Teradata 2 (TD2) is the default authentication method provided by Teradata. When TD2 is the default authentication method, use your standard Teradata user ID and password. To use TD2 authentication when TD2 is not the default, append the “@TD2” token to the Teradata user name and provide the corresponding password. Appending the “@TD2” token to a user name overrides any default authentication method that is configured.
This example shows how to connect using a TD2 user name:
libname x teradata user="janedoe@TD2" password="janedoeworld";
For more information about TD2 authentication, see the Teradata security documentation.
Kerberos is a network authentication protocol in which a client proves its identity once to a trusted key distribution center (KDC) and then presents KDC-issued tickets to each service it contacts, so the user's password is never sent to the Teradata server. The protocol is built on symmetric-key cryptography, and it authenticates in both directions: the server verifies the client, and the client verifies that it is talking to the genuine server. Once a session is authenticated, the client and server can exchange data for the rest of the session.
To use single sign-on (SSO) to Teradata with Kerberos authentication, the client system must hold a valid Kerberos ticket-granting ticket (TGT) before you initiate a LIBNAME connection to Teradata with Kerberos authentication. On UNIX systems, one way to obtain a TGT is the kinit command; the security administrator at your site might provide other methods. On Windows, most systems obtain a TGT automatically when you log on and authenticate to the workstation or server. In every case the method of authenticating is specific to your site. Because the TGT is the credential for the whole session, the security administrator must set the TGT lifetime so that long-running jobs have time to complete before the ticket expires; a missing or expired TGT produces the EM_GSSCALLFAIL error listed below.
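Before launching a long-running SAS job that authenticates with Kerberos, it is worth checking that the TGT will outlive the job. The following is an added example in Python, not part of the SAS or Teradata documentation: it parses the output of the MIT Kerberos klist command (the output layout and the embedded sample output are assumptions; Heimdal's klist prints a different layout) and compares the TGT expiry with the job's expected duration plus a safety margin.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample of MIT Kerberos `klist` output (assumption: this layout).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: janedoe@EXAMPLE.COM

Valid starting       Expires              Service principal
01/15/2024 09:00:00  01/15/2024 19:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 01/22/2024 09:00:00
"""

# One ticket line: start, expiry, service principal. The year may have 2 or 4 digits.
_TICKET = re.compile(
    r"^(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+"
    r"(\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2})\s+(\S+)$"
)


def _parse_stamp(text):
    """Parse a klist timestamp, accepting both 4-digit and 2-digit years."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised klist timestamp: %r" % text)


def tgt_expiry(klist_text):
    """Return the expiry of the krbtgt/ ticket as a datetime, or None if there is no TGT."""
    for line in klist_text.splitlines():
        m = _TICKET.match(line.strip())
        if m and m.group(3).startswith("krbtgt/"):
            return _parse_stamp(m.group(2))
    return None


def tgt_covers_job(klist_text, now, job_seconds, margin_seconds=300):
    """Decide whether the TGT lasts for `job_seconds` plus a safety margin after `now`.

    `now` is a datetime or an ISO 8601 string. Returns (ok, seconds_remaining);
    seconds_remaining is None when no TGT is present at all.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    expiry = tgt_expiry(klist_text)
    if expiry is None:
        return False, None
    remaining = int((expiry - now).total_seconds())
    return remaining >= job_seconds + margin_seconds, remaining


def current_klist():
    """Output of the real `klist`, or '' if the command is missing or the cache is empty."""
    try:
        proc = subprocess.run(["klist"], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return ""
    return proc.stdout if proc.returncode == 0 else ""


if __name__ == "__main__":
    text = current_klist()
    now = datetime.now()
    if not text:  # no real cache here: fall back to the sample at a time inside its validity
        text, now = SAMPLE_KLIST, datetime(2024, 1, 15, 12, 0, 0)
    ok, remaining = tgt_covers_job(text, now, job_seconds=4 * 3600)
    if ok:
        print("TGT valid for %d more seconds: safe to start the job" % remaining)
    elif remaining is None:
        print("no TGT in the credential cache: run kinit first")
    else:
        print("TGT expires in %d seconds: renew it with kinit before starting a 4h job" % remaining)
```

In a shell wrapper, `klist -s` alone answers whether an unexpired ticket exists, but it does not say how long the ticket will last, which is the question that matters for a multi-hour load.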
In a LIBNAME statement, you initiate Kerberos authentication by appending the “@KRB5” token to the user name, USER="myname@KRB5", or by specifying simply USER="@KRB5". Either form sets the authentication method to Kerberos (KRB5) and overrides any other authentication method that is configured. The name part of USER= and any PASSWORD= value are ignored; the TGT in the credential cache is the credential. Each of the following LIBNAME statements connects to Teradata using Kerberos authentication:
/* No USER= token: works only when Kerberos is the default mechanism configured for the client */
libname teralib1 TERADATA SERVER=xxx ;
/* @KRB5 forces Kerberos; the USER= name and the PASSWORD= value are ignored */
libname teralib2 TERADATA SERVER=xxx USER="myname@KRB5" PASSWORD="myPwd" ;
libname teralib3 TERADATA SERVER=xxx USER="@KRB5" PASSWORD="myPwd" ;
/* Same, without a password: the TGT in the credential cache is the credential */
libname teralib4 TERADATA SERVER=xxx USER="myname@KRB5" ;
libname teralib5 TERADATA SERVER=xxx USER="@KRB5" ;
You might encounter the following error messages when attempting Kerberos authentication. Consult this table for guidance.

| Error | Meaning |
|---|---|
| ERROR: Teradata connection: MTDP: EM_GSSINITFAIL(235): call to gss_init failed. ERROR: Error in the LIBNAME statement. | Kerberos is not enabled in the Teradata client software. See the SAS/ACCESS Interface to Teradata configuration documentation for information about how to enable Kerberos for a SAS client or server. |
| ERROR: Teradata connection: MTDP: EM_GSSCALLFAIL(236): call to gss_call failed. ERROR: Error in the LIBNAME statement. | The Kerberos ticket (TGT) either does not exist or has expired. Obtain a fresh TGT (for example, with kinit on UNIX) or consult the security administrator at your site. |
LDAP is an authentication method that uses an LDAP directory server to store user names and passwords. Client applications pass the user name and password to the LDAP server, which verifies them. The LDAP authentication system at your organization might also use security realms, which specify groups, such as administrators or managers, that have access to specified roles and subsets of information.
For LDAP authentication with either a NULL or single security realm, append only the “@LDAP” token to the Teradata user name. In this case, no realm name is needed. If you append a realm name, the LDAP authentication server ignores it and authentication proceeds.
This example shows how to connect to a single or NULL realm.
libname x teradata user="johndoe@LDAP" password="johndoeworld";
If your system is configured with multiple security realms, you must append the realm name to the “@LDAP” token. In this case, an LDAP server must already be configured to accept authentication requests from the Teradata server.
Here is an example of how to make the connection to a specific realm, jsrealm, where multiple realms are configured.
libname x teradata user="johndoe@LDAPjsrealm" password="johndoeworld";
Single sign-on is not supported with LDAP authentication.
The Teradata Wallet feature enables you to store encrypted database passwords for users without exposing those passwords within system scripts. The Teradata Wallet feature is available with TTU 14.00 and higher in UNIX or Windows environments. The Teradata Wallet feature can be used in systems that use LDAP.
Each user’s wallet contains items that consist of an item name in plain text and a corresponding encrypted value. The name serves as a hint to identify the encrypted value. For example, a wallet might contain an item with the name uid_td2_server2 and a corresponding value that is the encrypted version of myuserid.
Within a script, you refer to an item with the $tdwallet function; at connection time the client retrieves the stored value and uses it in place of a literal text value, so the script itself never contains the password. To assign the user ID from the previous example to a parameter called user, your command might contain this code:
... user="$tdwallet(uid_td2_server2)" ...
In a SAS program, the values are used similarly.
For more information, including details about adding items to and deleting items from a wallet, see your Teradata documentation.
Here is how to add items to a Teradata wallet on a UNIX command line. The UNIX prompt and command are on the first line; below it are the resulting prompt and message from the system:
machine> tdwallet add uid_td2_server2
Enter desired value for the string named "uid_td2_server2": dbtester
String named "uid_td2_server2" added.
The value dbtester is stored in encrypted form in the Teradata wallet. The script refers to it only by name, as "$tdwallet(uid_td2_server2)", and the client supplies the stored value when the connection is made.
Here are some additional item definitions:
machine> tdwallet add password_td2_server2
Enter desired value for the string named "password_td2_server2": db666444333
String named "password_td2_server2" added.
machine> tdwallet add com.teradata.TD2
Enter desired value for the string named "com.teradata.TD2":
$tdwallet(password_td2_$(tdpid))
String named "com.teradata.TD2" added.
machine> tdwallet add uid_ldap_server2
Enter desired value for the string named "uid_ldap_server2": joe_user
String named "uid_ldap_server2" added.
machine> tdwallet add password_ldap_server2
Enter desired value for the string named "password_ldap_server2": joe333444999
String named "password_ldap_server2" added.
machine> tdwallet add com.teradata.LDAP
Enter desired value for the string named "com.teradata.LDAP":
$tdwallet(password_ldap_$(tdpid))
String named "com.teradata.LDAP" added.
In the item definitions for com.teradata.TD2 and com.teradata.LDAP, the argument to the $tdwallet function includes $(tdpid). This is a reference to a predefined Teradata variable that is replaced with the tdpid (the Teradata server name) of the connection being made, so one item definition selects the password item for whichever server the script connects to: with SERVER=server2, for example, it selects password_td2_server2.
Use the following code to access a table that contains data about a new class. The call to the $tdwallet function with no argument resolves through the com.teradata.TD2 item: because SERVER=server2, $(tdpid) expands to server2 and the password is taken from password_td2_server2, the counterpart of uid_td2_server2. All other calls to the $tdwallet function require arguments.
libname td Teradata user="$tdwallet(uid_td2_server2)" password="$tdwallet"
server=server2;
proc sort data=td.class_new out=lsgout nodupkey;
by age;
run;
The Teradata Wallet feature also works with LDAP authentication and with TPT (Teradata Parallel Transporter) support. Here the call to the $tdwallet function with no argument resolves through com.teradata.LDAP to password_ldap_server2, the counterpart of uid_ldap_server2; the com.teradata.LDAP item applies when LDAP is the authentication mechanism in use for the connection. All other calls to the $tdwallet function require arguments.
libname td teradata user="$tdwallet(uid_ldap_server2)" password="$tdwallet"
server=server2;
proc delete data=td.foo;
run;
data td.foo (multiload=yes tpt=yes);
x=55;
run;
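To make the resolution rules concrete for both the TD2 and the LDAP LIBNAME examples above, here is an added Python model; it is not Teradata code. The real wallet stores items encrypted on disk and resolves references inside the client library, whereas this model keeps the items from the tdwallet session above in a plain dictionary purely to trace how a bare $tdwallet, $(tdpid) and $tdwallet(name) combine. The nesting limit and the WalletError type are assumptions of the model.

```python
import re

# The items added in the tdwallet session above. Values are in clear only because
# this models the resolution rules, not the encrypted storage.
WALLET = {
    "uid_td2_server2": "dbtester",
    "password_td2_server2": "db666444333",
    "com.teradata.TD2": "$tdwallet(password_td2_$(tdpid))",
    "uid_ldap_server2": "joe_user",
    "password_ldap_server2": "joe333444999",
    "com.teradata.LDAP": "$tdwallet(password_ldap_$(tdpid))",
}

# Matches $tdwallet(name) (group 1 = name) or a bare $tdwallet (group 1 = None).
_REF = re.compile(r"\$tdwallet\(([^)]*)\)|\$tdwallet\b(?!\()")

MAX_DEPTH = 8  # assumption of this model: stops an item that refers back to itself


class WalletError(LookupError):
    """Raised when a $tdwallet reference cannot be resolved."""


def resolve(value, wallet, tdpid, mechanism, depth=0):
    """Expand every $tdwallet reference in `value`.

    $(tdpid) expands to the server name of the connection (`tdpid`);
    $tdwallet(name) is replaced by wallet item `name`, itself resolved;
    a bare $tdwallet stands for $tdwallet(com.teradata.<mechanism>).
    """
    if depth > MAX_DEPTH:
        raise WalletError("too many nested $tdwallet references in %r" % value)
    value = value.replace("$(tdpid)", tdpid)

    def expand(match):
        name = match.group(1)
        if name is None:
            name = "com.teradata." + mechanism
        if name not in wallet:
            raise WalletError("wallet has no item named %r" % name)
        return resolve(wallet[name], wallet, tdpid, mechanism, depth + 1)

    return _REF.sub(expand, value)


def connection_credentials(user_spec, password_spec, tdpid, mechanism, wallet=WALLET):
    """Return the (user, password) pair the client would present for a LIBNAME
    statement whose USER= and PASSWORD= values are `user_spec` and `password_spec`."""
    return (resolve(user_spec, wallet, tdpid, mechanism),
            resolve(password_spec, wallet, tdpid, mechanism))


if __name__ == "__main__":
    # The TD2 example: user="$tdwallet(uid_td2_server2)" password="$tdwallet" server=server2
    print(connection_credentials("$tdwallet(uid_td2_server2)", "$tdwallet", "server2", "TD2"))
    # The LDAP example: the same shape, but the LDAP mechanism selects com.teradata.LDAP
    print(connection_credentials("$tdwallet(uid_ldap_server2)", "$tdwallet", "server2", "LDAP"))
    # A server with no password item is a hard failure, not a fallback to another server's secret
    try:
        resolve("$tdwallet", WALLET, "server9", "TD2")
    except WalletError as err:
        print("server9:", err)
```

The point of the indirection is that a script checked into source control carries only item names; changing a password means re-running tdwallet add on the client, not editing every job that connects to that server.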