16.10 - Changing the Configuration on Teradata Database Nodes - Teradata Database

Teradata Database Security Administration

Product
Teradata Database
Release Number
16.10
Release Date
June 2017
Content Type
Administration
Security
Publication ID
B035-1100-161K
Language
English (United States)
  1. On the Teradata Database node with the lowest ID number, navigate to the directory that contains TdgssUserConfigFile.xml.
    cd /opt/teradata/tdat/tdgss/site
  2. Make a backup copy of TdgssUserConfigFile.xml and save it according to your site standard backup procedures.
  3. Edit the TdgssUserConfigFile.xml using a text editor, such as vi.
  4. Uncomment the TDNEGO mechanism section, if not already done, and edit the properties as desired.
    Do not set the DefaultMechanism property to “yes” in the TDNEGO section. If DefaultMechanism is set to yes, older clients requesting the default mechanism will get a failed logon.
    • If you are performing an upgrade, rather than a new installation, the TdgssUserConfigFile.xml in /opt/teradata/tdat/tdgss/site directory is preserved so the TDNEGO mechanism may not be present in the file. Copy the TDNEGO mechanism from the TdgssUserConfigFile.xml in the /opt/teradata/tdat/tdgss/<version>/etc directory. Paste the mechanism into /opt/teradata/tdat/tdgss/site/TdgssUserConfigFile.xml file. Edit it as needed.
    • (Optional) If there are Windows .NET 16.0 or higher clients that want to use SPNEGO as a TDNEGO negotiated mechanism to access Teradata Database 15.10, see the following for configuration details: SPNEGO Mechanism Offered by TDNEGO on Teradata Database 15.10 for Windows .NET 16.0 Clients.
    • (Optional) Edit the DefaultNegotiatingMechanism. For example, to set TDNEGO as the DefaultNegotiatingMechanism update the property to “yes” in the TDNEGO mechanism.
  5. Run the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  6. Run tpareset to activate the changes to the TDGSS configuration.
    tpareset -f “use updated TDGSSCONFIG GDO”
You only need to perform this procedure once from any node in a Teradata Database system. Running the run_tdgssconfig tool distributes the change to all database nodes.

SPNEGO Mechanism Offered by TDNEGO on Teradata Database 15.10 for Windows .NET 16.0 Clients

TDNEGO offers TD2 and LDAP as negotiated mechanisms for Windows .NET 16.0 or higher clients to access Teradata Database 15.10 or higher. TDNEGO offers SPNEGO as a negotiated mechanism for Windows .NET 16.0 or higher clients to access Teradata Database 16.0.

For a Windows .NET 16.0 or higher client that wants to use SPNEGO as a TDNEGO negotiated mechanism to access Teradata Database 15.10, add SPNEGO to the TDGSS configuration file on the Teradata Database 15.10 server.
Teradata Database 16.0 is already configured to offer SPNEGO to Windows .NET clients. CLI, ODBC, and JDBC do not support SPNEGO, so the only time the following configuration needs to be done is with a Teradata Database 15.10 server and Windows .NET 16.0 clients that want to use SPNEGO.
  1. On the Teradata Database 15.10 server, edit TdgssUserConfigFile.xml, add the highlighted line below to the TDNEGO mechanism, and uncomment the TDNEGO section (if not already done):
     <!-- TDNEGO: Teradata Negotiated Method -->
    
          <!-- To modify TDNEGO configuration, uncomment this section and edit
          <Mechanism Name="TDNEGO"
          <MechanismProperties
    
          MechanismEnabled="yes"
          DefaultMechanism="no"
          DefaultNegotiatingMechanism="no"
          MechanismRank="10"
    
          />
    
         <!-- Mechanisms offered for negotiation: KRB5, SPNEGO, ldap, TD2 -->
         <NegotiatedMechanism ObjectId="1.2.840.113554.1.2.2" Enable="yes"/>
          <NegotiatedMechanism ObjectId="1.3.6.1.5.5.2" Enable="yes"/> 
         <NegotiatedMechanism ObjectId="1.3.6.1.4.1.191.1.1012.1.20" Enable="yes"/>
         <NegotiatedMechanism ObjectId="1.3.6.1.4.1.191.1.1012.1.1.9" Enable="yes"/>																											
     </Mechanism>
    
            (end of commented out section) -->
  2. Complete the configuration steps (run_tdgssconfig, tpareset, and so on) in Changing the Configuration on Teradata Database Nodes.