16.10 - LdapClientTlsCACertDir - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release: 16.10
Created: June 2017
Category: Administration, Security
Document ID: B035-1100-161K

The LdapClientTlsCACertDir property specifies the path of a directory that contains individual CA certificates in separate files. You can use the LdapClientTlsCACert property to support SSL/TLS certificate chain verification, but LdapClientTlsCACertDir is preferred.

Before you assign a value to the LdapClientTlsCACertDir property, you must use the TDGSS certlink utility to generate symbolic links that point to the actual certificate files. See Creating the CA Certificate Symlinks for instructions on using the certlink utility.

Valid Settings

Setting | Description
"" (default) | No cert directory is specified.
A valid directory path | The path to a directory that contains individual CA certificates, in separate files, for all of the Certificate Authorities the client recognizes. The file system you use for the path must support symbolic links.

Supporting Mechanisms for LdapClientTlsCACertDir

Mechanisms that are not listed in the table do not support this property. The Property Editable column indicates if the setting for a property may be edited.

Mechanism | Property Editable?
KRB5 | May Be Edited
LDAP |

The LdapClientTlsCACertDir property appears only in the library configuration file. To set a value, you must manually add it to the TdgssUserConfigFile.xml for the needed mechanisms. See About Editing Configuration Files.

Editing Guidelines

  • If you decide to use TLS protection, edit this property for all mechanisms that have the AuthorizationSupported property set to yes.
  • Edit this property on the database and the Unity server. Also see Coordinating Mechanism Property Values for Unity.
  • Specify the path of a directory that contains individual CA certificates in separate files for all of the Certificate Authorities the client recognizes.
    The Linux user under which Teradata Database runs must own and have read access to this file. For sites that configured this property before Release 14.0, the permission is granted automatically by a script upon upgrade to Release 14.0. For sites that configure this property on Release 14.0 or later, you must grant the permission manually.
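
A pre-flight check for the directory described above, written as an added example (it is not Teradata code and does not use or replace the certlink utility). It assumes GNU stat and readlink on Linux; the function names, the finding labels, and the directory and owner arguments are hypothetical and supplied by the caller.

```shell
#!/usr/bin/env bash
# Added example: audit a CA certificate directory before LdapClientTlsCACertDir
# is pointed at it. Checks that the symbolic links resolve to regular files and
# that the given Linux user owns the directory and can read each certificate.

# owned_by PATH OWNER   (OWNER may be a user name or a numeric UID)
owned_by() {
    [ "$(stat -c %U "$1")" = "$2" ] || [ "$(stat -c %u "$1")" = "$2" ]
}

# audit_ca_dir DIR OWNER
# Prints one finding per line; the return status is the number of findings.
audit_ca_dir() {
    local dir=$1 owner=$2 findings=0 links=0 entry target
    if [ ! -d "$dir" ]; then
        echo "MISSING_DIR $dir"; return 1
    fi
    if ! owned_by "$dir" "$owner"; then
        echo "DIR_OWNER $dir"; findings=$((findings + 1))
    fi
    for entry in "$dir"/*; do
        # Only symbolic links are audited; other entries are skipped
        # (assumption: they are the certificate files themselves).
        [ -L "$entry" ] || continue
        links=$((links + 1))
        if [ ! -e "$entry" ]; then            # link target no longer exists
            echo "DANGLING $entry"; findings=$((findings + 1)); continue
        fi
        target=$(readlink -f "$entry")
        if [ ! -f "$target" ]; then
            echo "NOT_A_FILE $entry -> $target"; findings=$((findings + 1)); continue
        fi
        if ! owned_by "$target" "$owner"; then
            echo "FILE_OWNER $target"; findings=$((findings + 1))
        fi
        # The owner read bit must be set (modes such as 0400 or 0644).
        case "$(stat -c %A "$target")" in
            ?r*) ;;
            *) echo "NOT_OWNER_READABLE $target"; findings=$((findings + 1)) ;;
        esac
    done
    if [ "$links" -eq 0 ]; then
        echo "NO_SYMLINKS $dir"; findings=$((findings + 1))
    fi
    return $(( findings > 255 ? 255 : findings ))
}
```

A return status of 0 means every link resolved to a certificate file that the named user owns and can read.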