16.10 - LdapClientTlsCACert - Teradata Database

Teradata Database Security Administration

prodname
Teradata Database
vrm_release
16.10
created_date
June 2017
category
Administration
Security
featnum
B035-1100-161K

The LdapClientTlsCACert property specifies the name of the file that contains all the Certificate Authorities (CAs), including the certificate for the CA that signed the directory server certificate that TDGSS and OpenLdap tools trust. If the signing CA is not a top-level (root) CA, certificates for the entire sequence of CAs from the signing CA to the top-level CA must be present. The certificate order is not significant.

You can use this property for certificate chain verification when all CAs are in one file, but LdapClientTlsCACertDir is preferred. See LdapClientTlsCACertDir

Valid Settings

Setting Description
"" (default) No file is specified
A file name The file must contain concatenated CA certificates in PEM format.

Supporting Mechanisms for LdapClientTlsCACert

The LdapClientTlsCACert property is required for SSL or TLS protection.

Mechanisms that are not listed in the table do not support this property. The Property Editable column indicates if the setting for a property may be edited.
Mechanism Property Editable?
KRB5 May Be Edited
LDAP
To set a value, you must manually add this property to the TdgssUserConfigFile.xml for the needed mechanisms. See About Editing Configuration Files.

Editing Guidelines

  • Configure this property or LdapClientTlsCACertDir (preferred) when using SSL or TLS. See Verifying the Directory Server Certificate Chain.

  • If you decide to use TLS protection, edit this property for all mechanisms that have the AuthorizationSupported property set to yes.

  • Set the value on each node and the Unity server, if used. Also see Coordinating Mechanism Property Values for Unity.

    The Linux user under which Teradata Database runs must own and have read access to this file. For sites that configured this property before Release 14.0, the permission is granted automatically by a script upon upgrade to Release 14.0. For sites that configure this property on Release 14.0 or later, you must grant the permission manually.