
Teradata Wallet – Data Safety in your hand !!

Teradata Wallet

·  Teradata Wallet provides access to a client system user’s stored Teradata Database passwords to the user while protecting these passwords from access by other users of the same client system.

·  Each wallet entry has two parts: a reference string (the name) and a value (the real password). Teradata Wallet returns the password, when queried with its associated reference string, to the user who created it. For detailed information on using Teradata Wallet, see the most recent version of Security Administration, B035-1100.

·  ODBC connect functions can process Teradata Wallet reference strings when they are used in, or as, the password or authentication parameter. The reference string must be enclosed in a $tdwallet() token.

Saving a Wallet String in DSN:

o   On DSN Setup dialog, enter the Wallet reference string in Teradata Wallet String field.

o   In odbc.ini, enclose the Wallet reference string in $tdwallet() token and use it as password under the DSN in odbc.ini.

Using Wallet String in connect functions:

·         A wallet reference string can be used in place of (or as part of) the password or authentication parameter.

The  TDWALLET  utility

The Teradata Wallet package contains a rudimentary command-line tool named "tdwallet".  This tool is used to add items to your wallet, delete items from your wallet, list the names of items in your wallet, etc.  tdwallet includes on-line help information; to access this, execute "tdwallet help" from the command line:

EXAMPLE:
$ tdwallet add password_proddev
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.

Simple usage scenario

How to get started:

1.    If you have not done so already, install the Teradata Wallet software package onto your client computer.  This package is part of the Teradata Tools and Utilities 14.00 release.  Teradata Wallet is an optional package, meaning that you need to select it in order to install it, but you need not install it if you do not want to use Teradata Wallet.  Teradata Wallet is also available for download from TDWALLET Download.

2.    Install the Teradata CLIv2 software package onto your client computer.  This should be version 14.00.00.02 or later and should be installed after you install the Teradata Wallet package.

3.    Run the tdwallet utility to add items to your wallet.  For example:
$ tdwallet add password_proddev
Enter desired value for the string named "password_proddev":
UR1geek2B
String named "password_proddev" added.

4.    Use $tdwallet in login information when connecting to the Teradata Database.  For example:
$ cat deptquery.txt
.logon proddev/davepickard,$tdwallet(password_proddev)
.SET SEPARATOR ' | '
SELECT * FROM department;
.logoff
.exit
$ bteq < deptquery.txt
BTEQ 14.00.00.00 Mon Jun 12 15:55:38 2011
+---------+---------+---------+---------+---------+---------+---------+----
.LOGON proddev/davepickard,
*** Logon successfully completed.
*** Teradata Database Release is 14.00.00.00

When the logon information is processed, "$tdwallet(password_proddev)" will be replaced with the value of the item named "password_proddev" from the current user's wallet.

Logon information processing

When found during logon processing, a string of the form $tdwallet(somestring) is replaced as follows:

1.    Process somestring as follows:
(a) Replace "\)" with ")".
(b) Replace "\$" with "$".
(c) Replace "\\" with "\".
(d) Replace "$(tdpid)" with the Teradata Database system.

2.    Query the current user's wallet for an item with a name matching the result of the processing in step 1.

3.    The value of the item found by the query in step 2 is the replacement.

Thus, instead of:

.logon proddev/davepickard,$tdwallet(password_proddev)

we could have used:

.logon proddev/davepickard,$tdwallet(password_$(tdpid))

When found during logon processing, a string of the form $tdwallet (without "(somestring)") is replaced as follows:

1.    Query the current user's wallet for an item with a name matching com.teradata.mechanism, where mechanism is the logon mechanism being used (for example, "TD2").

2.    The value of the item found by the query in step 1 is the replacement.

The replacement process is iterative, querying the wallet repeatedly until no instances of $tdwallet(somestring) or $tdwallet remain.

To demonstrate, consider the following:

If joen uses a script that starts as follows:
.logmech TD2
.logon proddev/joen,$tdwallet

The logon processing will detect the $tdwallet in the logon information.  Since logon processing is using the TD2 logon mechanism, the logon processing queries joen's wallet for an item named com.teradata.TD2.  This query will result in an item having a value of $tdwallet(password_$(tdpid)).  This matches $tdwallet(somestring) where somestring is password_$(tdpid).  Next, "password_$(tdpid)" is processed into "password_proddev".  The logon processing queries joen's wallet for an item named password_proddev.  This query will result in an item having a value of UR1geek2B.  This does not contain any matches of $tdwallet(somestring) or $tdwallet.  So, UR1geek2B is the ultimate replacement, yielding logon information of proddev/joen,UR1geek2B, which is used to attempt to log on to the Teradata Database.

Replacement processing can be useful on other parts of the logon information.  To demonstrate, consider the following:

All three of these users could use a shared script having a LOGON command like:

.logon proddev/$tdwallet(u),$tdwallet(p)

When each user runs the script, the Teradata Database username and Teradata Database password are retrieved from the appropriate wallet during the logon processing.
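The replacement rules above can be modelled in a few lines. This is an added example, not Teradata's code: the wallet is a plain dictionary, the "u" and "p" items are constructed, and both the token-boundary parsing and the round cap (which stops items that reference each other forever) are assumptions the page does not specify.

```python
MAX_ROUNDS = 16  # assumption: the page states no limit; the cap catches self-referencing items

# Constructed wallet: the first two items follow the joen walk-through, "u" and "p" are made up.
JOEN_WALLET = {
    "com.teradata.TD2": "$tdwallet(password_$(tdpid))",
    "password_proddev": "UR1geek2B",
    "u": "joen",
    "p": "$tdwallet",
}

def read_item_name(text, i, tdpid):
    """Parse somestring from text[i]; return (item name, index just past the closing ')')."""
    out = []
    while i < len(text):
        if text[i] == "\\" and text[i + 1:i + 2] in (")", "$", "\\"):
            out.append(text[i + 1])              # steps (a)-(c): drop the escaping backslash
            i += 2
        elif text.startswith("$(tdpid)", i):
            out.append(tdpid)                    # step (d): substitute the system name
            i += len("$(tdpid)")
        elif text[i] == ")":
            return "".join(out), i + 1
        else:
            out.append(text[i])
            i += 1
    raise ValueError("unterminated $tdwallet( token")

def resolve_logon(logon, wallet, tdpid, mechanism="TD2"):
    """Expand $tdwallet tokens repeatedly until none remain, as the page describes."""
    for _ in range(MAX_ROUNDS):
        pos = logon.find("$tdwallet")
        if pos < 0:
            return logon
        end = pos + len("$tdwallet")
        if logon.startswith("(", end):
            name, end = read_item_name(logon, end + 1, tdpid)
        else:
            name = "com.teradata." + mechanism   # bare $tdwallet: per-mechanism default item
        if name not in wallet:
            raise KeyError(f"no wallet item named {name!r}")
        logon = logon[:pos] + wallet[name] + logon[end:]
    raise RuntimeError("wallet items keep referencing each other")

if __name__ == "__main__":
    print(resolve_logon("proddev/joen,$tdwallet", JOEN_WALLET, "proddev"))
    print(resolve_logon("proddev/$tdwallet(u),$tdwallet(p)", JOEN_WALLET, "proddev"))
```

Because "$(tdpid)" is filled in from the system being logged on to, the same script run against a system with no matching item fails with a missing-item error instead of sending another system's password.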

Notes : Teradata Wallet prevents one user from accessing the wallet information of another user.  However, it makes a user's wallet information freely available to the owning user.  The software provides this enforcement based on the client system's notion of a user.  On Unix/Linux this is by user identifier (UID).  On Windows this is by security identifier (SID).  The client computer cannot tell which human is typing on the keyboard; it provides security based on the logged-in user.  As such, it is important to secure access to your user account, for example, by logging off or locking your computer when you leave it unattended.

At present, only logon processing that is initiated through Teradata CLIv2 for Network Attached Systems and Teradata ODBC Driver utilizes Teradata Wallet.  This includes tools such as:
– Basic Teradata Query Utility (BTEQ)
– Teradata FastLoad
– Teradata MultiLoad
– Teradata Parallel Data Pump (TPump)
– Teradata FastExport
– Teradata ARC
– Teradata Preprocessor2 (PP2)
– Teradata Parallel Transporter (TPT)

As a diagnostic tool, you can set the TDWALLET_DEBUG_FILE environment variable before attempting to use Teradata Wallet.  For example:

TDWALLET_DEBUG_FILE=tdwallet.log
export TDWALLET_DEBUG_FILE
fastload < flinsert.fastload
cat tdwallet.log

This will produce a trace of the calls to the Teradata Wallet subsystem.

Retrieving a Password from Teradata Wallet Using ODBC Driver for Teradata

You can specify a Teradata Wallet string in an ODBC SQLConnect, SQLDriverConnect or SQLBrowseConnect function call when using ODBC Driver for Teradata 14.0 and up. For example:

SQLConnect(hdbc, "mydsn", SQL_NTS, "myuid", SQL_NTS, "$tdwallet(abcd)", SQL_NTS);

SQLDriverConnect(hdbc, NULL, "DSN=mydsn;UID=myid;PWD=$tdwallet(abcd);", SQL_NTS, szConnStrout, cbConnStrOutMax, &cbConnectStrOutLen, SQL_DRIVER_NOPROMPT);

On Windows clients, you can also specify a single connect string in the Teradata Wallet String field of the ODBC Driver Setup for Teradata Database dialog box, according to the following rules:

· Enter only the wallet string. The $tdwallet() token is not required.

· Entering a wallet string precludes the specification of a password in the adjacent Password field.

On Linux/UNIX clients you can enter the entire string and token in either the:

· odbc.ini, for example: $tdwallet(password_alias)

· connection string, for example:

"DRIVER={Teradata}; DBCNAME=platinum; AUTHENTICATION=LDAP; AUTHENTICATIONPARAMETER=authcid=$tdwallet(odbc_krb1_ad) password=$tdwallet(odbc_krb1_ad_pwd);"

Logon with Teradata Wallet

· Teradata Wallet is a secure store for client credentials. It stores passwords for Teradata Database authentication, which can automatically be retrieved at run time and submitted to the database. Teradata Wallet must be configured with usernames and passwords before it can be used for logons using DUL and DULTAPE.

Using the TDWALLET parameter in a TPT Script

The following shows how to reference a wallet string from within a TPT script.

For example, the DDL operator in a TPT script requires a value for UserPassword:

DEFINE OPERATOR DDL_OPERATOR
TYPE DDL
ATTRIBUTES
(
VARCHAR PrivateLogName = 'ddl_log',
VARCHAR TdpId = @jobvar_tdpid,
VARCHAR UserName = @jobvar_username,
VARCHAR UserPassword = @jobvar_password,
VARCHAR WorkingDatabase = @jobvar_working_database,
VARCHAR ARRAY ErrorList = ['3807','3803','5980']
);

In your operator definition, replace:

VARCHAR UserPassword = @jobvar_password,

with:

VARCHAR UserPassword = '$tdwallet(password_proddev)',

Or, where the password is supplied as a job variable, replace:

jobvar_password        =  'UR1geek2B'

with:

jobvar_password        =  '$tdwallet(password_proddev)'

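Or, on the tbuild command line, replace:

tbuild -f weekly_update.tbr -u "jobvar_password = 'UR1geek2B'"

with (in a POSIX shell the dollar sign is escaped so that the shell does not expand $tdwallet as an empty variable inside the double quotes):

tbuild -f weekly_update.tbr -u "jobvar_password = '\$tdwallet(password_proddev)'"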
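After switching to wallet references, it is worth checking that no script or configuration file still carries a literal password. The following check is an added example, not part of the original article or of any Teradata tool: it covers only the three credential locations shown on this page (BTEQ .logon, TPT UserPassword/job variable, ODBC PWD/Password), and the file names and contents are constructed from the page's snippets.

```python
import re

# One pattern per place the page puts a password: BTEQ .logon, TPT attribute/job variable, ODBC.
PATTERNS = [
    ("bteq-logon", re.compile(r"^\s*\.logon\s+[^,\s]+,\s*(?P<pw>\S+?);?\s*$", re.I)),
    ("tpt-jobvar", re.compile(r"\b(?:UserPassword|jobvar_password)\s*=\s*'(?P<pw>[^']+)'", re.I)),
    ("odbc", re.compile(r"\b(?:PWD|Password)\s*=\s*(?P<pw>[^;\s]+)", re.I)),
]

# Constructed inputs; the file names are hypothetical.
SAMPLE_FILES = {
    "deptquery.txt": ".logon proddev/davepickard,$tdwallet(password_proddev)\nSELECT * FROM department;\n",
    "legacy.bteq": ".logon proddev/davepickard,UR1geek2B\n.logoff\n",
    "jobvars.txt": "jobvar_tdpid = 'proddev'\njobvar_password = 'UR1geek2B'\n",
    "odbc.ini": "[mydsn]\nDBCName=platinum\nPassword=$tdwallet(password_alias)\n",
}

def find_plaintext_passwords(name, text):
    """Return (file, line number, kind) for each password value that is not a wallet reference."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            match = pattern.search(line)
            if match and "$tdwallet" not in match.group("pw"):
                hits.append((name, line_no, kind))   # report the location only, never the value
                break
    return hits

def audit(files):
    """Scan a {file name: contents} mapping and collect every finding."""
    findings = []
    for name, text in files.items():
        findings += find_plaintext_passwords(name, text)
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_FILES):
        print("literal password at %s:%d (%s)" % finding)
```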

About Author : Shawn Shealy

Reference Article             : Wallet Article
