Configure TLSv1.2 | DSA Jobs | Teradata Data Mover - 17.11 - Enabling TLS 1.2 Data Path Encryption for DSC on the Data Mover Server - Teradata Data Mover

Teradata® Data Mover Installation, Configuration, and Upgrade Guide for Customers

Product
Teradata Data Mover
Release Number
17.11
Release Date
October 2021
Content Type
Administration
Configuration
Installation
Publication ID
B035-4102-091K
Language
English (United States)
This is an optional configuration

To enable TLS 1.2 encryption in DSA data path for DM DSA jobs using DM self signed certificate, run the dsa_tlscert.py script available in packages directory under the dmdsa_TLSconfig directory.

  • Both the source and the target systems must support TLSv1.2 encryption. To verify, run following command on the system: "openssl ciphers -v | grep TLS"
  • Script needs to connect from the DM/DSC Daemon server to port 22 on source/target systems to copy files and run commands. Make sure ports are enabled.
  • If port 22 does not open due to security reasons, please reach out to customer support for assistance with the manual configuration of DSA TLS 1.2 encryption enablement.
HELP: dsa_tlscert.py  --source <source_TDPID> --source_username <source_system_username>  --source_password <source_system_password>[/ --source_identity_file <identity_file>] --target <target_TDPID> --target_username <target_system_username>  --target_password <target_system_password>[/ --target_identity_file <identity_file>] ] ]
--help                   | --help                                                Displays Help
--source                 | --TDPIP/name of source system                         Source system name
--source_username        | --source sytem user that has sudo permission          Ex: root, ec-user, azureuser, gcpuser
--source_password        | --Source sudo user password  or
--source_identity_file   | --identity file that includes the private key **
--target                 | --TDPIP/name of Target system                         Target system name
--target_usrname         | --Target sytem user that has sudo permission          Ex: root, ec-user, azureuser, gcpuser
--target_password        | --Target sudo user password  or
--target_identity_file   | --identity file that includes the private key **
Example command: python3 dsa_tlscert.py --source sdt35178 --source_username root --source_password datamover --target sdt35179 --target_username root --target_password datamover
This script enables TLS 1.2 Encryption between source sss and target ttt using self-signed certificates for DM DSA jobs.
This script does not support an existing BAR DSA TLS 1.2 certificate on a shared clienthandler.
  1. Generate a new pair of self-signed certificates for source sss and target ttt.
    • This generates the TLS 1.2 certificates for DSMAIN and clienthandler
    • Copies clienthandler.properties to clienthandler.properties.dm_dsaTLS, with added TLS properties
    • Runs enableTLS_dsc.sh script, which copies dsc.properties to dsc.properties.tls, with added TLS properties
    This option overwrites the certificates on sss and ttt if it already exist.

    If one system has already been TLS 1.2 encrypted with another third system, choose option 2 or 3.

  2. Generate a new self-signed certificate for source sss and use existing DM generated self-signed certificate from target ttt.
  3. Use existing DM generated self-signed certificate from source sss and generate a new self-signed certificate for target ttt.
To finish TLS 1.2 encryption, perform the following manual steps when DSMAIN and clienthandler can be restarted:
  • For the newly encrypted DSA system with clienthandler installed, copy clienthandler.properties.dm_dsaTLS to clienthandler.properties and restart clienthandler on all nodes
  • If DSC is not previously TLS enabled, copy dsc.properties.tls to dsc.properties and restart DSC
  • Reconfigure the newly encrypted DSA system using dsa_configsys or dsc commandline
To disable TLS 1.2 encryption:
  1. Edit dsc.properties to set tls.datapath.enabled=false
  2. Restart DSC
  3. Re-configure source system and restart dsmain, using dsa_configsys or dsc commandline
  4. Re-configure target system and restart dsmain, using dsa_configsys or dsc commandline.