16.10 - Enabling and Changing Low, Medium, and High QOP Entries - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

You can enable the LOW, MEDIUM, and HIGH QOP entries for the TD2, PROXY, and LDAP mechanisms to support the use of QOP security policies. For information about configuring a QOP security policy, see Network Security Policy.

You can change the encryption strength for any entry by substituting another algorithm.

  1. Prepare the LOW, MEDIUM, and HIGH QOP section for editing, if required, depending on how the system arrived at Release 14.10.
    • On systems upgraded to Teradata Database 14.10 from Release 14.0 or before, add the LOW, MEDIUM, and HIGH QOP entries to the TdgssUserConfigFile.xml for the TD2 and LDAP mechanisms from the sample configuration in /opt/teradata/tdgss/etc/TdgssUserConfigFile.xml.
      <!-- LOW SECURITY QOP
      <MechQop Value="Low">
          AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
      </MechQop>
      -->
      <!-- MEDIUM SECURITY QOP
      <MechQop Value="Medium">
          AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
      </MechQop>
      -->
      <!-- HIGH SECURITY QOP
      <MechQop Value="High">
          AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
      </MechQop>
      -->
    • On systems with a freshly installed Teradata Database 14.10 Release, the TdgssUserConfigFile.xml already contains the LOW, MEDIUM, and HIGH QOP entries, so you can skip to the next step.
  2. Uncomment the LOW, MEDIUM, and HIGH QOP entries to enable them for use with QOP security policies.
    <!-- LOW SECURITY QOP -->
    <MechQop Value="Low">
        AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
    <!-- MEDIUM SECURITY QOP -->
    <MechQop Value="Medium">
        AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
    <!-- HIGH SECURITY QOP -->
    <MechQop Value="High">
        AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
  3. You can optionally edit the LOW, MEDIUM, and HIGH QOP entries by changing to a stronger encryption algorithm, for example:
    <!-- LOW SECURITY QOP -->
    <MechQop Value="Low">
        AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
  4. After you complete editing, run the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  5. Run tpareset to activate the changes to the TDGSS configuration.
    tpareset -f "use updated TDGSSCONFIG GDO"

For more information, see Changing the TDGSS Configuration.
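
An added check, not part of the Teradata documentation: before running run_tdgssconfig in step 4, this Python script reports which QOP entries in a configuration fragment are still commented out and which key sizes each entry names. The sample fragment and its `<Sample>` wrapper are constructed, and the meaning of each name field (cipher, mode, padding, hash, key exchange) is an assumption read off the entry names on this page.

```python
import re

# Constructed sample: the entries from this page after steps 2 and 3, with HIGH
# deliberately left commented out. The <Sample> wrapper is hypothetical.
SAMPLE = """<Sample>
<!-- LOW SECURITY QOP -->
<MechQop Value="Low">
    AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
</MechQop>
<!-- MEDIUM SECURITY QOP -->
<MechQop Value="Medium">
    AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
</MechQop>
<!-- HIGH SECURITY QOP
<MechQop Value="High">
    AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
</MechQop>
-->
</Sample>"""

COMMENT = re.compile(r"<!--(.*?)-->", re.S)
ENTRY = re.compile(r'<MechQop\s+Value="(\w+)">\s*(\S+?)\s*</MechQop>')

def parse_algorithm(name):
    """Split an entry name into fields (the field meanings are an assumption)."""
    cipher, mode, padding, digest, kex = name.split("_")
    cipher_name, cipher_bits = cipher.split("-K")
    kex_name, kex_bits = kex.split("-K")
    return {"cipher": cipher_name, "cipher_bits": int(cipher_bits), "mode": mode,
            "padding": padding, "hash": digest, "kex": kex_name, "kex_bits": int(kex_bits)}

def audit_qop(xml_text):
    """Map each QOP level to its parsed algorithm and enabled/commented state."""
    report = {}
    for body in COMMENT.findall(xml_text):        # entries still inside <!-- -->
        for level, algo in ENTRY.findall(body):
            report[level] = {"enabled": False, **parse_algorithm(algo)}
    for level, algo in ENTRY.findall(COMMENT.sub("", xml_text)):  # live entries
        report[level] = {"enabled": True, **parse_algorithm(algo)}
    return report

def disabled_levels(report):
    """Levels whose entry is absent or still commented out."""
    return [lv for lv in ("Low", "Medium", "High") if not report.get(lv, {}).get("enabled")]

if __name__ == "__main__":
    print(audit_qop(SAMPLE))
    print("not enabled:", disabled_levels(audit_qop(SAMPLE)))
```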