Corrective Action - Advanced SQL Engine - Teradata Database

Security Administration

Product: Advanced SQL Engine, Teradata Database
Release Number: 17.05, 17.00
Published: September 2020
Language: English (United States)
Last Update: 2021-01-23
dita:id: B035-1100
lifecycle: previous
Product Category: Teradata Vantage™
  1. Obtain the certificate from the directory with the openssl command:
    openssl s_client -connect server_name:port
    where:
    • server_name is the DNS name of the directory server
    • port is the number of the port where the directory server listens
  2. In the output from this command, find the line that begins with subject. This string should contain a CN attribute. The value of the CN attribute is a name that must resolve in DNS to the IP address of the directory server. The error message occurs because the name either does not resolve or resolves to the wrong IP address, so the cause is either a DNS problem or a problem with the name in the server certificate.
  3. Check the following items to determine the problem and then fix it.
    1. If the LdapServerName property names the directory server explicitly, make sure the name in the property value matches the name in the subject for the directory server certificate. For example, if the subject CN attribute contains:
      dlopldap.td.teradata.com

      then make sure the LdapServerName property contains either the TLS specification:

      ldap://dlopldap.td.teradata.com/

      or the SSL specification:

      ldaps://dlopldap.td.teradata.com/
    2. Make sure that the name in the CN attribute is resolvable and returns the correct IP address. Fix any errors and try again.
    3. If the name in the CN attribute cannot be resolved or resolves to the wrong IP address, and cannot be changed in DNS, you must install a new certificate on the directory server. See Checking the Directory Server Certificates.
      The CN attribute must meet these requirements:
      • The subject for the certificate must contain the DNS name (preferably, the fully qualified DNS name) that resolves to the IP address where the server is listening.
      • The DNS name must correctly resolve on the Teradata Vantage nodes or Unity server.
      • If the LdapServerName attribute is configured to explicitly name directory servers, the value in the subject's CN attribute must be used in the configured LDAP or LDAPS URI.
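
The checks in steps 1 through 3 can be scripted; the following is an added shell example, not part of the Teradata documentation or tooling. All function names are hypothetical, the subject lines are constructed samples, and getent is assumed to be available on the node.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not Teradata tooling.

# Step 1: print the subject line of the server certificate (host:port argument).
fetch_subject() {
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -subject
}

# Step 2: read a subject line on stdin and print its CN value.
# Accepts "subject=/C=US/CN=name" and "subject=C = US, CN = name".
cn_from_subject() {
    sed -n 's|^ *subject *=.*CN *= *\([^,/]*\).*$|\1|p' | head -n 1
}

# Print the host part of an ldap:// or ldaps:// URI (port and path dropped).
host_from_ldap_uri() {
    printf '%s\n' "$1" | sed -n 's|^ldaps\{0,1\}://\([^/:]*\).*$|\1|p'
}

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Step 3.1: succeed only when the LdapServerName URI ($2) names the CN ($1).
# DNS names are compared case-insensitively.
uri_matches_cn() {
    cn=$(lower "$1")
    host=$(lower "$(host_from_ldap_uri "$2")")
    [ -n "$cn" ] && [ "$cn" = "$host" ]
}

# Step 3.2: succeed only when the CN ($1) resolves on this node to the
# directory server address ($2). Assumes getent is available (Linux).
cn_resolves_to() {
    getent hosts "$1" | awk '{print $1}' | grep -qxF "$2"
}

# Constructed sample subject lines in both openssl output styles.
SAMPLE_OLD='subject=/C=US/O=Example/CN=dlopldap.td.teradata.com'
SAMPLE_NEW='subject=C = US, O = Example, CN = dlopldap.td.teradata.com'
```

On a node, `fetch_subject server_name:port | cn_from_subject` yields the name to pass to `uri_matches_cn` and `cn_resolves_to`.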