Previously, when the TDGSS configuration changed a TPA reset was required for the new values in the TDGSSCONFIG GDO to take effect. Now, the following can be modified without a TPA reset:
- Any attribute or property whose name begins with "Ldap" for KRB5 and LDAP
- MechanismEnabled property for KRB5, LDAP, JWT, and PROXY
- AuthorizationSupported property for KRB5 and LDAP
- LDAP Service ID and password with no impact to user LDAP logons
- The following properties in the PROXY mechanism:
- CertificateFile
- PrivateKeyFile
- PrivateKeyPassword
- PrivateKeypasswordProtected
- CACertFile
- CACertDir
- SigningHashAlgorithm
- Any JWT mechanism property whose name begins with "JWT"
- All canonicalizations including the lightweight authorization structures
Additionally, tdgsstestcfg is a new tool to test configuration changes before making them permanent with run_tdgssconfig.
Benefits
- Decreases downtime previously caused by mechanism property reconfiguration.
- Simplifies steps when modifying mechanism properties.
- The run_tdgssconfig tool informs you when a tpareset is required.
Considerations
The following configuration changes still require a tpareset:
- Changes to any mechanism property not mentioned above require a tpareset
- QoP configuration
- Local or global policy configuration, including service name changes
- TDNEGO and SPNEGO
Additional Information
For more information about security, see Teradata Vantageā¢ - Advanced SQL Engine Security Administration, B035-1100.