
Understanding Teradata Wallet


Teradata Wallet is a facility for storage of sensitive/secret information, such as Teradata Database user passwords. Users are able to save and retrieve items by using this facility.

Teradata Wallet was introduced with the Teradata Tools and Utilities (TTU) packages, versions 14.00/15.00 and later. With it, customers can store passwords and other credentials (or other confidential information) securely on client computers or application servers. The stored information is then used when signing on to the Teradata Database.

 

Key Concept behind Teradata Wallet:

The information stored by Teradata Wallet is separated by client user.  So, if a given client computer has three users, User1, User2 and User3, the information stored in Teradata Wallet is laid out as follows:

(Figure: one wallet each for User1, User2 and User3)

A user can only access information from his own wallet.  So, all Teradata Wallet accesses by User1 will necessarily go to User1’s wallet.  User1 cannot access anything from User2 or User3’s wallet.

Items:

Users can save and retrieve items using the facility.  Each item has two parts:

      (1) The name of the item, and

      (2) The value of the item.

Both the name and the value of an item are sequences of Unicode characters with arbitrary content.

An item name is used to uniquely select an item. An item value is the actual content of the item; for example, a Teradata Database user password, or a credit card number.

Items are stored in a wallet, and each user has a unique wallet; item names within a single wallet must be unique. For example, a user can have only one item named “password_proddev”, but different users can each have an item named “password_proddev”, possibly with different values.

Item values typically contain sensitive information. This facility provides unrestricted access by a given user to that user’s stored items, while employing various techniques including encryption, memory locking and overwriting, and system protections to inhibit access by other users.  This facility does not consider item names as sensitive and does not similarly protect them. Item names are case-insensitive such that a user could save an item using the name “password_proddev” and retrieve the same item using the name “Password_proddev”.

(Figure: a wallet item with the name “banana” and the value “YRUhere1$”)

As shown in the picture, the item has the name “banana” and the value “YRUhere1$”.

Both item names and item values are sequences of Unicode characters.  The Teradata Wallet software preserves the case of item names and item values.

Item Names:

Item names are arbitrary and are chosen by the user.  An item name is used to select an item from a user’s wallet.  For example, the following LOGON command refers to an item named “banana”:

.LOGON TestEnv/User1,$tdwallet(banana)

Wallet item names are like filenames: you can name one almost anything, but it is wise to choose a name that helps you remember what it holds.

Item Values:

Item values may hold sensitive or confidential information such as Teradata Database passwords.  The Teradata Wallet software protects these values in two ways:

  1. Encrypting item values when passing them to any system call.
  2. Encrypting item values when they are saved on disk.

 

Using CLIv2 (Call Level Interface version 2) to connect to the Teradata Database

Logging on to a Teradata Database requires the user to supply a password, which can cause problems:

-Job scripts require the inclusion of a password, which is then exposed in plain text.

-Someone watches the user type in the password.

-Users with access to multiple database systems write their passwords on sticky notes in order to remember them.

Now, rather than placing passwords within job scripts or recording them on sticky notes, users can store passwords in Teradata Wallets.

The Teradata wallet utility

tdwallet is a command-line program used to administer your wallet.  It supports one subcommand for each action it can perform.  Supply subcommands as command-line arguments; when you give several subcommands, the associated actions are performed in the order given on the command line.  Alternatively, run tdwallet with no arguments to use it in interactive mode, in which you supply subcommands as input.

The Teradata Wallet package ships with this basic command-line tool.

It is used to add and delete items from the wallet, to list the names of the items in the wallet, and so on.

The wallet includes online help information; to access this, execute “tdwallet help” from the command line:

sh-4.1$ tdwallet help

USAGE: tdwallet help [<topic>] …

DESCRIPTION:

Displays helpful information about the listed topic(s).  If no topic is given, displays this information.  Available topics include:

overview tool security encodings limits add addsk del list chgpwd suppwd forgetpwd chgsavkey help version

 

SEE ALSO:

tdwallet help overview

sh-4.1$

 

This shows the “help” topic itself.  To read another topic, execute “tdwallet help <topicname>” where <topicname> is the name of the topic.  View the “add” topic as follows:

sh-4.1$ tdwallet help add

USAGE: tdwallet add <name>

 

DESCRIPTION:

Adds an item to your wallet.  The name of the added item will be <name>.  tdwallet prompts you for the value of the item.

 

The added item value will be protected using the password protection scheme.

 

NOTE:

If the wallet password is not already available, then tdwallet prompts you for the wallet password.

 

SEE ALSO:

tdwallet help overview

 

EXAMPLE:

$ tdwallet add com.teradata.td2,cs4400s3,joe

Enter desired value for the item named “com.teradata.td2,cs4400s3,joe”:

Item named “com.teradata.td2,cs4400s3,joe” added.

$

sh-4.1$

 

Business Value

Teradata Wallet provides an easy method for securely storing Teradata passwords, making your Teradata data more secure. It is particularly valuable for protecting passwords on application servers or other shared computers that host multiple users and connect to multiple databases.

Teradata Wallet prevents every user from accessing another user’s wallet data, while making a user’s own wallet information freely available to that user.  The software enforces this based on the client system’s notion of the user:

On Unix/Linux this is administered by user identifier (UID).

On Windows it is administered by security identifier (SID).

Of course, the client machine cannot tell who is actually typing at the keyboard; it provides security based on the logged-in user.  It is therefore important to secure access to your user account, for example by logging off or locking your computer when you leave it unattended.

Currently, only logon processing performed through Teradata Call Level Interface version 2 (CLIv2) for Network Attached Systems and the Teradata ODBC Driver uses Teradata Wallet. The following Teradata client products use CLIv2 to connect to the Teradata Database:

-Basic Teradata Query Utility (BTEQ)

-Teradata Fast Load (FL)

-Teradata MultiLoad (ML)

-Teradata Parallel Data Pump (Tpump)

-Teradata Fast Export (FE)

-Teradata ARC (ARC)

-Teradata Preprocessor 2(PP2)

-Teradata Parallel Transporter (TPT)

As a troubleshooting aid, set the TDWALLET_DEBUG_FILE environment variable before attempting to use Teradata Wallet.  For example:

TDWALLET_DEBUG_FILE=tdwalletgenerated.log
export TDWALLET_DEBUG_FILE
fastload < flinsert.fastload
cat tdwalletgenerated.log

This will produce a trace of the calls to the Teradata Wallet subsystem.

How it Works

Wallet data is isolated by client user and a given user can only access data from his/her own wallet.

The system looks in User1’s wallet for the item with the given name (for example “password_for_User1”) and then retrieves the encrypted value associated with it (for example “g0t#L0st#”).

How to get started:

  1. Install the TDWallet software package onto your client computer.  This package is part of the TTU (Teradata Tools and Utilities) release.  Teradata Wallet is an optional package: you must select it in order to install it, and you need not install it if you do not intend to use Teradata Wallet.
  2. Install the Teradata Call Level Interface version 2 software package onto your client machine.  This should be the latest version and should be installed after the tdwallet package.
  3. Run the tdwallet utility to add items to your wallet.  For example:
    $ tdwallet add password_Test
    Enter desired value for the string named “password_Test”:
    Us3r@T3st
    String named “password_Test” added.
  4. Use $tdwallet in login information when connecting to the Teradata Database.  For example:
    $ cat deptquery.txt
    .logon Test/User1,$tdwallet(password_Test)
    .SET SEPARATOR ' | '
    SELECT * FROM department;
    .logoff
    .exit
    $ bteq < deptquery.txt
    BTEQ 15.00.00.00 Mon Nov 14 15:55:38 2011
    +———+———+———+———+———+———+———+—-
    .LOGON Test/User1,
    *** Logon successfully completed.
    *** Teradata Database Release is 15.00.00.00

When the logon information is processed, “$tdwallet(password_Test)” will be replaced with the value of the item named “password_Test” from the current user’s wallet.
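The substitution performed at step 4 can be modelled in a few lines. This is an added Python example, not Teradata’s code: CLIv2 performs the real substitution, and the Wallet class, resolve_logon and logon_for_echo below are assumptions written to illustrate the rules the page states (one wallet per client user, case-insensitive item names that are unique within a wallet, and a lookup that only ever reaches the calling user’s wallet).

```python
import re
from typing import Dict, List

# Matches a $tdwallet(<name>) reference inside a logon string. Item names on
# the page contain letters, digits, underscores, commas and dots, so anything
# except parentheses is accepted between the brackets.
TDWALLET_REF = re.compile(r"\$tdwallet\(([^()]+)\)")


class Wallet:
    """Toy model of one client user's wallet: a case-insensitive name -> value map.

    Teradata Wallet keeps one wallet per client user (UID on Unix/Linux, SID on
    Windows); here the owner is only a label so two wallets can be told apart.
    """

    def __init__(self, owner: str) -> None:
        self.owner = owner
        self._items: Dict[str, str] = {}  # key: case-folded name, value: item value

    def add(self, name: str, value: str) -> None:
        # Names are unique within a wallet regardless of case.
        key = name.casefold()
        if key in self._items:
            raise ValueError(f"item named {name!r} already exists in {self.owner}'s wallet")
        self._items[key] = value

    def get(self, name: str) -> str:
        try:
            return self._items[name.casefold()]
        except KeyError:
            raise LookupError(f"no item named {name!r} in {self.owner}'s wallet") from None

    def names(self) -> List[str]:
        return sorted(self._items)


def resolve_logon(logon: str, wallet: Wallet) -> str:
    """Replace every $tdwallet(name) in a logon string with the item value.

    Models what CLIv2 does when it processes the logon string: the reference
    is looked up only in the wallet of the client user running the job.
    """
    return TDWALLET_REF.sub(lambda m: wallet.get(m.group(1)), logon)


def logon_for_echo(logon: str) -> str:
    """Return the logon line with the password part (after the first comma)
    dropped, the way BTEQ echoes '.LOGON Test/User1,' without the secret."""
    head, sep, _password = logon.partition(",")
    return head + sep


if __name__ == "__main__":
    user1 = Wallet("User1")
    user1.add("password_Test", "Us3r@T3st")  # constructed sample item
    user2 = Wallet("User2")

    script_line = ".logon Test/User1,$tdwallet(password_Test)"
    print(resolve_logon(script_line, user1))  # value substituted from User1's wallet
    print(logon_for_echo(script_line))        # what a job log should show
    try:
        resolve_logon(script_line, user2)     # User2's wallet has no such item
    except LookupError as exc:
        print("User2:", exc)
```

The model keeps the secret out of anything that is logged: resolve_logon returns the string handed to the database connection, while logon_for_echo returns the form that belongs in job output, matching the BTEQ echo shown in step 4.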

 

Teradata Wallet Security:

Teradata Wallet protects each item value using one of two protection schemes: password or saved-key.

A single wallet may contain both password-protected and saved-key-protected item values.

The password protection scheme enciphers item values with a key that is derived from a user-supplied wallet password.  Before any password-protected item values can be added to a user’s wallet, the user must establish a password for the wallet.  This encryption password is never saved to any file.

The Teradata Wallet facility automatically starts a daemon process to hold information derived from the wallet password.  This daemon lets the user add new password-protected items to the wallet and retrieve password-protected items from it without repeatedly providing the wallet password. For the lifetime of the daemon process, the user need not provide the wallet password again, even after logging out and logging back in.  If the daemon process terminates for any reason, for example because the system is rebooted or the user kills the daemon, the user must resupply the wallet password to regain access to password-protected item values in the wallet. The “suppwd” subcommand resupplies the wallet password.

Since the information needed to decipher the password-protected item values in the wallet is never saved, this password protection scheme is considered to be more secure than the saved-key protection scheme. The saved-key protection scheme enciphers item values with a key that is derived from a user-supplied encryption passphrase.  Before any saved-key item values can be added to a user’s wallet, the user must provide an encryption passphrase from which an encryption key is derived.  This encryption key is itself enciphered and stored within the user’s wallet.  The key used in this second encipherment while buried in the software is not well hidden, so an attacker who somehow gains access to a user’s wallet (by defeating system protections), will be able to access the stored sensitive information.  The saved-key protection scheme supports non-interactive environments in which a user’s job needs to run after the system is rebooted, but where the user is not physically present to supply any information.

 

To summarize, once the system is rebooted, the user must resupply the wallet password for accessing password-protected item values, but need not supply the wallet password for accessing saved-key-protected item values.

It is worthwhile to take note of distinctions between the secret information used by the two protection schemes.  The password protection scheme uses a secret referred to as the wallet password. In contrast, the saved-key protection scheme uses a secret derived from the wallet’s encryption passphrase.  It is very important for the user to remember the wallet password; if the wallet password is lost, password-protected item values cannot be accessed. In contrast, with saved-key there is no need to remember the wallet’s encryption passphrase as it never needs to be reentered.
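To make the contrast between the two schemes concrete, here is an added toy model in Python. It is not Teradata’s code or file format: the cipher, the PBKDF2 key derivation and the SOFTWARE_WRAP_KEY constant are constructed stand-ins for the mechanisms the text describes. It stores one password-protected and one saved-key-protected item, then tries to open each as if after a reboot, when the daemon is gone and only the stored record is available.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed stand-in for the key the text says is "buried in the software".
# Anyone holding the client software can read it, so it offers no real secrecy.
SOFTWARE_WRAP_KEY = hashlib.sha256(b"constant compiled into the client software").digest()


def derive_key(secret: str, salt: bytes) -> bytes:
    """Derive a 32-byte key from a wallet password or passphrase (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 100_000, dklen=32)


def _xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy keystream: HMAC-SHA256 of a block counter, XORed over the data."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        keystream = hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], keystream))
    return bytes(out)


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    """Ciphertext followed by a 32-byte HMAC tag. Illustrative only, not Teradata's algorithm."""
    ct = _xor_stream(key, data)
    return ct + hmac.new(key, b"tag" + ct, hashlib.sha256).digest()


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting, so a wrong key fails closed instead of yielding garbage."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"tag" + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or corrupted item")
    return _xor_stream(key, ct)


def protect_password_scheme(value: str, wallet_password: str) -> Dict[str, bytes]:
    """Password scheme: the item key is derived from the wallet password.
    Only the salt and ciphertext are written; the key exists only in the daemon's memory."""
    salt = os.urandom(16)
    key = derive_key(wallet_password, salt)
    return {"scheme": b"password", "salt": salt, "ct": toy_encrypt(key, value.encode("utf-8"))}


def protect_saved_key_scheme(value: str, passphrase: str) -> Dict[str, bytes]:
    """Saved-key scheme: the item key is derived from the passphrase, then the key
    itself is enciphered under the software's constant and stored beside the item."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt)
    return {
        "scheme": b"saved-key",
        "salt": salt,
        "wrapped_key": toy_encrypt(SOFTWARE_WRAP_KEY, key),
        "ct": toy_encrypt(key, value.encode("utf-8")),
    }


def read_item_after_reboot(record: Dict[str, bytes], wallet_password: Optional[str] = None) -> str:
    """Open a stored item when the daemon is gone, i.e. from the wallet file alone.

    A saved-key item opens with nothing but the record and the software's constant
    (the passphrase is never needed again). A password item cannot be opened until
    the wallet password is resupplied, as with 'tdwallet suppwd'.
    """
    if record["scheme"] == b"saved-key":
        key = toy_decrypt(SOFTWARE_WRAP_KEY, record["wrapped_key"])
        return toy_decrypt(key, record["ct"]).decode("utf-8")
    if wallet_password is None:
        raise PermissionError("wallet password required to open a password-protected item")
    key = derive_key(wallet_password, record["salt"])
    return toy_decrypt(key, record["ct"]).decode("utf-8")


if __name__ == "__main__":
    # Constructed sample values; "g0t#L0st#" is the example value used earlier on the page.
    pw_item = protect_password_scheme("g0t#L0st#", "wallet-pw")
    sk_item = protect_saved_key_scheme("g0t#L0st#", "any passphrase")
    print("saved-key item after reboot:", read_item_after_reboot(sk_item))
    try:
        read_item_after_reboot(pw_item)
    except PermissionError as exc:
        print("password item after reboot:", exc)
    print("password item after suppwd:", read_item_after_reboot(pw_item, "wallet-pw"))
```

The saved-key item opens from the record alone because the key that wraps it ships with the software, which is exactly why that scheme leans on the operating system’s protection of the wallet file and is the right choice only for unattended jobs. The password-protected item refuses until the wallet password is supplied, and a wrong password fails on the integrity tag rather than decrypting to garbage.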

 

Features

Use this feature when:

Users are running scripted applications: They can embed password retrieval syntax into scripts instead of compromising security by including a password.

Users are accessing multiple Teradata Database systems: they can automatically retrieve the correct password for each system instead of having to remember it or look it up.

DO NOT use this feature when:

All users log in to the same client machine using the same login (and so are seen as the same user on the client system) AND each user has a separate Teradata Database user name and password.

In this situation it would not be sensible to use tdwallet, because the users would be able to access each other’s Teradata Database password (since they would all be using the same wallet).

 
