Authentication Mechanisms - ODBC Driver for Teradata

ODBC Driver for Teradata® User Guide

Product
ODBC Driver for Teradata
Release Number
17.10
Published
October 2021
Language
English (United States)
Last Update
2021-11-02
dita:mapPath
wxs1608578396899.ditamap
dita:ditavalPath
nkw1500504256726.ditaval
dita:id
B035-2526
lifecycle
previous
Product Category
Teradata Tools and Utilities

To enable network security, an Authentication Mechanism that corresponds to one of the mechanisms configured on the gateway by a system administrator must be specified, and other parameters such as password and username must be passed from the client application through network security. The following table summarizes the authentication mechanisms.

Authentication Mechanism Name Client/Servers Description
Teradata 2 TD2 All The Teradata 2 (TD2) mechanism provides authentication using a database system username and password.

The difference between Teradata 1 and Teradata 2 is that the Teradata 2 encryption key offers a higher degree of security.

Encryption: When the Teradata 2 (TD2) mechanism is selected, both logon string and data are encrypted.

Availability: The Teradata 2 mechanism is available on all supported client and server platforms.

Username and Password: A valid Teradata username and password are always required.

TDNEGO TDNEGO All A security mechanism that automatically determines the actual mechanism required, based on policy, without user's involvement. The actual mechanism is determined by the TDGSS server configuration and by the security policy's mechanism restrictions. This simplifies user logons, because the user does not need to specify which logon mechanism to use. It also provides better ease of use and improved support for applications and tools which do not support specification of logon mechanisms.

The Client and Server versions of TDNEGO automatically negotiate and select an appropriate TDGSS security mechanism to use.

Encryption: Depends based on the chosen mechanism.

Availability: The TDNEGO mechanism is available on all supported client and server platforms.

Username and Password: Depends based on the chosen mechanism.

LDAP LDAP All w/ LDAPv3 Library When the LDAP authentication mechanism is employed, the server authenticates by binding to the LDAP directory using the username and password.

Encryption: When LDAP is selected, both the logon string and data are encrypted.

Availability: The LDAP mechanism is available on all supported client and server platforms, which provide an LDAPv3 compliant library.

Username and Password: The application supplies a username, password, and domain or realm.

When the user has been authenticated, an implicit logon will proceed using a Teradata username derived from the directory.

The gateway directory maps the username to a specific Teradata username or to the system-defined username EXTUSER.

If the directory maps the username to a specific Teradata username, then that user must have previously been granted the logon with null password privilege.

If the directory maps to EXTUSER, then the characteristics of the user (role, rights, space, and so forth) are determined from settings in the directory.

Kerberos KRB5 Windows

Linux

Apple macOS

AIX

Solaris OP

Solaris SP

Once the identity of the user has been verified by Kerberos (KRB5), the KRB5 mechanism implicit logon proceeds using the same username as the Teradata username.

Encryption: When KRB5 is selected, both the logon string and data are encrypted.

Availability: The KRB5 mechanism is available on all supported client and server platforms.

Username, Password, Domain and Realm: The application supplies a username, password, and domain or realm.

The username must have previously been granted the logon with null password privilege.

Single Sign On: The Kerberos (KRB5) mechanism supports SSO where no username and password are provided explicitly by the application, but both are derived from the security context of the application.

For KRB5 authentication, ODBC Driver for Teradata performs reverse DNS lookup and must succeed. The reverse lookup result must be the FQDN of the database node.

JSON Web Token JWT All The client’s credentials (username and password) is authenticated by UDA User Service. The UDA User Service returns a JSON Web Token containing encrypted credentials. The client uses this token to connect to the database.
The client needs to provide the following two parameters to ODBC Driver for Teradata in the connection string when using JWT authentication mechanism:
AUTHENTICATION=JWT;
AuthenticationParameter={token=<JWT token>};
where <JWT token> is the token obtained from the UDA User Service.

Encryption: When JWT is selected, both the logon string and data are encrypted.

Availability: The JWT mechanism is available on all supported client and server platforms.

Username, Password, Domain and Realm: The username and password are encrypted in the JWT token.

Single Sign On: The JWT mechanism supports SSO as long as the JWT token is not expired.

EXTERNALBROWSER EXTERNALBROWSER Windows/Apple MacOS When the EXTERNALBROWSER is employed, the user is authenticated through Keycloak or PingFederate login using external browser without username and password.

Encryption: When EXTERNALBROWSER is selected, both the logon stringand data are encrypted.

Availability: Windows and Apple MacOS

Username and Password: username and password of the database are not needed. Users will need Keycloak or Pingfederate login credentials to get authenticated on the external browser.

Single Sign on: The EXTERNALBROWSER mechanism supports CloudSSO when no username or password is provided. External browser will be invoked and users will need to enter Keycloak or PingFederate credentials to get authenticated.

Other To be determined All Users can define other authentication mechanisms.

Encryption: A user-defined mechanism can also provide logon and data encryption.

Username and Password: Input to a mechanism will be the username, password, and possibly authentication information specific for the particular mechanism.