16.10 - Guidelines for Configuring TeraGSS - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

The process for configuring TeraGSS and TDGSS is similar, so information about configuring TDGSS from other parts of this book can be used as a guide.

Ensure that the teragssAdmin package has been installed on the client machine. If it is not present, install it from the appropriate TTU package. This package is installed in the 16.10 TTU directory structure. The tools required to manage and debug a TeraGSS configuration are in the TTU bin directory. The supporting XML files and XSD schema are in the TTU etc directory.

If you already have a copy of the TdgssUserConfigFile.xml file in your TTU site directory, you may continue to use that file. If TdgssUserConfigFile.xml is configured for the deprecated mechanisms (see the list of limitations above) or contains configuration for PROXY and SPNEGO, those configurations must be removed. The only configurations that should remain are configurations for the TD2, LDAP, KRB5 and TDNEGO mechanisms.

If you do not have a copy of the TdgssUserConfigFile.xml file in your TTU site directory, you may copy the one in the TTU etc directory to the site directory and make edits to the copy.

Once your edits are complete, execute the run_tdgssconfig script found in the TTU bin directory. This script will compile the changes you made to the TdgssUserConfigFile.xml file into the tdgssconfig.bin file located in the TTU etc directory.

Configurable Items in TeraGSS

The following mechanism attributes and elements are configurable in TeraGSS, following the editing instructions found in other sections of this document:

  • DefaultMechanism – The preferred way to select a default mechanism specific to each client machine is to configure it through TTU installation and configuration. We recommend that this attribute be set to no for all mechanisms in TeraGSS. See DefaultMechanism for editing guidelines.
  • DefaultNegotiatingMechanism – See DefaultNegotiatingMechanism for editing guidelines.
  • MechanismEnabled – See MechanismEnabled for editing guidelines.
  • <MechQop> – These elements may be adjusted and managed if the defaults do not meet your requirements. See QOP Configuration Options for more information.
  • MechanismRank – See MechanismRank for editing guidelines.
  • <NegotiatedMechanism> – See Configuring TDNEGO Properties for more information.
  • <RequiredLibraryPath> – One or more of these elements may be added to the KRB5 mechanism to specify the location of a libgssapi_krb5.so library when this library resides in a non-standard location. Alternatively, the TDGSS_KRB5_KRB5LIB environment variable may be set to the location of the library if you wish to avoid modifying the TeraGSS configuration. Absolute paths are required in both the <RequiredLibraryPath> element and the environment variable. For details, see Reconfiguring TDGSS for a Non-Standard Installation of Kerberos.
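
The rules above (only TD2, LDAP, KRB5 and TDNEGO configurations may remain, DefaultMechanism set to no, absolute library paths) can be checked before run_tdgssconfig is executed. The following Python check is an added example, not part of the Teradata documentation or tooling; the element layout it expects (Mechanism elements with a Name attribute, a Path attribute on RequiredLibraryPath, the TdgssConfigFile root) and the sample document are assumptions to adjust to your file.

```python
import posixpath
import xml.etree.ElementTree as ET

ALLOWED = {"TD2", "LDAP", "KRB5", "TDNEGO"}  # mechanisms the page says may remain

# Constructed sample. Assumed layout: <Mechanism Name="..."> elements whose
# descendants carry the attributes, and a Path attribute on RequiredLibraryPath.
SAMPLE = """<TdgssConfigFile>
  <Mechanism Name="TD2">
    <MechanismProperties DefaultMechanism="yes" MechanismEnabled="yes"/>
  </Mechanism>
  <Mechanism Name="KRB5">
    <MechanismProperties DefaultMechanism="no" MechanismEnabled="yes"/>
    <RequiredLibraryPath Path="lib/libgssapi_krb5.so"/>
  </Mechanism>
  <Mechanism Name="SPNEGO">
    <MechanismProperties DefaultMechanism="no" MechanismEnabled="no"/>
  </Mechanism>
</TdgssConfigFile>"""


def audit(xml_text):
    """Return (mechanism, finding) tuples for a TdgssUserConfigFile.xml document."""
    findings = []
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        name = mech.get("Name", "<unnamed>")
        if name.upper() not in ALLOWED:
            findings.append((name, "remove this mechanism's configuration"))
            continue
        # mech.iter() yields the element itself and every descendant.
        if any(e.get("DefaultMechanism", "").lower() == "yes" for e in mech.iter()):
            findings.append((name, "DefaultMechanism should be no"))
        for lib in mech.iter("RequiredLibraryPath"):
            path = (lib.get("Path") or lib.text or "").strip()
            if not posixpath.isabs(path):
                findings.append((name, "RequiredLibraryPath not absolute: " + path))
    return findings


def audit_env(environ):
    """Apply the same absolute-path rule to TDGSS_KRB5_KRB5LIB, if it is set."""
    value = environ.get("TDGSS_KRB5_KRB5LIB")
    if value is not None and not posixpath.isabs(value):
        return [("KRB5", "TDGSS_KRB5_KRB5LIB not absolute: " + value)]
    return []


if __name__ == "__main__":
    import os
    for mech, finding in audit(SAMPLE) + audit_env(os.environ):
        print(mech + ": " + finding)
```

To audit a real file, pass its contents to audit() in place of SAMPLE and resolve every finding before compiling the configuration.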