16.10 - Initial Installation of Kerberos Keys for the First KDC - Teradata Database

Teradata Database Security Administration

Product: Teradata Database
Release Number: 16.10
Release Date: June 2017
Content Type: Administration, Security
Publication ID: B035-1100-161K
Language: English (United States)

This procedure copies the Kerberos keys for the first KDC from the temporary location used in Moving the Kerberos Keys to a Teradata Database System or Unity Server to the permanent location (/etc/teradata.keytab) on a Teradata Database system or on a Unity server.

On a single node Teradata Database system or a Unity server:

  1. Log on to the database node or Unity server:
    • Database node: from the Teradata command prompt, as teradata or another user with permission to run utilities.
    • Unity server: as root.
  2. Copy the temporary keytab file from the temporary location shown in Moving the Kerberos Keys to a Teradata Database System or Unity Server to the permanent location chosen in Determining the Kerberos Key Installation Directory, for example, the default permanent location:
    cp /opt/teradata/tdat/tdgss/site/domain_name.sys_name.keytab /etc/teradata.keytab

    domain_name.sys_name is defined in Generating the Key for the First Node or for a Unity Server.

    If you use a custom location, be sure to specify the custom location as the TeradataKeyTab property value for the KRB5 mechanism.
  3. Display a list of Kerberos keys to verify that all keys installed correctly:
    klist -ke /etc/teradata.keytab
  4. After verifying that all keys are installed correctly to the permanent location, delete the key file from the temporary location.
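
The single-node steps 2 through 4 as one guarded shell function, so that the temporary key file is deleted only after the copy has been verified. This is an added example, not Teradata-supplied code; the function name install_keytab, the KLIST override, the refusal to overwrite an existing file and the '@' check on the klist output are assumptions of this example.

```shell
#!/bin/sh
# Added example (not Teradata-supplied): single-node steps 2-4 in one function.
# Assumptions: the name install_keytab, the KLIST override, the no-overwrite
# guard and the '@' heuristic are this example's own choices.

install_keytab() {
    src=$1                            # temporary keytab from the earlier procedure
    dst=${2:-/etc/teradata.keytab}    # permanent location (default from the page)
    klist_cmd=${KLIST:-klist}         # override lets the function be exercised offline

    [ -s "$src" ] || { echo "temporary keytab missing or empty: $src" >&2; return 1; }

    # Initial installation: an existing file means this is not the first install.
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 2; }

    # Step 2: copy to the permanent location.
    cp "$src" "$dst" || return 3

    # Step 3a: the copy must be byte-identical to the source.
    cmp -s "$src" "$dst" || { echo "copy differs from source" >&2; return 3; }

    # Step 3b: klist must parse the file and list at least one principal.
    listing=$("$klist_cmd" -ke "$dst" 2>&1) || { echo "klist failed: $listing" >&2; return 4; }
    printf '%s\n' "$listing"
    printf '%s\n' "$listing" | grep -q '@' || { echo "no principals listed" >&2; return 5; }

    # Show owner and mode so they can be reviewed before the source is removed.
    ls -l "$dst"

    # Step 4: only now delete the key file from the temporary location.
    rm -f "$src"
}

# Usage on the node (file name pattern as given on the page):
#   install_keytab /opt/teradata/tdat/tdgss/site/domain_name.sys_name.keytab
```

A non-zero return leaves the temporary file in place, so the copy can be repeated after the cause is corrected.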

For multi-node Teradata Database systems:

  1. From the Teradata command prompt, log on to the Teradata Database node that has the temporary keytab file, as teradata or another user with permission to run utilities.
  2. Distribute the temporary keytab file to all nodes, using the pcl command. For example, using the default permanent location:
    pcl -send /opt/teradata/tdat/tdgss/site/domain_name.sys_name.keytab /etc/teradata.keytab
    If you use a custom location, be sure to specify the custom location as the TeradataKeyTab property value for the KRB5 mechanism.
  3. Display a list of Kerberos keys to verify that all keys installed correctly:
    pcl -s klist -ke /etc/teradata.keytab
  4. After verifying that all keys are installed correctly to the permanent location, delete the key file from the temporary location.