2.10 - Oracle Target Connector Security Guidelines - Teradata QueryGrid

Teradata® QueryGrid™ Installation and User Guide

prodname: Teradata QueryGrid
vrm_release: 2.10
created_date: September 2019
category: Administration, Configuration, Installation, User Guide
featnum: B035-5991-099K

When acting as target connectors, Oracle connectors support the database (DB Password), operating system (OS Auth), and Kerberos authentication mechanisms, along with SSL or NNE encryption. The following considerations apply to each of the security mechanisms:
  • The username and password assigned and communicated from the initiator connector take precedence over those defined in the Oracle target connector properties.

    For example, if the Teradata initiator provides an authorization object, the Teradata initiator settings take precedence over security-related Oracle connector property settings. Defining these connector properties is optional. However, if credentials are not provided by the initiator connector, a username and password must exist in the connector property settings.

  • An Administrator can define user mappings in the QueryGrid portlet if using the OS Auth authorization.
  • For user mapping, the local user submitting the query is mapped to the target user that submits the query. User mapping is applicable when the Oracle database is set up with the OS Auth mechanism and the target user is not the same as the authenticating user.

Authentication

Database
Oracle stores encrypted credential information and user passwords in the data dictionary to authenticate users attempting to connect to the database.
The following property settings are required for Oracle target connectors using the DB Password authentication.

| Setting | Description |
|---|---|
| Authentication Mechanism | Set to DB Password. |
| Username | [Optional] Set to the authorized user name. |
| Password | [Optional] Set the password for the authorized user. |

Operating System
The operating system authentication option is only available with on-premises systems.
The following property settings are required for Oracle target connectors using the OS Auth authentication. The Teradata Connector username takes precedence over the username and password set in the Oracle connector properties.

| Setting | Description |
|---|---|
| Authentication Mechanism | Set to OS Auth. |
| Username | [Optional] Set to the authorized user name. |

Kerberos

Teradata Kerberos setup must be completed before configuring QueryGrid. The following property settings are required for Teradata target connectors using the Kerberos security model. The Teradata Connector username takes precedence over the username and password set in the Oracle connector properties. Both password and keytab can be selected for authentication; if both are provided, password takes precedence over keytab authentication.

| Setting | Description |
|---|---|
| Authentication Mechanism | Set to Kerberos. |
| Username | [Optional] Set to the Kerberos principal name. |
| Password | [Optional] Set to the password for the Kerberos principal name. QueryGrid authenticates a principal using a password. |
| Keytab | Set to the absolute path to the Kerberos Keytab file. |

For more information, see Oracle Connector and Link Properties.

SSL
SSL can be used to authenticate any client to any Oracle database server that is configured to communicate over SSL. SSL authentication can be used in conjunction with other authentication methods, such as DB Password and Kerberos. The following connector properties must be configured when setting up SSL.
Setting SSL authentication requires setting SSL encryption.

| Setting | Description |
|---|---|
| Authentication Mechanism | Set to SSL. |
| Encryption Mechanism | Set to SSL. |
| SSL Authentication | Set the type of authentication to use between the active and standby servers using one of the following options: Server (only the server authenticates to the client); Server and Client (both authenticate to each other); Neither (only encryption is used, no authentication). |
| Port | Set to the port used for encrypted communication. |
| Truststore Password | Set the SSL truststore password. |
| Truststore Path | Set the truststore certificate path sent by the server for verification. Only available when SSL authentication is set to Server or Both. |
| Truststore Type | Set the SSL truststore type. |
| Keystore Password | Set the SSL keystore password. |
| Keystore Path | Set the keystore certificate path sent by the client for verification. Only available when SSL authentication is set to Server or Both. |
| Keystore Type | Set the keystore type. |

Encryption

Oracle databases can be configured to support either secure sockets layer (SSL) or native network encryption (NNE), but not both. For more information, refer to your Oracle user manuals.

SSL
SSL encrypted communication occurs between the Oracle client and the Teradata Database instance. The following connector properties must be configured when setting up SSL.

| Setting | Description |
|---|---|
| Encryption Mechanism | Set to SSL. |
| SSL Authentication | Set the type of authentication to use between the active and standby servers using one of the following options: Server (only the server authenticates to the client); Server and Client (both authenticate to each other); Neither (only encryption is used, no authentication). |
| Port | Set to the port used for encrypted communication. |
| SSL Server DN | The Server Distinguished Name to match. When SSL authentication is set to server or both, you can optionally choose to match the distinguished name in addition to the server authentication. |
| Truststore Path | Set the truststore certificate path sent by the server for verification. Only available when SSL authentication is set to Server or Both. |
| Truststore Type | Set the SSL truststore type. |
| Truststore Password | Set the SSL truststore password. |
| Keystore Password | Set the SSL keystore password. |
| Keystore Path | Set the keystore certificate path sent by the client for verification. Only available when SSL authentication is set to Server or Both. |
| Keystore Type | Set the keystore type. |

NNE
NNE encryption allows data to be encrypted as the data moves back and forth from a database instance.

| Setting | Description |
|---|---|
| Encryption Mechanism | Set to NNE. |
| NNE Encryption Level | Set to the level of encryption behavior when a client, or server acting as a client, connects to the database instance. |
| NNE Encryption Types | List of encryption algorithms used by the database instance. The algorithms are used in the listed order for decryption until one succeeds or the end of the list is reached. |
| NNE Integrity Level | Set to the level of data integrity when a client, or server acting as a client, connects to the database instance. |
| NNE Integrity Types | Set the algorithm for checksum. |
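
The dependencies between these settings (SSL authentication requires SSL encryption, store paths depend on the SSL Authentication option, credential fallback, Kerberos password over keytab) can be checked before a connector is deployed. The following is an added example, not Teradata code: the function name `lint_connector`, the dict layout keyed by the display names above, and the sample values are assumptions, and "Both" is read as the "Server and Client" option.

```python
# Added example: lint one target-connector property set against this page's rules.
# Keys are the display names from the tables above; the dict layout is an assumption.
SSL_PEER_AUTH = {"Server", "Server and Client"}
NNE_KEYS = ("NNE Encryption Level", "NNE Encryption Types",
            "NNE Integrity Level", "NNE Integrity Types")
STORE_KEYS = ("Truststore Path", "Keystore Path")


def lint_connector(props, initiator_supplies_credentials=False):
    """Return a list of findings for one Oracle target connector."""
    findings = []
    auth = props.get("Authentication Mechanism")
    enc = props.get("Encryption Mechanism")
    ssl_auth = props.get("SSL Authentication")

    # Setting SSL authentication requires setting SSL encryption.
    if auth == "SSL" and enc != "SSL":
        findings.append("SSL authentication requires Encryption Mechanism = SSL")
    # SSL and NNE are alternatives, so NNE settings only apply when NNE is selected.
    if enc != "NNE" and any(k in props for k in NNE_KEYS):
        findings.append("NNE settings present but Encryption Mechanism is not NNE")
    if enc == "SSL":
        if ssl_auth == "Neither":
            findings.append("SSL Authentication = Neither: encryption only, no authentication")
        # Truststore/keystore paths are only available with Server or Server and Client.
        if ssl_auth not in SSL_PEER_AUTH and any(k in props for k in STORE_KEYS):
            findings.append("Truststore/Keystore Path set but SSL Authentication "
                            "is not Server or Server and Client")
    # Without initiator credentials, the connector properties must carry them.
    if auth == "DB Password" and not initiator_supplies_credentials:
        if not (props.get("Username") and props.get("Password")):
            findings.append("DB Password: Username and Password are required "
                            "when the initiator sends none")
    # Kerberos: when both are provided, the password is used instead of the keytab.
    if auth == "Kerberos" and props.get("Password") and props.get("Keytab"):
        findings.append("Kerberos: Password takes precedence, Keytab is not used")
    return findings


# Constructed sample property sets; paths and port are placeholders.
WEAK = {"Authentication Mechanism": "DB Password", "Encryption Mechanism": "SSL",
        "SSL Authentication": "Neither", "Truststore Path": "/path/to/truststore"}
FIXED = {"Authentication Mechanism": "SSL", "Encryption Mechanism": "SSL",
         "SSL Authentication": "Server and Client", "Port": 2484,
         "Truststore Path": "/path/to/truststore", "Keystore Path": "/path/to/keystore"}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, lint_connector(cfg))
```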