16.10 - Creating Teradata Node and Unity Server Principals - Teradata Database

Teradata Database Security Administration

Product
Teradata Database
Release Number
16.10
Release Date
June 2017
Content Type
Administration
Security
Publication ID
B035-1100-161K
Language
English (United States)

You must create a Kerberos principal and password for each node on each Teradata Database system, and for each Unity server (if used), that is served by the MIT Kerberos Linux KDC.

Use the addprinc command to create the principal and password, for example, for a node:

kadmin.local: addprinc TERADATA/principal_name.esrootdom.esdev.tdat

WARNING: no policy specified for TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT; defaulting to no policy
Enter password for principal "TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT":
Re-enter password for principal "TERADATA/principal_name.esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT":
Principal "TERADATA/principal_name.esrootdom.esdev.tdat@
UNIX.ESROOTDOM.ESDEV.TDAT" created.

where:

Element Description
principal_name.esrootdom.esdev.tdat The FQDN of a Teradata Database node or Unity server.

principal_name should use the naming conventions shown in step 4 of Creating a Computer Component for Database Nodes and Unity Server.

UNIX.ESROOTDOM.ESDEV.TDAT The Kerberos realm in which the Teradata Database node or Unity server principal(s) is being added.

The string: TERADATA/principal_name .esrootdom.esdev.tdat@UNIX.ESROOTDOM.ESDEV.TDAT, used to represent the principal, also constitutes the SPN for the principal. The SPN is used later in Creating the Kerberos Keys and Installing the Kerberos Keys to uniquely identify the keys.

When creating a Unity server principal, the service name is still TERADATA, for example:
kadmin.local: addprinc TERADATA/principal_name.esrootdom.esdev.tdat