TLSv1.2 is supported between clients and the database server in Release 17.10. This includes new tools and utilities:
- gtwcontrol - New options to enable or disable TLSv1.2 and trace the protocol.
- gtwglobal - New options to update the TLS configuration from the gateway TLS configuration.
- nodenames - Displays the network interfaces that a node is known by. The node names are discovered by querying DNS. This information is helpful when you generate a Certificate Signing Request (CSR) because nodenames provides the common name (CN) and subject alternative names (SANs) that are used in the CSR.
- tlsutil - A tool used to obtain and install signed certificates and private keys that are required for TLS. tlsutil uses the nodenames command internally.
The cipher suite has been updated.
- The following ciphers are included by default:
  - TLS_AES_256_GCM_SHA384
  - TLS_CHACHA20_POLY1305_SHA256
  - TLS_AES_128_GCM_SHA256
  - ECDHE-ECDSA-AES256-GCM-SHA384
  - ECDHE-RSA-AES256-GCM-SHA384
  - DHE-RSA-AES256-GCM-SHA384
  - ECDHE-ECDSA-CHACHA20-POLY1305
  - ECDHE-RSA-CHACHA20-POLY1305
  - DHE-RSA-CHACHA20-POLY1305
  - ECDHE-ECDSA-AES128-GCM-SHA256
  - ECDHE-RSA-AES128-GCM-SHA256
  - DHE-RSA-AES128-GCM-SHA256
  - AES256-GCM-SHA384
  - AES128-GCM-SHA256
- Customers may change the ciphers as needed.
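When deciding which of the default ciphers to keep, it helps to know which ones provide forward secrecy. The following Python sketch is an added example, not Teradata code: it parses the names in the list above, assuming they follow OpenSSL naming conventions, and separates the suites with an ephemeral key exchange from those that use static RSA key transport. The function names are hypothetical.

```python
# Added example: classify the default cipher names listed above by key exchange.
# Assumption: names follow OpenSSL conventions. The parser covers only the
# name shapes that appear in this list and rejects anything else.
DEFAULT_CIPHERS = [
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-CHACHA20-POLY1305",
    "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES256-GCM-SHA384", "AES128-GCM-SHA256",
]


def classify(name):
    """Return key exchange, authentication and forward secrecy for one name."""
    if name.startswith("TLS_"):
        # RFC 8446 (TLS 1.3) suite names carry only the AEAD and hash; key
        # exchange is negotiated separately and is (EC)DHE in certificate
        # handshakes.
        return {"kx": "(EC)DHE", "auth": "certificate", "pfs": True}
    parts = name.split("-")
    if len(parts) > 2 and parts[0] in ("ECDHE", "DHE") and parts[1] in ("RSA", "ECDSA"):
        return {"kx": parts[0], "auth": parts[1], "pfs": True}
    if parts[0].startswith("AES"):
        # No key-exchange prefix: static RSA key transport, so a later
        # compromise of the server key exposes recorded sessions.
        return {"kx": "RSA", "auth": "RSA", "pfs": False}
    raise ValueError(f"unrecognised cipher name: {name}")


def split_by_forward_secrecy(ciphers):
    """Return (forward_secret, static_key) lists, preserving preference order."""
    keep, review = [], []
    for name in ciphers:
        (keep if classify(name)["pfs"] else review).append(name)
    return keep, review


if __name__ == "__main__":
    keep, review = split_by_forward_secrecy(DEFAULT_CIPHERS)
    for name in DEFAULT_CIPHERS:
        c = classify(name)
        print(f"{name:32} kx={c['kx']:8} auth={c['auth']:11} pfs={c['pfs']}")
    print("no forward secrecy:", ", ".join(review))
```
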
Benefits
- TLSv1.2 is an industry-standard protocol for securing network traffic between client and server.
- A SQL Engine Release 17.10 system can be configured to prevent client applications from logging on if they are not using TLSv1.2. In its default configuration, SQL Engine Release 17.10 is capable of supporting TLSv1.2, but certificates must be configured appropriately for SQL Engine to take advantage of the TLSv1.2 feature.
Considerations
- Client applications must be updated to Teradata Tools and Utilities (TTU) Release 17.10 to use TLSv1.2.
- DNS setup is required to use the tlsutil and nodenames tools.
Additional Information
- Teradata Vantage™ - Advanced SQL Engine Security Administration, B035-1100
- Teradata Vantage™ - Database Utilities