Checking Nodes and Unity Servers for Existing Kerberos Keys (Optional) - Advanced SQL Engine - Teradata Database

Security Administration

Product
Advanced SQL Engine
Teradata Database
Release Number
17.05
17.00
Published
September 2020
Language
English (United States)
Last Update
2021-01-23
dita:mapPath
ied1556235912841.ditamap
dita:ditavalPath
lze1555437562152.ditaval
dita:id
B035-1100
lifecycle
previous
Product Category
Teradata Vantage™

Any Kerberos keys that already exist in a node or Unity server keytab file could be overwritten (destroyed) when you install new keys. When replacing existing keys, overwriting is normal. However, if you want to retain and add to the existing keys, you must use the key merge procedure, which avoids overwriting.

You can use the pcl command to find and display any Kerberos keys that already exist on database nodes or a Unity server to help determine if you should use the merge procedure when installing new keys:

pcl -s klist -ke [keytab_file_name]

This example, run against the keytab file in its standard location, shows a two-node system. The KVNO lines under each node header are the pre-existing keys; if any such lines appear, plain installation would overwrite them. Note also the encryption type in parentheses after each principal: single DES, as in this listing, is deprecated for Kerberos (RFC 6649), so a system that shows it should receive stronger key types when new keys are installed:

l3592:/ > pcl -s klist -ke /etc/teradata.keytab
All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
------------------------------------------------------------------

If no keys are present, each node prints only the keytab name and the KVNO/Principal header, with no key entries below it, and new keys can be installed without the merge procedure:

l3592:/ > pcl -s klist -ke /etc/teradata.keytab
All 2 node(s) have connected
<--------------------- node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
<--------------------- node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
The keytab file and the klist -ke output are similar on a Unity server.
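The listing above is meant to be read by eye, but the decision it supports (merge or plain install) is easy to script. The following is an added example, not code from the Teradata manual or product: it parses output in the shape shown on this page, counts existing key entries and nodes, reports the highest KVNO currently held for a principal (a replacement key must carry a higher one), and flags single-DES keys, which RFC 6649 deprecates. The two sample listings are constructed from the page's two-node output; on a real system you would assign the live command output instead, as the comment at the top indicates. The regular expression, function names and the MERGE/INSTALL wording are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Teradata's code): decide whether the key merge
# procedure is needed by parsing the output of
#   pcl -s klist -ke /etc/teradata.keytab
# The samples below are constructed from the listing on this page; on a
# real system replace them with the live output:
#   OUT=$(pcl -s klist -ke /etc/teradata.keytab 2>&1)

SAMPLE_WITH_KEYS='All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)'

SAMPLE_NO_KEYS='All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------'

# A key entry is a line that starts with a numeric KVNO followed by a
# principal containing "@". Headers and node separators never match.
KEY_RE='^[[:space:]]*[0-9]+[[:space:]]+[^[:space:]]+@[^[:space:]]+'

# Number of key entries across all nodes (0 when the keytabs are empty).
count_key_entries() {
  printf '%s\n' "$1" | grep -Ec "$KEY_RE" || true
}

# Number of nodes that reported a keytab (one "Keytab name:" line each).
count_nodes() {
  printf '%s\n' "$1" | grep -c '^Keytab name:' || true
}

# Highest KVNO recorded for one principal, or nothing if it is absent.
# A new key for that principal must carry a higher KVNO than this.
max_kvno_for() {  # $1 = klist output, $2 = principal
  printf '%s\n' "$1" | awk -v p="$2" '
    BEGIN { m = -1 }
    $2 == p && $1 ~ /^[0-9]+$/ { if ($1 + 0 > m) m = $1 + 0 }
    END { if (m >= 0) print m }'
}

# Key entries using single DES (deprecated for Kerberos by RFC 6649).
# Matches the old "DES cbc mode ..." wording and "des-cbc-*" names.
count_des_keys() {
  printf '%s\n' "$1" | grep -E "$KEY_RE" \
    | grep -Eic '\((deprecated:)?des[ -]cbc' || true
}

# True (exit 0) when at least one key already exists, i.e. use the merge
# procedure; plain installation would overwrite the existing keys.
needs_merge() {
  [ "$(count_key_entries "$1")" -gt 0 ]
}

# Summarise one listing as "MERGE" or "INSTALL" plus counts.
decide() {
  out=$1
  if needs_merge "$out"; then verdict=MERGE; else verdict=INSTALL; fi
  printf '%s: %s node(s), %s key(s), %s single-DES key(s)\n' \
    "$verdict" "$(count_nodes "$out")" \
    "$(count_key_entries "$out")" "$(count_des_keys "$out")"
}

decide "$SAMPLE_WITH_KEYS"
decide "$SAMPLE_NO_KEYS"
```

Run as-is the script reports MERGE for the first sample and INSTALL for the second. The DES count is the check worth acting on before installing: a MERGE verdict with every existing key on single DES means the merge would preserve weak keys, and replacing them is the better choice.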