Advanced SQL Engine 17.10 | Security | Changes & Additions - 17.10 - Changes and Additions - Advanced SQL Engine - Teradata Database

Teradata Vantage™ - Advanced SQL Engine Security Administration

Advanced SQL Engine
Teradata Database
Release Number
July 2021
English (United States)
Last Update
Date Description
July 2021
  • TLSv1.2 is supported between clients and the database server. See Using TLS with Client to Database Connections.
  • Single Sign-On and JWT:
  • Previously, when the TDGSS configuration changed, a TPA reset was required for the new values in the TDGSSCONFIG GDO to take effect. Now, the following can be modified without a TPA reset:
    • Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP
    • MechanismEnabled property for KRB5, LDAP, JWT, and PROXY
    • AuthorizationSupported property for KRB5 and LDAP
    • LDAP Service ID and password with no impact to user LDAP logons
    • The following properties in the PROXY mechanism: CertificateFile, PrivateKeyFile, PrivateKeyPassword, PrivateKeypasswordProtected, CACertFile, CACertDir, and SigningHashAlgorithm.
    • Any JWT mechanism property whose name begins with "JWT"
    • All canonicalizations including the lightweight authorization structures

    The following configuration changes still require a tpareset:

    • Changes to any mechanism property not mentioned above require a tpareset
    • QoP configuration
    • Local or global policy configuration, including service name changes

      See Modifying the User Configuration File.

  • tdgsstestcfg is a new tool to test configuration changes before making them permanent with run_tdgssconfig, see Working with tdgsstestcfg.
  • tdsbind is deprecated. Teradata recommends using the tdgssauth tool instead of tdsbind. tdgssauth can test more security mechanisms than tdsbind and it more accurately validates security mechanism configurations because it uses actual TDGSS services while performing the offline test of the new configuration. See Working with tdgssauth.
  • tdgssgetinfo is a new diagnostic tool that collects and displays information used to determine the health of the TDGSS or TeraGSS installed on the system. See tdgssgetinfo.
  • See X.509 Certificates Ownership and Permissions for the recommened ownership and permissions for X.509 certificates and private key files.
June 2020
  • The SASL/DIGEST-MD5 authentication protocol used by LDAP is deprecated. Teradata strongly recommends you stop using SASL/DIGEST-MD5, and instead use simple binding with TLS protection.
  • TDNEGO now supports JWT (JSON web token) authentication.
  • New LDAP Mechanism property: LdapServicePasswordFile. Allows you to provide an encrypted list of passwords in an editable file, which enables switching LDAP passwords without requiring a database restart.