16.10 - Changing the Default QOP Strength - Teradata Database

Teradata Database Security Administration

prodname: Teradata Database
vrm_release: 16.10
created_date: June 2017
category: Administration, Security
featnum: B035-1100-161K

If the default QOP strength does not meet site needs, you can edit the DEFAULT QOP configuration for the LDAP and TD2 mechanisms so sessions that enable encryption default to a stronger algorithm.

  1. Prepare the DEFAULT QOP section for editing:
    • On systems where the last fresh install of Teradata Database was Release 13.10 or before, replace the existing QOP section in TdgssUserConfigFile.xml,
      <MechQop Value="0"> GLOBAL_QOP_1 </MechQop>

      with copies of the LEGACY QOP and DEFAULT QOP sections from /opt/teradata/tdgss/etc/TdgssUserConfigFile.xml. Uncomment the DEFAULT QOP section and edit as needed:

      <!-- LEGACY QOP
      <MechQop Value="0"/>
      -->
      <!-- To update security to a common level,
           uncomment "DEFAULT QOP" and edit. -->
      <!-- DEFAULT QOP
      <MechQop Value="Default">
          AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
          AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
          AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
      </MechQop>
      -->
    • On systems where Teradata Database was freshly installed at Release 14.0 or above, the DEFAULT QOP section already exists in the TdgssUserConfigFile.xml.
  2. Uncomment the DEFAULT QOP section (if not done previously) and edit it, either by reordering the list to put the needed encryption strength at the top or by removing a value, for example:
    <!-- DEFAULT QOP -->
    <MechQop Value="Default">
        AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
        AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
    If you remove AES-128 from the list and the Legacy QOP is still enabled, execution of the run_tdgssconfig utility in the following step exits with an error.
  3. After editing, use the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  4. Run tpareset to activate the changes to the TDGSS configuration.
    tpareset -f "use updated TDGSSCONFIG GDO"
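
A pre-flight check for the edited file, run before step 3, can catch the AES-128/Legacy QOP conflict described in step 2 and show which strength now sits at the top of each list. This is an added example, not Teradata code: the sample document, its wrapper elements and the Name attribute are constructed, and it assumes that an uncommented MechQop with Value="0" means the Legacy QOP is enabled.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real site file. The wrapper elements and the Name
# attribute are assumptions; only the MechQop fragments follow the page.
SAMPLE = """<Config>
  <Mechanism Name="TD2">
    <MechQop Value="0"/>
    <MechQop Value="Default">
      AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
      AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
  </Mechanism>
  <Mechanism Name="ldap">
    <!-- LEGACY QOP
    <MechQop Value="0"/>
    -->
    <MechQop Value="Default">
      AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
      AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
  </Mechanism>
</Config>"""

def check_qop(xml_text):
    """Per parent element: active DEFAULT QOP list, Legacy state, conflict flag."""
    report = {}
    # The default parser discards comments, so commented-out sections are ignored.
    for parent in ET.fromstring(xml_text).iter():
        qops = parent.findall("MechQop")
        if not qops:
            continue
        # Assumption: an uncommented MechQop with Value="0" means Legacy QOP is enabled.
        legacy = any(q.get("Value") == "0" for q in qops)
        default = [a for q in qops if q.get("Value") == "Default"
                   for a in (q.text or "").split()]
        has_128 = any(a.startswith("AES-K128_") for a in default)
        report[parent.get("Name", parent.tag)] = {
            "default_list": default,
            "first": default[0] if default else None,  # entry at the top of the list
            "legacy_enabled": legacy,
            # Step 2 caveat: AES-128 removed while the Legacy QOP is still enabled.
            "conflict": bool(default) and legacy and not has_128,
        }
    return report

if __name__ == "__main__":
    for name, r in check_qop(SAMPLE).items():
        state = "CONFLICT: expect run_tdgssconfig error" if r["conflict"] else "ok"
        print(f"{name}: first={r['first']} legacy={r['legacy_enabled']} -> {state}")
```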