17.10 - Configuration of Static Decryption and Verification Keys (Legacy) - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number: 17.10
Release Date: July 2021

The JSON Web Token (JWT) authentication mechanism enables single sign-on (SSO) to Teradata Vantage after the user successfully authenticates to the Teradata UDA User Service. The UDA User Service authenticates users to various UDA applications and services, such as AppCenter and the Teradata® Query Service (REST services). JWT allows a user who has been authenticated to one of those applications or services to single sign-on and establish a session with Teradata Vantage.

Complete the following setup to enable the use of JWT authentication:

  1. Get the decryption and verification keys from the UDA User Service by calling the Teradata® Query Service (REST APIs). This can be done either through the service's built-in Swagger UI browser interface or with cURL commands. By default, the Swagger UI endpoints are blocked, so the recommended method is cURL.

    The following commands can be used to authenticate and retrieve the keys. Do the following from a database node that has access to the UDA User Service:

    1. Authenticate as an Admin user and get a JWT:
      curl -X POST --header 'Content-Type: application/json' --header 'Accept: application/json' -d '{
         "password": "<PW>",
         "username": "<USERNAME>"
       }' 'https://<server_name>:<port_num>/token'
    2. Get the decryption key:
      curl -X GET --header 'Accept: text/plain' --header 'Authorization: Bearer <MY JWT TOKEN>' 'https://<server_name>:<port_num>/decryptionKey'
    3. Get the signature (verification) key:
      curl -X GET --header 'Accept: text/plain' --header 'Authorization: Bearer <MY JWT TOKEN>' 'https://<server_name>:<port_num>/signatureKey'

      Where <server_name> is the server running the UDA User Service and <port_num> is the port number of the UDA User Service.

      The port number (<port_num>) is configurable. For the RPM version of the user service it is usually 8001. Replace <port_num> in the example commands with the port number for your configuration.
    4. Save each key to a file; any file name and location can be used. The decryption and verification key files should have a .pem extension and must contain the PEM header and footer lines.

      For example, the decryption key is similar to this:

      # cat decryption_key.pem
      -----BEGIN RSA PRIVATE KEY-----
      -----END RSA PRIVATE KEY-----

      For example, the verification key is similar to this:

      # cat verification_key.pem
      -----BEGIN PUBLIC KEY-----
      -----END PUBLIC KEY-----
  2. (For multi-node installations) Securely transfer the keys to the other database nodes. Check the permissions of the key files to make sure Teradata Vantage can access them. To transfer the keys, do the following:
    1. Log on to the database node that contains the keys.
    2. Move the keys to the other database nodes:
      pcl -send <location>/<decryption_key_file_name> <location>/<decryption_key_file_name>
      pcl -send <location>/<verification_key_file_name> <location>/<verification_key_file_name>
      Store the decryption and verification key files in the same location on all the nodes.
  3. Make a backup copy of /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml and save it according to your site standard backup procedures.
  4. Edit the TdgssUserConfigFile.xml and uncomment the following section:
    <!-- JWT -->
    <!-- To modify JWT mechanism configuration, uncomment this section and edit
            <Mechanism Name="JWT">
    (end of commented out section)-->
  5. Optional. Set JWTDecryptionKeyFile to the absolute path to the file containing the decryption key.
  6. Set JWTVerificationKeyFile to the absolute path to the file containing the verification key.
  7. Optional. Edit and set JWTSkewTime. JWTSkewTime is the number of seconds for which a JWT is still accepted after its expiration time.
  8. Save the file.
  9. Run the run_tdgssconfig utility to update the TDGSSCONFIG GDO:
    run_tdgssconfig
  10. Run tdgssfixpaths to set the owner and permissions on the JWTDecryptionKeyFile and JWTVerificationKeyFile:
    psh 'perl /opt/teradata/tdgss/bin/tdgssfixpaths'
  11. You can edit mechanism properties that begin with JWT without performing a TPA reset. Other modifications may require a reset. run_tdgssconfig indicates when you need to do a TPA reset. If indicated, run:
    tpareset -f "use updated TDGSSCONFIG GDO"
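As an added check for steps 1 and 10 (example code written for this page, not Teradata's own tooling): before JWTDecryptionKeyFile and JWTVerificationKeyFile are pointed at the saved files, confirm that each file is a single well-formed PEM block of the expected type and that the private decryption key is not group- or world-accessible. It uses only the Python standard library and runs against constructed toy PEM files (structurally valid DER, not real keys). Accepting the PKCS#8 "PRIVATE KEY" label next to "RSA PRIVATE KEY" is an assumption; the page shows only the latter.

```python
# Added example (not Teradata code): sanity-check the saved JWT key files
# before referencing them from TdgssUserConfigFile.xml.
import base64
import os
import re
import stat
import tempfile

# A PEM block is a BEGIN line, a base64 body and an END line; labels must agree.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)

# Labels accepted per role. The page shows PKCS#1 "RSA PRIVATE KEY" and SPKI
# "PUBLIC KEY"; accepting PKCS#8 "PRIVATE KEY" as well is an assumption.
EXPECTED_LABELS = {
    "decryption": {"RSA PRIVATE KEY", "PRIVATE KEY"},
    "verification": {"PUBLIC KEY"},
}


def parse_pem(text):
    """Return (label, der_bytes) for the first PEM block, or raise ValueError."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no complete PEM header/footer pair found")
    begin, body, end = m.groups()
    if begin != end:
        raise ValueError(f"header {begin!r} does not match footer {end!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"body is not valid base64: {exc}") from exc
    return begin, der


def der_is_single_sequence(der):
    """True if the DER starts with one SEQUENCE whose length spans the whole body."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long form: 0x8N, then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def check_key_file(path, role):
    """Return a list of problems; an empty list means the file looks usable."""
    try:
        with open(path, encoding="ascii") as fh:
            label, der = parse_pem(fh.read())
    except (OSError, ValueError, UnicodeDecodeError) as exc:
        return [f"{path}: {exc}"]
    problems = []
    if label not in EXPECTED_LABELS[role]:
        problems.append(f"{path}: {label!r} is not an expected {role} key type")
    if not der_is_single_sequence(der):
        problems.append(f"{path}: body is not one well-formed DER SEQUENCE")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if role == "decryption" and mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{path}: private key is group/world accessible (mode {mode:04o})")
    return problems


# --- constructed sample input: toy DER structures, deliberately not real keys ---

def _der(tag, content):
    """Minimal DER TLV encoder used only to build the sample bodies."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _pem(label, der, footer_label=None):
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    footer = label if footer_label is None else footer_label
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {footer}-----\n"


def write_samples(directory):
    """Write constructed sample files; returns {name: (path, role)}."""
    toy = _der(0x30, _der(0x02, b"\x00") + _der(0x04, b"stand-in" * 20))
    samples = {  # name: (file text, mode, role the file will be checked as)
        "decryption":   (_pem("RSA PRIVATE KEY", toy), 0o600, "decryption"),
        "verification": (_pem("PUBLIC KEY", toy), 0o644, "verification"),
        "loose":        (_pem("RSA PRIVATE KEY", toy), 0o644, "decryption"),
        "swapped":      (_pem("PUBLIC KEY", toy), 0o600, "decryption"),
        "mismatch":     (_pem("PUBLIC KEY", toy, "RSA PRIVATE KEY"), 0o644, "verification"),
        "truncated":    ("-----BEGIN PUBLIC KEY-----\nAAAA\n", 0o644, "verification"),
    }
    out = {}
    for name, (text, mode, role) in samples.items():
        path = os.path.join(directory, f"{name}.pem")
        with open(path, "w", encoding="ascii") as fh:
            fh.write(text)
        os.chmod(path, mode)
        out[name] = (path, role)
    return out


def run_checks():
    """Write the samples to a fresh temp dir and check each; returns {name: problems}."""
    paths = write_samples(tempfile.mkdtemp())
    return {name: check_key_file(path, role) for name, (path, role) in paths.items()}


if __name__ == "__main__":
    for name, problems in run_checks().items():
        print(f"{name:12s} {'OK' if not problems else '; '.join(problems)}")
```

On a real node, call check_key_file() on the actual .pem paths instead of the samples; the permission check only reports, it does not change anything, since tdgssfixpaths is the step that sets the owner and mode the database expects.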