16.10 - Corrective Action - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

  1. Obtain the certificate from the directory with the openssl command:
    openssl s_client -connect server_name:port

    where:

    • server_name is the DNS name of the directory server
    • port is the number of the port where the directory server listens
  2. In the output from this command, find the line that begins with subject. This line should contain a CN attribute. The CN attribute value, a name, must resolve in DNS to the IP address of the directory server. The error message occurs because the name either does not resolve or resolves to the wrong IP address, so the cause is either a DNS problem or a problem with the name in the server certificate.
  3. Check the following items to determine the problem and then fix it.
    1. If the LdapServerName property names the directory server explicitly, make sure the name in the property value matches the name in the subject for the directory server certificate. For example, if the subject CN attribute contains:
      dlopldap.td.teradata.com

      then make sure the LdapServerName property contains either the TLS specification:

      ldap://dlopldap.td.teradata.com/

      or the SSL specification:

      ldaps://dlopldap.td.teradata.com/
    2. Make sure that the name in the CN attribute is resolvable and returns the correct IP address. Fix any errors and try again.
    3. If the name in the CN attribute cannot be resolved or resolves to the wrong IP address, and cannot be changed in DNS, you must install a new certificate on the directory server. See Checking the Directory Server Certificates.

      The CN attribute must meet these requirements:

      • The subject for the certificate must contain the DNS name (preferably, the fully qualified DNS name) that resolves to the IP address where the server is listening.
      • The DNS name must correctly resolve on the Teradata Database nodes or Unity server.
      • If the LdapServerName attribute is configured to explicitly name directory servers, the value in the subject's CN attribute must be used in the configured LDAP or LDAPS URI.
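
The checks in steps 2 and 3 can be scripted against saved `openssl s_client` output. The following is an added example, not part of the Teradata documentation; the function names, the constructed subject lines and the use of `getent` for the DNS lookup are assumptions.

```shell
#!/bin/sh
# Added example: steps 2-3 applied to saved `openssl s_client` output.

# CN from the "subject" line on stdin. Handles both OpenSSL layouts:
#   subject=/C=US/CN=name      and      subject=C = US, CN = name
subject_cn() {
    sed -n 's|^ *subject=||p' | head -n 1 |
        sed -n 's|.*CN *= *\([^,/]*\).*|\1|p' | sed 's| *$||'
}

# Host part of an ldap:// or ldaps:// URI (port and path dropped).
uri_host() {
    printf '%s\n' "$1" | sed -n 's|^ldaps\{0,1\}://\([^:/]*\).*|\1|p'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Step 3.1: does the CN equal the host in the LdapServerName URI?
cn_matches_uri() {  # $1 = CN, $2 = URI
    [ -n "$1" ] && [ "$(lower "$1")" = "$(lower "$(uri_host "$2")")" ]
}

# Step 3.2: does the CN resolve to the expected address on this node?
# Assumes glibc `getent`; run it on the Teradata node or Unity server.
cn_resolves_to() {  # $1 = CN, $2 = expected IP
    getent ahosts "$1" 2>/dev/null | awk '{print $1}' | grep -qxF "$2"
}

# Full check. $1 = file with s_client output, $2 = LdapServerName URI, $3 = IP
check_directory_cert() {
    cn=$(subject_cn < "$1")
    [ -n "$cn" ] || { echo "FAIL: no CN in subject line"; return 1; }
    cn_matches_uri "$cn" "$2" || { echo "FAIL: CN $cn not in $2"; return 1; }
    cn_resolves_to "$cn" "$3" || { echo "FAIL: $cn does not resolve to $3"; return 1; }
    echo "OK: $cn matches $2 and resolves to $3"
}

# Offline demo on constructed subject lines (not real server output).
for s in 'subject=/C=US/O=Example/CN=dlopldap.td.teradata.com' \
         'subject=C = US, O = Example, CN = dlopldap.td.teradata.com'; do
    cn=$(printf '%s\n' "$s" | subject_cn)
    if cn_matches_uri "$cn" 'ldaps://dlopldap.td.teradata.com/'; then
        echo "match: $cn"
    else
        echo "mismatch: $cn"
    fi
done
```

To run the full check, save the step 1 output to a file and call `check_directory_cert` with that file, the configured LdapServerName URI and the IP address where the directory server listens.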