16.10 - Sample Configuration for Mutual Authentication - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

The following example shows a typical TdgssUserConfigFile.xml update to support TLS mutual authentication on the LDAP mechanism. Configuration of the KRB5 or SPNEGO mechanism is similar.

<Mechanism Name="ldap">
    <MechanismProperties
        ...
        LdapClientTlsCert="/opt/teradata/tdat/tdgss/site/ssl/certs/clientcert.pem"
        LdapClientTlsKey="/opt/teradata/tdat/tdgss/site/ssl/certs/clientkey.pem"
        />
</Mechanism>

After you add the client certificate and key to TdgssUserConfigFile.xml and run the run_tdgssconfig utility in the TDGSS bin directory, you can test the setup with tdgssauth. See Working with tdgssauth.

Make sure to verify the configuration on each Teradata node and on the Unity server, if used. Failure to adequately test the configuration can result in loss of connectivity for Teradata clients using LDAP authentication.
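
As an added example (not part of the Teradata documentation or tooling), the following Python script checks the two files named in the ldap mechanism on a node: both attributes are set, both files exist, the key is not accessible to group or others, and the certificate and key load as a matching pair. The enclosing element in the sample, the function names, the permission policy, and the use of an unencrypted PEM key are assumptions; the script complements testing with tdgssauth and does not replace it.

```python
import os
import ssl
import stat
import xml.etree.ElementTree as ET

# Constructed sample: the wrapper element is an assumption; the paths are the page's.
SAMPLE = """<Config>
  <Mechanism Name="ldap">
    <MechanismProperties
        LdapClientTlsCert="/opt/teradata/tdat/tdgss/site/ssl/certs/clientcert.pem"
        LdapClientTlsKey="/opt/teradata/tdat/tdgss/site/ssl/certs/clientkey.pem"/>
  </Mechanism>
</Config>"""


def ldap_tls_paths(config_xml):
    """Return (cert_path, key_path) from the ldap mechanism; None where unset."""
    root = ET.fromstring(config_xml)
    for mech in root.iter("Mechanism"):
        if mech.get("Name") == "ldap":
            props = mech.find("MechanismProperties")
            if props is not None:
                return props.get("LdapClientTlsCert"), props.get("LdapClientTlsKey")
    return None, None


def preflight(config_xml):
    """Return a list of problems; an empty list means the pair looks usable."""
    cert, key = ldap_tls_paths(config_xml)
    if not cert or not key:
        return ["LdapClientTlsCert and LdapClientTlsKey must both be set"]
    problems = [f"file not found: {p}" for p in (cert, key) if not os.path.isfile(p)]
    if problems:
        return problems
    # Assumed policy: the private key must not be accessible to group or others.
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"key file mode {mode:03o} is accessible to group/others: {key}")
    # load_cert_chain() raises on invalid PEM or when the key does not match the certificate.
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).load_cert_chain(cert, key)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"certificate and key do not load as a pair: {exc}")
    return problems


if __name__ == "__main__":
    for line in preflight(SAMPLE) or ["no problems found"]:
        print(line)
```
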

After verifying the results, restart the Teradata Database system to enable the new configuration.