Make the following changes to the TdgssUserConfigFile.xml file in the TDGSS site directory on database nodes or in Unity’s copy of the file on Unity servers (for Unity configuration, see Teradata Unity Installation, Configuration, and Upgrade Guide for Customers).
- Add the LdapClientTlsCACertDir property, and specify the full path to the site/ssl/cacerts directory as the property value. This property points to the absolute path of the directory where the two PEM files and the two symlinks are located. If all the CA certs are contained in a single file, you can alternatively use the LdapClientTlsCACert property to specify that file name.
- Add the LdapClientTlsReqCert property and set the property value to “demand”. This value causes Teradata Database or the Unity server to ask the directory server for a certificate each time a directory user logs on to the database. If the directory does not provide a certificate, or it provides an invalid certificate, TDGSS terminates the connection.
For configuration information, see LDAP Protection Properties.
The following example shows an LDAP mechanism TdgssUserConfigFile.xml that includes configured certificate properties. This example also applies to KRB5 or SPNEGO if AuthorizationSupported is set to “yes”.
<Mechanism Name="ldap">
  <MechanismProperties
    ...
    LdapServerName="ldap://someserver/"
    LdapClientUseTls="yes"
    LdapClientTlsCACertDir="/opt/teradata/tdat/tdgss/site/ssl/cacerts/"
    LdapClientTlsReqCert="demand"
  />
</Mechanism>
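As an added configuration check (example code, not Teradata's own tooling), the following Python script parses a TdgssUserConfigFile.xml fragment like the one above and reports whether the ldap mechanism has LdapClientUseTls="yes", LdapClientTlsReqCert="demand", and a CA directory that actually contains PEM files and hash symlinks (or an existing CA file when LdapClientTlsCACert is used instead). The sample XML and the temporary cacerts directory it builds are constructed for the demonstration, and the `<hash>.0` symlink naming is assumed to follow OpenSSL's convention.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample of the Mechanism element shown above (not a real site file); {cadir} is filled at run time.
SAMPLE_XML = """<TdgssUserConfigFile>
  <Mechanism Name="ldap">
    <MechanismProperties LdapServerName="ldap://someserver/" LdapClientUseTls="yes"
      LdapClientTlsCACertDir="{cadir}" LdapClientTlsReqCert="demand" />
  </Mechanism>
</TdgssUserConfigFile>"""


def check_ldap_tls(xml_text):
    """Findings for the ldap mechanism; [] means TLS on, cert demanded, CA source present."""
    findings = []
    for mech in ET.fromstring(xml_text).iter("Mechanism"):
        props = mech.find("MechanismProperties")
        if mech.get("Name", "").lower() != "ldap" or props is None:
            continue
        if props.get("LdapClientUseTls", "").lower() != "yes":
            findings.append("LdapClientUseTls is not 'yes'")
        if props.get("LdapClientTlsReqCert", "").lower() != "demand":
            findings.append("LdapClientTlsReqCert is not 'demand'")
        cadir, cafile = props.get("LdapClientTlsCACertDir"), props.get("LdapClientTlsCACert")
        if cadir:
            if not os.path.isdir(cadir):
                findings.append("CA directory missing: " + cadir)
            else:
                entries = os.listdir(cadir)
                # A hashed CA directory needs both the PEM files and the hash symlinks to them.
                if not any(e.endswith(".pem") for e in entries):
                    findings.append("no .pem files in " + cadir)
                if not any(os.path.islink(os.path.join(cadir, e)) for e in entries):
                    findings.append("no hash symlinks in " + cadir)
        elif cafile:
            if not os.path.isfile(cafile):
                findings.append("CA file missing: " + cafile)
        else:
            findings.append("neither LdapClientTlsCACertDir nor LdapClientTlsCACert is set")
    return findings


def make_demo_cacerts():
    """Throwaway dir shaped like site/ssl/cacerts: one PEM plus an OpenSSL-style <hash>.0 symlink."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "rootca.pem"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n(placeholder)\n-----END CERTIFICATE-----\n")
    os.symlink("rootca.pem", os.path.join(d, "0123abcd.0"))  # made-up hash name, for illustration
    return d
```

Run it against the real site file by reading it into `check_ldap_tls`; any non-empty result means the directory-server certificate is not being verified the way the steps above intend.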