16.10 - Checking Nodes and Unity Servers for Existing Kerberos Keys (Optional) - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

Any Kerberos keys that already exist in a node or Unity server keytab file could be overwritten (destroyed) when you install new keys. When replacing existing keys, overwriting is normal. However, if you want to retain and add to the existing keys, you must use the key merge procedure, which avoids overwriting.

You can use the pcl command to find and display any Kerberos keys that already exist on database nodes or a Unity server to help determine if you should use the merge procedure when installing new keys:

pcl -s klist -ke [keytab_file_name]

This example, using the keytab file in its standard location, shows a two-node system. The pre-existing keys are the KVNO entries listed under each node:

l3592:/ > pcl -s klist -ke /etc/teradata.keytab
All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/l3592.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
      13  TERADATA/l3593.esrootdom.esdev.tdat@ESROOTDOM.ESDEV.TDAT (DES cbc mode with RSA-MD5)
------------------------------------------------------------------

If no keys are present, the output appears without the key entries:

l3592:/ > pcl -s klist -ke /etc/teradata.keytab
All 2 node(s) have connected
<--------------------- node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
<--------------------- node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------

The key files are similar on a Unity server.
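Reading the pcl output by eye works for two nodes, but on a larger system it is easy to miss a node that still holds keys. The following script is an added example, not part of the Teradata documentation or product: it parses the text that "pcl -s klist -ke" prints (in the format shown above), reports per node how many keys the keytab already holds, and states whether the merge procedure is needed before installing new keys. As an added check it also flags entries that use DES-family encryption types, which the klist output above reveals and which modern KDCs no longer consider secure. The sample output, the node and principal names, and the function names are constructed for this example; the script does not run pcl itself.

```python
import re

# Node banner printed by pcl in front of each node's klist output, e.g.
#   <---------------------   node_name2_bynet  ------------------------->
NODE_BANNER = re.compile(r"^<-+\s*(\S+)\s*-+>$")

# One keytab entry from "klist -ke":  <kvno>  <principal> (<enctype>)
KEY_LINE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\((.+)\)\s*$")

# Encryption-type prefixes treated as weak (assumption for this example:
# single DES and triple DES are deprecated by RFC 6649 / RFC 8429).
WEAK_ENCTYPE_PREFIXES = ("des",)


def parse_pcl_klist(text):
    """Return {node_name: [(kvno, principal, enctype), ...]} from pcl output.

    A node banner that follows a key entry without a line break (as in the
    documentation sample) is split onto its own line before parsing.
    """
    text = re.sub(r"(?<=\S)<-", "\n<-", text)
    nodes = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        banner = NODE_BANNER.match(line)
        if banner:
            current = banner.group(1)
            nodes[current] = []
            continue
        entry = KEY_LINE.match(line)
        if entry and current is not None:
            kvno, principal, enctype = entry.groups()
            nodes[current].append((int(kvno), principal, enctype))
    return nodes


def assess_keytabs(nodes):
    """Decide per node whether existing keys mean the merge procedure applies."""
    report = {}
    for node, keys in nodes.items():
        weak = [p for (_, p, enc) in keys
                if enc.lower().startswith(WEAK_ENCTYPE_PREFIXES)]
        report[node] = {
            "key_count": len(keys),
            # Any pre-existing key would be overwritten by a plain install,
            # so the merge procedure is required to retain it.
            "needs_merge": bool(keys),
            "weak_enctypes": weak,
        }
    return report


# Constructed sample modelled on the documentation output: two nodes, each
# holding two keys, with the second node banner fused onto a key line.
SAMPLE_WITH_KEYS = """\
All 2 node(s) have connected
<---------------------   node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/node1.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
      13  TERADATA/node2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)<---------------------   node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
      14  TERADATA/node1.example.com@EXAMPLE.COM (DES cbc mode with RSA-MD5)
      13  TERADATA/node2.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
"""

# Constructed sample with empty keytabs on both nodes.
SAMPLE_EMPTY = """\
All 2 node(s) have connected
<--------------------- node_name2_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
<--------------------- node_name1_bynet  ------------------------->
Keytab name: FILE:/etc/teradata.keytab
KVNO Principal
------------------------------------------------------------------
"""


if __name__ == "__main__":
    for label, sample in (("with keys", SAMPLE_WITH_KEYS), ("empty", SAMPLE_EMPTY)):
        print(f"== sample: {label} ==")
        for node, info in assess_keytabs(parse_pcl_klist(sample)).items():
            action = "use merge procedure" if info["needs_merge"] else "plain install is safe"
            print(f"{node}: {info['key_count']} key(s) -> {action}")
            for principal in info["weak_enctypes"]:
                print(f"  weak enctype on {principal}")
```

To use it against a live system, capture the command output to a file ("pcl -s klist -ke /etc/teradata.keytab > keytab-check.txt") and pass the file contents to parse_pcl_klist. The parser keys its results on the node banner, so a node that pcl failed to reach simply does not appear in the report, which is itself worth noticing before installing keys.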