JWT Dynamic Key Rotation | Analytics Database (SQL Engine) | Teradata Vantage

Security Administration

Deployment: VantageCloud, VantageCore
Edition: Enterprise, IntelliFlex, VMware
Product: Analytics Database, Teradata Vantage
Release Number: 17.20
Published: June 2022
Language: English (United States)
Last Update: 2024-04-05
Product Category: Teradata Vantage™

The JWT mechanism can be configured to dynamically update JSON Web Keys (JWKs).

When logging on to Teradata Vantage using JWT, an Identity Provider (IdP) signs the token using its private key and the Teradata server verifies the token's signature using the corresponding public key. Keys returned from IdPs are in JSON Web Key (JWK) format. Keys used to validate the token can be in PEM or JWK format.

Key pairs are rotated by the IdP for various reasons, such as a security policy or a compromised key. If the IdP rotates a key, the Teradata Gateway must obtain the new public key before it can validate tokens issued with the new key. This happens automatically when dynamic key rotation is enabled.

By default, this feature is disabled.
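The behaviour described above, as an added Go example that is not Teradata code and is not part of this page: an issuer standing in for the IdP signs RS256 tokens and publishes its current public key under a kid, and a verifier standing in for the Teradata Gateway caches that key set and, when its dynamic flag is set (the analogue of JWTDynamicKey="yes"), downloads the key set again, once, when a token names a kid it does not know. All type and function names (keySet, issuer, verifier, rotationDemo) and the sample claims are assumptions made for illustration. The key set is modelled as a kid-to-key map; the JWK JSON encoding and the HTTPS fetch through the CA certificates in JWTClientTlsCACertDir are left out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding // JOSE uses unpadded base64url for every JWT segment

// keySet models the IdP's published keys as kid -> public key (a real IdP serves them as RFC 7517 JWKs at its jwks_uri).
type keySet map[string]*rsa.PublicKey

// issuer stands in for the IdP: it signs with its current key and publishes only that key.
type issuer struct {
	kid       string
	priv      *rsa.PrivateKey
	published keySet
}

// rotate installs a fresh key pair under a new kid and withdraws the old one, as after a compromise.
func (i *issuer) rotate(kid string) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // rand.Reader failing is unrecoverable for this demo issuer
	}
	i.kid, i.priv, i.published = kid, priv, keySet{kid: &priv.PublicKey}
}

// sign produces a compact RS256 JWT whose header names the signing key by kid.
func (i *issuer) sign(claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": i.kid})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, i.priv, crypto.SHA256, h[:])
	return input + "." + b64.EncodeToString(sig), err
}

// verifier plays the relying party (the Teradata Gateway): fetch stands in for the HTTPS request to the IdP's jwks_uri, dynamic mirrors JWTDynamicKey="yes", fetches counts downloads.
type verifier struct {
	fetch   func() keySet
	dynamic bool
	cache   keySet
	fetches int
}

// load replaces the cached key set with whatever the IdP currently publishes.
func (v *verifier) load() { v.cache, v.fetches = v.fetch(), v.fetches+1 }

// verify checks an RS256 token, refetching the key set once on an unknown kid when dynamic rotation is on.
func (v *verifier) verify(token string) (claims map[string]any, err error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, e := b64.DecodeString(parts[0]); len(parts) != 3 || e != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, fmt.Errorf("malformed token")
	}
	if hdr.Alg != "RS256" { // pin the algorithm: the token must never choose how it is verified
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	pub, ok := v.cache[hdr.Kid]
	if !ok && v.dynamic { // unknown kid: ask the IdP for its current key set, once
		v.load()
		pub, ok = v.cache[hdr.Kid]
	}
	if !ok {
		return nil, fmt.Errorf("no key for kid %q", hdr.Kid)
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) != nil {
		return nil, fmt.Errorf("signature invalid")
	}
	raw, err := b64.DecodeString(parts[1])
	if err == nil {
		err = json.Unmarshal(raw, &claims)
	}
	return claims, err
}

// rotationDemo issues a token, rotates the IdP key, issues another, and reports what the verifier accepted.
func rotationDemo(dynamic bool) (beforeOK, afterOK bool, fetches int, err error) {
	idp := &issuer{}
	idp.rotate("key-2024-01")
	v := &verifier{fetch: func() keySet { return idp.published }, dynamic: dynamic}
	v.load() // the gateway loads the key set once at startup
	claims := map[string]any{"iss": "https://idp.example", "sub": "alice"} // constructed sample claims
	tok, err := idp.sign(claims)
	_, errBefore := v.verify(tok)
	idp.rotate("key-2024-02") // the IdP rotates: only the new kid is published from now on
	tok, err = idp.sign(claims)
	_, errAfter := v.verify(tok)
	return errBefore == nil, errAfter == nil, v.fetches, err
}
```

Calling rotationDemo(false) and rotationDemo(true) shows the difference the page describes: with rotation off, the first token verifies but the token signed after the IdP rotates is rejected because its kid is unknown to the cached key set; with rotation on, the unknown kid triggers exactly one further key-set download and the new token verifies. The verifier also pins alg to RS256 instead of trusting the token header, a check a relying party keeps regardless of how keys are refreshed.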

To enable dynamic key rotation:

  1. Make a backup copy of /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml and save it according to your site's standard backup procedures.
  2. Edit TdgssUserConfigFile.xml and uncomment the IdentityProvider element. Edit it so that it looks similar to the following, using your site information:

    <Mechanism Name="JWT">
        <MechanismProperties
            JWTDynamicKey="yes"
            JWTClientTlsCACertDir="ca_cert_dir"
            ... />

        <IdentityProvider
            Id="Keycloak"
            Url="https://Customer_IdP_URL"
            Type="keycloak"
        />
    </Mechanism>

    Set the following MechanismProperties attributes:

    JWTDynamicKey: Set it to yes to enable dynamic key rotation.
    JWTClientTlsCACertDir: Location of the CA certificates. Specify the full path to the site/ssl/cacerts directory, for example /opt/teradata/tdat/tdgss/site/ssl/cacerts/.

    Set the following <IdentityProvider> attributes:

    Id: Uniquely identifies the IdP in the configuration file.
    Url: The customer's IdP endpoint. From this URL, TDGSS issues REST API calls to obtain the required URLs and other information, such as the Issuer and the JWK URI. Based on the Url, TDGSS decides whether to establish a TLS connection with the IdP; for a TLS connection, JWTClientTlsCACertDir is the directory where all the CA certificates are configured.
    Type: The Identity Provider type. Example values are: Ping-Federate, keycloak, vantage-keycloak, azuread, okta, and auth0.
  3. Place the CA certificates in the location specified in JWTClientTlsCACertDir. This directory is typically here: /opt/teradata/tdat/tdgss/site/ssl/cacerts.
  4. Verify the configuration is correct:
    1. Run tdgsstestcfg to verify the new configuration is correct. It launches a test environment in a new shell that contains the updates to the configuration file.
      /opt/teradata/tdgss/bin/tdgsstestcfg
    2. Test the configuration with the tdgssauth tool:
      tdgssauth -m JWT -a token=JWT_from_IdP

      Where JWT_from_IdP is a token issued by the IdP you configured in TdgssUserConfigFile.xml.

    3. Exit the test shell:
      exit
    4. Continue editing and testing until the configuration is correct.
  5. Run:
    /opt/teradata/tdgss/bin/run_tdgssconfig
  6. If run_tdgssconfig indicates that a TPA reset is required, run:
    tpareset -f "use updated TDGSSCONFIG GDO"