Issuer Certificate
Error Message Text
Using openssl to Identify the Certificates Not Verified
Corrective Action
Obtain the Needed Certificate
Using TLS with Client to Database Connections
Configuring Signed Certificates and Private Keys
Example: Create Signed Certificates and Private Keys on All Nodes Using ZIP Archives
Example: Update Only Invalid Signed Certificates
Signed Certificates and Private Keys Default Locations
tlsutil
tlsutil Usage
tlsutil Examples
nodenames Utility
Cipher Suites and Overriding the Configuration File
Updating Cipher Suites and Versions
Updating TLS Certificate and Private Key
Using gtwcontrol to Enable or Disable TLS and to Set the Port
Troubleshooting TLS
Optimizing Directory Searches
Search Optimization Options
Configuring LDAP Properties to Narrow the Search Base
Working with Directory User Identification Options
Directory User Identification
Comparing User Identification Options
Using Identity Mapping
Prerequisites
Identity Mapping Implementation Process
Configuring an Identity Map
Sample Identity Map for Logging on with a UPN
Explanation of the Pattern Substitution Schema
Sample Identity Map for Simple User Names
Sample of an Identity Map for NT-Styled Logons
Using Identity Searches
Prerequisites
Identity Search Implementation Process
Configuring an Identity Search
Example Identity Search
Using Multiple IdentityMap and IdentitySearch Elements in Combination
Use Case for Combined IdentityMap and IdentitySearch
Configuring Combined Identity Map and Identity Search
Search Results for Combined Identity Map and Identity Search
Search Characteristics
Using Identity Map and Identity Search for Multiple Directory Services
Sample Configuration for Multiple Directory Services
Configuring LDAP for Site-Aware Authentication
Prerequisites
Configuring Site Aware User Authentication in a Windows Domain
Configuration Process
Locating the Configuration Naming Context
Locating the Site Objects in a Domain
Specifying a Binding Method for an ldapsearch
Searching for Site Objects
Finding Directories that Serve a Site
Configuring Site-Aware SRV Resource Records in TDGSS
Configuring Site Aware Authentication in a Global Catalog
Configuration Process
Finding the Root Domain Name
Finding All GC Servers in the Forest
Finding the Available Sites in the Forest
Choosing a Site
Configuring TDGSS
Configuring LDAP to Use Multiple Directory Services
Prerequisites
Implementation Overview
Adding Multiple Directory Services to the TDGSS Configuration
Preparing to Edit the TdgssUserConfigFile.xml
Preparing to Edit the TdgssUnityConfigFile.xml
Disabling the Existing LDAP Mechanism
Creating the <LdapConfig> Section in the TdgssUserConfigFile.xml
Adding Identity Map and Identity Search Elements to the LdapConfig
Completing the <LdapConfig> Configuration Change
Using <LdapConfig> with Unity
Network Security Policy
Prerequisites
Implementation Overview
Network Security Policy
Security Policy and Related Client Settings
System Processing of Security Policies
Directory Schema Considerations
Using Teradata Schema Extensions to Configure Security Policy
Standard Directory Entries and Security Policy
Creating a Service Object for Each Teradata Vantage System
Creating ipNetwork Objects for Use in Assigning Policies by IP Address
Using LDAP Directory Objects in Policies
Rules for Specifying Users as Policy Members
Specifying Profiles as Policy Members
Configuring Top-Level Security Policy Objects
Creating the tdatRootNode Object
Using Teradata Schema Extensions to Create a tdatRootNode
Using Native Directory Schema to Create a RootNode Object
Creating the tdatPolicy Object
Using Teradata Schema Extensions to Create the Top-Level Policy Object
Using Native Directory Schema to Create the Top-Level Policy Object
Configuring a Security Mechanism Policy
About Security Mechanism Policies
Creating the Mechanisms Container
Using Teradata Schema Extensions to Create a Mechanism Container
Using Native Directory Schema to Create a Mechanism Container
Creating Mechanism Objects in the Mechanisms Container
Using Teradata Schema Extensions to Create Mechanism Objects
Using Native Directory Schema to Create Mechanism Objects
Adding Member Users to a Mechanism Policy
Using Teradata Schema Extensions to Add Users to a Mechanism
Using Native Directory Schema to Add Users to a Mechanism
Confidentiality and Integrity QOP Policy
System Processing of Confidentiality and Integrity QOP Policies
Mechanism Effects
Configuring ipNetworks and Network Groups
Using ipNetworks and Network Groups to Assign Policy
Comparing the Function of Internal and External Network Groups
Rules for Using Network Groups to Define Policy Effects
Directory Schema Requirements for Using ipNetwork Objects
Installing the ipNetwork Schema Extension on ADAM and AD LDS
Creating ipNetwork Objects
Network Groups
Creating Network Group Containers
Using Teradata Schema to Create a Network Group Container
Using Native Directory Schema to Create a Network Group Container
Creating Internal Network Groups
Using Teradata Schema Extensions to Create an Internal Network Group
Using Native Directory Schema to Create an Internal Network Group
Creating External Network Groups
Using Teradata Schema Extensions to Create an External Network Group
Using Native Directory Schema to Create an External Network Group
Adding ipNetworks to a Network Group
Using Teradata Schema Extensions to Add ipNetwork Objects to an External Network Group
Using Native Directory Schema to Add ipNetwork Objects to an External Network Group
Removing ipNetworks from a Network Group
Using Teradata Schema Extensions to Remove ipNetwork Objects from an External Network Group
Using Native Directory Schema to Remove ipNetwork Objects from an External Network Group
Configuring an Integrity QOP Policy
Prerequisites
Creating the integ-qops Container
Using Teradata Schema Extensions
Using Native Directory Schema
Creating Integrity QOP Objects in the integ-qops Container
Using Teradata Schema Extensions
Using Native Directory Schema
Assigning Members to an Integrity QOP Policy
Applying Integrity QOP Policy to a Teradata Vantage User
Applying Integrity QOP Policy to a Directory User
Applying Integrity QOP Policy to a Teradata Vantage Profile
Applying Integrity QOP Policy to a Network Group
Removing Members from an Integrity QOP
Configuring a Confidentiality QOP Policy
Prerequisites
Creating the conf-qops Container
Using Teradata Schema Extensions
Using Native Directory Schema
Creating Confidentiality QOP Objects in the Confidentiality QOP Container
Using Teradata Schema Extensions
Using Native Directory Schema
Adding Members to a Confidentiality QOP to Require QOP Usage
Applying Confidentiality QOP Policy to Teradata Vantage Users
Applying Confidentiality QOP Policy to Directory Principals
Applying Confidentiality QOP Policy to Teradata Vantage Profiles
Applying QOP Restrictions to Network Groups
Removing Members from a Confidentiality QOP
Configuring Options Policies
Has-Policy Option
No-Direct-Connect Option
Creating the Options Container
Creating the has-policy Option
Creating the no-direct-connect Option
Adding Members to an Option Policy
Applying an Option Policy to a Teradata Vantage User
Applying an Option Policy to a Directory Principal
Applying an Option Policy to a Teradata Vantage Profile
Applying an Option Policy to a Network Group
Removing Members from an Option Policy
Security Policies in the TDGSS Configuration
Global and Local Security Policies
Basic Policy Structure
Use Case for Configuring Global and Local Security Policies
System Processing of Global and Local Policies
Configuring Security Policies in the TdgssUserConfigFile.xml
Configuring the Directory Services
Directory Service Setup in the TdgssUserConfigFile.xml
Standard LDAP Properties Used for All Policy Configurations
Configuring Policy-Related Properties for a Global Security Policy
Configuring Policy-Related Properties for a Local Security Policy
Sample Configuration Containing Both Local and Global Policies
Configuring the Gateway to Allow Logons from Older Interfaces or Proxies
Examples: Enabling Clients and Proxies that are Unable to Automatically Support Security Policy to Log On
Related Information
Requiring Confidentiality
Setting Up Host Groups
Investigating Security Policy Assignments
Using tdgssauth to Determine tdspolicy Search Parameters
Using tdspolicy to Find Policy Assignments for a User
tdspolicy for a Directory Principal Mapped to a Teradata Vantage User
tdspolicy for a Directory Principal not Mapped to a Teradata User
tdspolicy for a TD2 User
tdspolicy for a TD2 User with No Assigned Policy
Monitoring QOP Security Policy
Logging QOP Security Policy in the DBC.LogOnOffV
Logging QOP Security Policy on Unity
Logging QOP Policy Violations
Auditing Policy Violations
Using Logon Controls
Logon Control Implementation Options
Logon Privileges
Controlling the Granting and Revoking of Logons
Working with Precedence of Clauses
Granting and Revoking Logon Privileges
Enforcing Temporary Logon Restrictions When Restoring Data
Revoking Logons in a Unity Environment
Controlling Logons through a Middle-Tier Application
Setting Up Trusted Sessions and Proxy Users
Trusted Sessions and Space Usage
Session Processing for Trusted Sessions
Security Considerations for Trusted Sessions
Restricting Logons by Host Group
Using Host Group Restrictions
Related Information
Restricting Logons by IP Address
GDO-Based IP Access Restriction
Using IP Access Restrictions
Ensuring Security
Creating XML-Based IP Restrictions
Prerequisites
Implementation Process for XML-Based Restrictions
Designing IP XML Restrictions
IP XML Documents
Example: IP Restriction Elements
IP Restriction Elements
tdat
system
users
user
ipfilters
ipfilter
allow
deny
appliesto
Working with Restrictions on XML Attribute Name Values
IP Filters
Example: IP Filter
Working with the Effects of Filter Type on allow and deny Elements
IP Addresses and Mask Structure
Example: Allow IP
Masking Effects on an Incoming IP Address
Applying a Mask to a Filter
Masking Partial Binary IP Segments
Example: Complex Mapping
Understanding Interactions Between Primary and Secondary Masked IPs
Example: Primary Element Processing
Example: Secondary Element ProcessingāSingle Address Exception
Example: Secondary Element ProcessingāAddress Range Exception
Example: Secondary Element ProcessingāCarve Out Exception
Related Information
Permissive Filters
Gateway Processing of Permissive Filters
Example: Permissive Filter
Restrictive Filters
Gateway Processing of Restrictive Filters
Example: Restrictive Filtering
Creating an IP XML Restriction Document
Example: Completed IP XML Restriction Document
Enabling IP Restrictions
When Multiple Filters Exist
When No Filter Exists
Applying a Filter to All Users
Example: XML Document Linking a Filter to All Users
Saving a Completed XML IP Restriction Document
Enabling XML-Based IP Restrictions with the ipxml2bin Utility
Testing XML-Based IP Restrictions
Creating IP Restrictions in a Directory
Prerequisites
Implementation Process for Directory-Based IP Restrictions
Designing Directory-Based IP Restrictions
Standard Teradata Schema Objects in IP Restrictions
tdatRootNode
tdatSystem
tdatUsers
tdatUser
Special IP Filter Schema Objects in IP Restrictions
tdatIPFilters
tdatIPFilter
Working with IP Filter Attributes
tdatAllowDeny
tdatAllowedIP
tdatDeniedIP
tdatIPFilterMember
Mapping IP Filters to Directory Users
Enabling Directory-Based IP Restrictions with the ipdir2bin Utility
ipdir2bin Errors
Testing Directory-Based IP Restrictions
Example: Test of IP Access Restrictions for Directory Users
Editing or Disabling IP Restrictions
Editing IP Restrictions in an XML Document
Editing IP Restrictions in the Directory
Removing All IP Restrictions in an Emergency
Encryption
Password Encryption
Teradata Vantage Passwords Stored in the Teradata Vantage System
Teradata Vantage Passwords Stored in Teradata Wallet
Message Encryption
Message Encryption for Teradata (TD2) and LDAP Authentication
Message Encryption for Kerberos Authentication
Message Encryption and Performance
Enabling Encryption
Data Integrity
Working with Quality of Protection Options
Quality of Protection
Default QOP Settings
QOP Configuration Options
Working with TdgssUserConfigFile.xml QOP Entries
Teradata Vantage Fresh Install
QOP Configuration Change Guidelines
Preparing to Change the QOP Configuration
Changing the QOP Configuration
Changing the Default QOP Strength
Enabling and Changing Low, Medium, and High QOP Entries
Full Disk Encryption
Monitoring Database Access
Access-Monitoring Implementation Process
Default Logging
Working with Access Logging
Setting Up the DBC.AccLogRule Macro
Enabling Logging with the BEGIN LOGGING Statement
Database Level Logging
Logging Sequence
Table-Level Logging
Using BEGIN LOGGING With GRANT
Logging MODIFY Statements
Verifying that the Access Log Rule Is Correct
DBC.AccLogTbl Entries
Disabling Access Logging with the END LOGGING Statement
Using Access Logging for Directory-Based Users
Identifying Directory Users in Access Logs
DBC.SessionTbl Information for Directory User Sessions
Using Access Logging for Auto-Provisioned Users
Using Access Logging for Proxy Users
Example: Investigating Proxy User Activity in DBC.AccessLogV
Example: Investigating Proxy User Activity in DBC.QryLogV
Example: Finding the Query Band for an Active Session
Access Logging for Viewpoint Users
Sample Implementation of Access Logging
Sample Logging Requirements
Sample Logging Setup
Monitoring Query Band Logs
Monitoring Security Policy Violations
Using Network Encryption Auditing
Auditing Logons by Clients that Cannot Automatically Follow Security Policy
Examples: Enable Logging for Clients and Proxies that are Unable to Automatically Support Security Policy
Related Information
Using External Monitoring Software
Investigating Database Access Attempts
Investigation Process
About Access Logging Information in System Views
Accessing System Views
Specifying Parameters to Narrow the Search of System Views
Using MONITOR Related Queries
Example: Identifying Which Users Can Force Other Users Off the System
Example: Identifying Users Recently Forced Off the System
Example: Identifying Current MONITOR Function Users
Querying Session-Related Views
DBC.LogOnOffV
DBC.SessionInfoX
Example: Querying Session DBC.SessionInfoX Using BTEQ
Access Log Maintenance
Implementing Row Level Security
Row-Level Security
Row Level Security Compared to View and Column Access Controls
Related Information
Elements of Row Level Security
Row-Level Security Implementation Process
Security Labels
Defining Security Labels for Users and Rows
Working with Row Level Security UDFs
Security Constraint UDFs
Basic SQL Access Control Guidelines
Example: Hierarchical Rules
Example: Non-Hierarchical Rules
Related Information
Creating Row Level Security UDFs
Related Information
Altering and Replacing Row Level Security UDFs
Dropping Row Level Security UDFs
Working with Security Constraint Administrative Privileges
Security Constraint Administrative Privileges
Granting Security Constraint Administrative Privileges
Related Information
Revoking Security Constraint Administration Privileges
Working with Security Constraints
CONSTRAINT Objects
Security Classification Types and Required CONSTRAINT Object Settings
Creating CONSTRAINT Objects
Related Information
Altering or Dropping CONSTRAINT Objects
Related Information
Investigating Security Constraint Object Definitions
Working with Constraint Assignments
Assigning Security Constraints
Assigning Security Constraints in a CREATE USER Statement
Related Information
Changing Security Constraints for a User
Changing or Dropping Security Constraints in a MODIFY USER Statement
Related Information
Assigning Security Constraints in a CREATE PROFILE Statement
Changing or Dropping Security Constraints in a Profile
Adding, Changing, and Dropping Security Constraints in a Profile
Working with Security Constraint Columns
Security Constraint Columns in Tables
Limits on Applying Security Constraints to Tables
Related Information
Creating a Table with Security Constraint Columns
Related Information
Adding a Security Constraint Column to a Table
Removing a Security Constraint Column from a Table
Working with Constraint OVERRIDE Privileges
OVERRIDE Privileges
Granting SQL DML OVERRIDE Privileges
Related Information
Revoking SQL DML OVERRIDE Privileges
Related Information
Working with Row-Level Security Effects
Aggregate Function Requirements
Required Action
Archive, Copy, and Restore Requirements
Using COPY and RESTORE After a Constraint Change
Using COPY or RESTORE to Migrate the Row Level Security Setup to Another System
Compound Statement SQL Requirements
Example: Setting an Alternate Constraint Value
Example: Using the Results of a UDF to Set the Constraint Value
COLLECT STATISTICS AND HELP STATISTICS Requirements
Error Table Requirements
Indexing and Partitioning Requirements
Join Requirements
Load/Export Utility Requirements
Recommended Action
Macro Requirements
Macro Privileges
OLAP Function Requirements
Required Action
Pooled Session Requirements
Statistics Requirements
Stored Procedure Requirements
Stored Procedure Privileges
Temporary Table and Volatile Table Restrictions
Unity Requirements
View Requirements
Determining the Session Constraint Values
Session Constraint Values for Permanent Database Users
Session Constraint Values for Directory Users
Session Constraint Values for Application Pooled Users
Session Constraint Values for Trusted User Applications and Proxy Users
SET QUERY_BAND Processing
Session Constraint Values in OVERRIDE Sessions
Specifying Non-Hierarchical Constraint Values when Loading Tables
Example: Loading Tables without User OVERRIDE Privileges
Resetting the Session Constraint
Example: Loading Tables with User OVERRIDE Privileges
Using SET SESSION to Change the Session Security Constraint Value
Using HELP SESSION to Investigate Session Constraint Values
About Row-Level Security and Bulk Table Loads
Session Constraints and Bulk Table Loads
Using Access Logging with Row Level Security
Access Logging for Row-Level Security
Beginning RLS Access Logging
Example: Logging Denials of Access Attempts
Example: Logging the First Operation on a Specified Object
Example: Logging Denials for a Specified User on a Specified Object
Ending RLS Access Logging
Constraint-Related System Tables and Views
DBC Security Constraint Tables and Views
Other DBC Tables with Security Constraint Columns
Restricted Access to Statistics in DBC Views
Finding Security Constraint Assignments
Finding Tables and Indexes with a Security Constraint
Finding Views that Include a Security Constraint
Finding Users or Profiles with an Assigned Constraint
Determining Whether a Column is a Security Constraint
Related Information
Implementing Teradata Secure Zones
Teradata Secure Zones Overview
Secure Zone Objects
Secure Zone User Types
Privileges in Teradata Secure Zones
Implementing Teradata Secure Zones
Creating a Zone
Adding a Primary DBA to a Zone
Creating Zone Users in a Zone
Adding Zone Guests to a Zone
Using a Proxy User or Directory User in a Zone
Granting Privileges to Zone Users and Zone Guests
Dropping the Root From a Secure Zone
Dropping Zone Users From a Secure Zone
Revoking Access From Zone Guests
Dropping a Zone
Example Scenario
Setting Up a Zone for Testing
Security Considerations
Using External Authentication and Authorization with Zones
Using Trusted Sessions and Proxy Users with Zones
Table and View Privileges
Using Logging to Monitor Zones
Access Logging
Query Logging
TDGSS Configuration Files, Valid Settings, and Editing Guidelines
Configuration File Header
Example: TDGSS Library Configuration File
Example: TDGSS User Configuration File
AlgorithmName
Example: Algorithm Names
KeyLength, KeyLengthP
Example: Key Lengths
Mode
Example: Modes
Padding
Example: Padding Types
InterfaceType
AlgorithmType
Mechanism Properties
Modifying Mechanism Properties Without a TPA Reset
Supporting Mechanisms
Special Handling for New Properties
Basic Functional Properties
AuthenticationSupported
AuthorizationSupported
GenerateCredentialFromLogon
NegotiationSupported
SingleSignOnSupported
Confidentiality Properties
DHKeyP and DHKeyG
VerifyDHKey
Directory Identification and Search Properties
LdapBaseFQDN [Deprecated]
LdapClientDebug
LdapClientDeref
LdapClientRebindAuth
LdapClientReferrals
LdapCredentialIsUPN
LdapGroupBaseFQDN
LdapServerName
LdapServerPort [Deprecated]
LdapServerRealm [Deprecated]
LdapSystemFQDN
LdapUserBaseFQDN
UseLdapConfig
JWT Support Properties
JWTClientTlsCACertDir
JWTClientUseTls
JWTDecryptionKeyFile
JWTDynamicKey
JWTKeyCacheRefreshTime
JWTKeyDirectory
JWTRestAPIMaxTimeAllowed
JWTRestAPITimeLimit
JWTSkewTime
JWTTokenExchange
JWTVerificationKeyFile
LDAP Binding Properties [Deprecated]
LdapClientMechanism
LdapServiceBindRequired
LdapServiceFQDN
LdapServicePassword
LdapServicePasswordFile
LdapServicePasswordProtected
LDAP Policy Properties
LdapNetworkBaseFQDN
LdapPolicyFQDN
MechanismIgnoreQOP
LDAP Protection Properties
Avoiding Conflicts with OpenLDAP Tunables
LdapAllowUnsafeServerConnect
LdapClientSASLSecProps
LdapClientTlsCACert
LdapClientTlsCACertDir
LdapClientTlsCert
LdapClientTlsCipherSuite
LdapClientTlsCRLCheck
LdapClientTlsKey
LdapClientTlsRandFile
LdapClientTlsReqCert
LdapClientUseTLS
Mechanism Status Properties
DefaultMechanism
DefaultNegotiatingMechanism
MechanismEnabled
MechanismRank
Operational Properties
AnonymousAuthentication
ConfidentialityDesired
CredentialUsage
DelegateCredentials
DesiredContextTime
DesiredCredentialTime
IntegrityDesired
MutualAuthentication
OutOfSequenceDetection
ReplayDetection
TeradataKeyTab
Unity Support Properties
CACertDir
CACertFile
CertificateFile
PrivateKeyFile
PrivateKeyPassword
PrivateKeyPasswordProtected
ProxySupported
SigningHashAlgorithm
Coordinating Mechanism Property Values for Unity
Quality of Protection (QOP)
Global QOPs
Mechanism QOPs
Mechanism Configurations
TD2 Mechanism
KRB5 Mechanism
SPNEGO Mechanism
TDNEGO Mechanism
TDNEGO Mechanism Properties
Example: TDNEGO Configuration
LDAP Mechanism
PROXY Mechanism
JWT Mechanism
Diagnostic Tools
tdgssgetinfo
Syntax
Examples
Privilege Dictionary
Privileges
Multiple Privileges with a Single Keyword
Required DBC Privileges
Default PUBLIC Privileges
Privileges Needed for Database Administration
Databases
DATASET SCHEMA
Geospatial Data Types
GLOP
Hash Index and Join Index
Macros
Teradata Vantage MAPS architecture (MAPS)
Profiles
Proxy Users and Trusted Users
Roles and External Roles
Security Constraints
Statistics
SQL and External Procedures
Tables
Triggers
Users
User-Defined Functions (UDFs)
UDTs and UDMs
Views
Teradata Secure Zones
Determining Privileges for a User
Sample Macro for Determining User Privileges
Executing the Privilege Check Macro
Teradata GSS Administrative Package
TeraGSS Limitations
Guidelines for Configuring TeraGSS
Password Restricted Words
Default Restricted Words
Frequently Used Words
Frequently Used Names
Additional Information
Teradata Links
The middle-tier application authenticates end users before it connects them to Teradata Vantage through a trusted session. Then Vantage controls access to database objects based on the proxy user role.
Use the WITH TRUST ONLY clause in the GRANT CONNECT THROUGH to require that SET QUERY_BAND statements be part of trusted requests.
The system enforces logon controls, such as logons restrictions by IP address, only for the middle-tier application logon user (trusted user), because it does not authenticate proxy users.
When a trusted session is established with a permanent proxy user, the permanent proxy user is the owner of and is granted default privileges on new objects.
When a trusted session is established with an application proxy user, no automatic privileges are granted on new objects.
The system enforces security policies based on the trusted user, not the end (proxy) user. For information on security policy, see Network Security Policy .
The system does not allow the SET ROLE statement in a trusted session. The operant role for a proxy user connection is determined by the roles you specify in the CONNECT THROUGH statement that defines the proxy user, along with any role limitations contained in the SET QUERY_BAND statement submitted by the application.
Construct the SET QUERY_BAND statement to uniquely identify each end user so that the system can accurately log user sessions.