SSO Security Hardening | Teradata Vantage - 17.10 - SSO Security Hardening - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
Release Date
July 2021
Content Type
Publication ID
English (United States)

A JWT received from a client is validated using the JWK (JSON Web Key) from the JWK URI using REST API calls. For performance reasons JWK is cached, so that future validations are fast and avoid any further REST API calls. Some mechanism properties are added to JWT mechanism for security hardening.


The JWTRestAPIMaxTimeAllowed property specifies the maximum (in seconds) REST API call timeout.

The default setting is 20 seconds.


The JWTRestAPITimeLimit property specifies time (in seconds) between REST API calls. Too many REST API calls causes denial of service.

The default setting is 10 seconds.


The JWTKeyCacheRefreshTime property specifies the interval (in minutes) at which the key cache is purged, so the new key cache is refreshed.

The default setting is 1440 minutes (24 hours).


The JWTClientTlsCACertDir property specifies the location of the CA certificates. It specifies the full path to the site/ssl/cacerts directory.

There is no default, but it is typically here: /opt/teradata/tdat/tdgss/site/ssl/cacerts/.


The JWTClientUseTls property enforces TLS 1.2 or higher for REST API calls. This makes sure that the REST API always uses https and that peer and host verification is done.

The default setting is "Yes". The value "No" should not be used in production.


The JWTSkewTime property specifies the maximum skew time (in seconds) allowed during JWT validation.

The default setting is 300 seconds (5 minutes).