16.10 - Changing the Default QOP Strength - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

If the default QOP strength does not meet site needs, you can edit the DEFAULT QOP configuration for the LDAP and TD2 mechanisms so sessions that enable encryption default to a stronger algorithm.

  1. Prepare the DEFAULT QOP section for editing:
    • On systems where the last fresh install of Teradata Database was Release 13.10 or earlier, replace the existing QOP section in TdgssUserConfigFile.xml:
      <MechQop Value="0"> GLOBAL_QOP_1 </MechQop>

      with copies of the LEGACY QOP and DEFAULT QOP sections from /opt/teradata/tdgss/etc/TdgssUserConfigFile.xml. Uncomment the DEFAULT QOP section and edit as needed:

      <!-- LEGACY QOP
      <MechQop Value="0"/>
      -->
      <!-- To update security to a common level,
           uncomment "DEFAULT QOP" and edit. -->
      <!-- DEFAULT QOP
      <MechQop Value="Default">
           AES-K128_CBC_PKCS5Padding_SHA1_DH-K2048
           AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
           AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
      </MechQop>
      -->
    • On systems where Teradata Database was freshly installed at Release 14.0 or above, the DEFAULT QOP section already exists in the TdgssUserConfigFile.xml.
  2. Uncomment the DEFAULT QOP section (if not done previously) and edit it, either by reordering the list so that the needed encryption strength is at the top or by removing a value, for example:
    <!-- DEFAULT QOP -->
    <MechQop Value="Default">
         AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
         AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
    </MechQop>
    If you remove AES-128 from the list and the Legacy QOP is still enabled, execution of the run_tdgssconfig utility in the following step exits with an error.
  3. After editing, use the run_tdgssconfig utility to update the TDGSSCONFIG GDO.
    /opt/teradata/tdgss/bin/run_tdgssconfig
  4. Run tpareset to activate the changes to the TDGSS configuration.
    tpareset -f "use updated TDGSSCONFIG GDO"
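
A pre-flight check for the edited DEFAULT QOP section, to run before step 3. This is an added example, not part of the Teradata documentation. The <Mechanism> wrapper in the sample is constructed, the check handles one mechanism's fragment at a time, and treating an uncommented <MechQop Value="0"> element as "legacy QOP enabled" is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the <Mechanism> wrapper is a placeholder, not the real file layout.
SAMPLE = """\
<Mechanism Name="TD2">
  <!-- LEGACY QOP
  <MechQop Value="0"/>
  -->
  <!-- DEFAULT QOP -->
  <MechQop Value="Default">
       AES-K256_CBC_PKCS5Padding_SHA1_DH-K2048
       AES-K192_CBC_PKCS5Padding_SHA1_DH-K2048
  </MechQop>
</Mechanism>
"""

def active_qop(xml_text):
    """Map each uncommented MechQop Value attribute to its entries, in file order."""
    root = ET.fromstring(xml_text)  # the default parser drops XML comments
    return {el.get("Value"): (el.text or "").split() for el in root.iter("MechQop")}

def check_default_qop(xml_text, wanted_first):
    """Return a list of problems to resolve before running run_tdgssconfig."""
    qop = active_qop(xml_text)
    default = qop.get("Default")
    if default is None:
        return ["DEFAULT QOP section is missing or still commented out"]
    problems = []
    if not default:
        problems.append("DEFAULT QOP list is empty")
    elif not default[0].startswith(wanted_first):
        problems.append(f"first entry is {default[0]}, expected {wanted_first}*")
    # Assumption: an active <MechQop Value="0"> means the legacy QOP is enabled.
    if "0" in qop and not any(e.startswith("AES-K128") for e in default):
        problems.append("AES-K128 removed while LEGACY QOP is still enabled")
    return problems

if __name__ == "__main__":
    for problem in check_default_qop(SAMPLE, "AES-K256") or ["no problems found"]:
        print(problem)
```

An empty result means the section is uncommented, the wanted strength is listed first, and the AES-128 removal condition described in step 2 does not apply.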