Run tdgssauth from the Teradata Database command prompt. Enter the tdgssauth options needed for your test. For example, first become the teradata user and then run the tool:
su - teradata
tdgssauth -u username -m mechanism -i IP_address
The following rules apply when using tdgssauth:
- You can specify tdgssauth options in any order, but they must be separated by spaces.
- The input is case sensitive.
- Become the teradata user (su - teradata) if the system is configured for CA certificates as part of setting up SSL/TLS. This causes tdgssauth to run under the Linux user teradata instead of root, which accurately represents how the system processes authentication when CA certificates are present. Also see SSL/TLS Protection Options.
Using tdgssauth Options
Options that control initialization (only one may be specified):

| Option | Description |
|---|---|
| -s | Perform a server-mode TDGSS initialization. The default on database nodes. Not available on Unity. Mutually exclusive with -t. |
| -t dir | Perform a test-mode initialization. Mutually exclusive with -s. |
| -v ver | Specify the TDGSS version to test. May not be used with -t; may be used only with server-mode initialization. |

Options that control the token exchange:

| Option | Description |
|---|---|
| -m mechname | Specify the mechanism to use. If a mechanism is not specified, the default mechanism is selected. |
| -n SPN | Specify the target Service Principal Name (SPN). |
| -M | Request mutual authentication. |
| -R | Request replay detection. |
| -S | Request out-of-sequence detection. |
| -I | Request integrity support. |
| -C | Request confidentiality support. |
| -? | Request that a usage message be displayed. |

Options that control authentication (see Rules for tdgssauth Options That Control Authentication):

| Option | Description |
|---|---|
| -u user | Specify the user name to authenticate. |
| -w password | Specify the user's password. If -w is omitted, the tool prompts for the password securely (without echoing) when the mechanism is an authenticating mechanism. |
| -a additional-logdata | Allows specification of additional authorization information other than authcid and password; for example, you can specify profile information: `tdgssauth -u user -w password -a profile=myprofile -m ldap` |

Options that control security policy checks:

| Option | Description |
|---|---|
| -i ipaddr | The IPv4 or IPv6 address of the client to use in security policy tests. If this option is not included, security policy checks are not performed. If -i is included but -u has not been specified and the mechanism is non-authenticating (such as TD2), security policy checks are not performed. |

Options that control wrapping and unwrapping:

| Option | Description |
|---|---|
| -T text string | Specifies a text string to wrap and unwrap. The string is wrapped on the client side, unwrapped on the server side, rewrapped on the server side, and unwrapped again on the client side. As many -T options as desired may be specified. If none are specified, no wrapping and unwrapping is performed. |
| -c | Requests confidentiality on the initial wrap operation. |
| -e | Requests encryption during wrapping. Without this option, the message text specified in -T options only has a message integrity checksum (MIC) appended. |
| -q [low\|medium\|high\|default\|0\|1\|2\|3] | Specifies the quality of protection to use when generating MICs and encrypting. |

Options that control the output:

| Option | Description |
|---|---|
| -V num | Request verbose output. In this mode, the tokens are dumped and return codes from all TDGSS functions are formatted and displayed. If num is non-zero, LDAP logging is enabled using the value as OpenLDAP's trace flags. The output includes the user's password and the database service password; both the character interpretation and the dumped hex need to be changed before sharing this trace information. |
| -l | Dumps TDNEGO logs if TDNEGO is the chosen mechanism. |
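Because a -V trace carries the password both as dumped hex bytes and in the character column, scrubbing only one of the two leaks the secret. The following is an added example (not part of the Teradata documentation or the tdgssauth tool) of a redaction helper that rewrites both forms, including a password that straddles two dump lines; the `offset: hex bytes  ascii` dump layout and the sample trace are constructed assumptions, not the real tdgssauth output format.

```python
import re

# Assumed dump-line shape (constructed for this example, not tdgssauth's exact layout):
#   "0000: 00 01 74 64 75 73 65 72 3a 50 61 73 73 77 30 72  ..tduser:Passw0r"
DUMP_LINE = re.compile(
    r"^(?P<off>[0-9a-fA-F]{4}): (?P<hex>(?:[0-9a-fA-F]{2} ){1,16}) (?P<asc>.*)$")

# Constructed sample trace; the password "Passw0rd!" is split across the two dump lines.
SAMPLE_TRACE = """tdgssauth -u tduser -w Passw0rd! -m ldap -i 192.0.2.10
Initial token (constructed sample, 20 bytes):
0000: 00 01 74 64 75 73 65 72 3a 50 61 73 73 77 30 72  ..tduser:Passw0r
0010: 64 21 00 02  d!..
"""

def redact_trace(trace: str, password: str, encoding: str = "utf-8") -> str:
    """Replace every occurrence of `password` with '*' in plain-text lines, in the
    hex column of dump lines, and in the re-rendered character column.
    Only the raw encoded bytes are matched; escaped/quoted forms are not covered."""
    secret = password.encode(encoding)
    lines = trace.splitlines()
    # 1. Reassemble all dump bytes so a password spanning a line boundary is still found.
    buf = bytearray()
    for ln in lines:
        m = DUMP_LINE.match(ln)
        if m:
            buf += bytes.fromhex(m.group("hex"))
    # 2. Overwrite each occurrence in place; same length, so offsets stay valid.
    start = 0
    while (pos := buf.find(secret, start)) != -1:
        buf[pos:pos + len(secret)] = b"*" * len(secret)
        start = pos + len(secret)
    # 3. Re-render dump lines from the scrubbed bytes; scrub plain lines by substring.
    cursor = 0
    for i, ln in enumerate(lines):
        m = DUMP_LINE.match(ln)
        if m:
            n = len(m.group("hex")) // 3          # each byte is rendered as "xx "
            chunk = bytes(buf[cursor:cursor + n])
            cursor += n
            hexcol = " ".join(f"{b:02x}" for b in chunk)
            asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
            lines[i] = f"{m.group('off')}: {hexcol}  {asc}"
        else:
            lines[i] = ln.replace(password, "*" * len(password))
    return "\n".join(lines)
```

The database service password named in the -V description must be scrubbed with a second call using that value.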
Rules for tdgssauth Options That Control Authentication
The tdgssauth options that control authentication are: -u, -w, and -a. The following rules apply for using these options:
- If the mechanism supports authentication then at least one of -u or -a must be specified.
- If the mechanism supports authentication and -u is specified, the user's name and password are encoded into a properly escaped and quoted User Principal Name (UPN). If -a has also been specified, a space character and the value provided in the -a option are appended to the UPN, and the resulting string is used as mechdata (.logdata).
- If the mechanism supports authentication and -u is not specified, -a must be specified and the value passed must be complete mechdata, which includes the user's name and password (legacy mode).
- If the mechanism does not support authentication, then -u must be specified only if security policy checks are to be made.