Understanding Teradata Wallet (tdwallet)
Teradata Wallet is a facility for storing sensitive/secret information, such as Teradata Database user passwords. Users save and retrieve items by using the facility.
Wallet, or tdwallet, is a recent component of the Teradata software, introduced in the Teradata Tools and Utilities (TTU) packages of version 14.00/15.00 and later, that lets customers store passwords/credentials (or other confidential information) securely on client computers or application servers. This stored information is used when signing in to the Teradata Database with any utility or piece of software that uses Teradata CLIv2 (Call Level Interface version 2) to connect to the Teradata Database.
Key Concept behind Teradata Wallet (tdwallet):
The information stored by Teradata Wallet is separated by client user. So, if a given client computer has three users, User1, User2, and User3, you might visualize the information stored in Teradata Wallet as three separate wallets, one for each user.
A given user can only access information from his own wallet. So, all Teradata Wallet accesses by User1 necessarily go to User1's wallet. User1 cannot access anything in User2's wallet and cannot access anything in User3's wallet.
Items :
Teradata Wallet is a facility for storing sensitive/secret information, such as Teradata Database user passwords. Users save and retrieve items by using the facility. Each item has two parts:
(1) the name of the item, and
(2) the value of the item.
Both the name and the value of an item are sequences of Unicode characters of arbitrary content.
An item name, (1), is used to uniquely select an item; for example, it is possible to retrieve the value of the item named "password_proddev".
An item value, (2), is the actual content of the item; for example, a Teradata Database user password, or a credit card number.
Items are stored in a wallet. Each user has exactly one wallet. Item names must be unique within a given wallet; for example, a specific user could only have a single item named "password_proddev", but two different users, say "User1" and "User2", could each have an item named "password_proddev" with possibly different values.
Item values, (2), typically contain sensitive information. This facility provides unrestricted access by a given user to that user's stored items, (2), while employing various techniques, including encryption, memory locking and overwriting, and system protections, to inhibit access by other users. This facility does not consider item names, (1), sensitive and does not protect them in the same way. Item names, (1), are case-insensitive, so a user could save an item using the name "password_proddev" and retrieve the same item using the name "Password_proddev".
For example, one of the items might have the name "banana" and the value "YRUhere1$".
Both item names and item values are sequences of Unicode characters. The Teradata Wallet software preserves the case of item names and item values.
Item Names :
Item names are arbitrary and are chosen by the user. An item name is used to select an item from a user's wallet. For example, in the following LOGON command, there is a reference to an item named "banana":
.LOGON TestEnv/User1,$tdwallet(banana)
In this way, wallet item names are like filenames: you can name a file just about anything, but it is wise to use a name that helps you remember what's in it.
Item Values :
Item values may contain sensitive/confidential information, such as Teradata Database passwords. The Teradata Wallet software takes extensive measures to protect item values, such as:
1. Encrypting item values when passing them to any system call.
2. Encrypting item values when they are saved on disk.
Logging on to a Teradata Database requires the user to submit a password, which sometimes causes problems:
- Job scripts require the inclusion of a password, which is then exposed in plain text.
- Someone watches the user type in the password.
- Users with access to multiple database systems record their passwords on sticky notes in order to remember them.
Now, rather than placing passwords within job scripts or recording them on sticky notes, users can store passwords managed by Teradata Wallet/tdwallet.
The tdwallet utility
tdwallet is a simple command-line program used to administer your wallet. tdwallet supports one subcommand for each action that it can perform. Supply subcommands as command-line arguments when invoking tdwallet. When you give multiple subcommands, the associated actions are performed in the order given on the command line. Alternatively, execute tdwallet with no arguments to use tdwallet in interactive mode. In interactive mode, supply subcommands as input to tdwallet.
The Teradata Wallet package includes a basic command-line tool named "tdwallet". This tool is used to add items to your wallet, delete items from your wallet, list the names of items in your wallet, etc. tdwallet includes on-line help information; to access this, execute "tdwallet help" from the command line:
sh-4.1$ tdwallet help
USAGE: tdwallet help [<topic>] ...
DESCRIPTION:
Displays helpful
information about the listed topic(s).
If no topic is given, displays this information. Available topics include:
overview tool
security encodings limits add addsk del list chgpwd suppwd forgetpwd chgsavkey
help version
SEE ALSO:
tdwallet help overview
sh-4.1$
This shows the "help" topic itself. To read another topic, execute "tdwallet help <topicname>", where <topicname> is the name of the topic. View the "add" topic as follows:
sh-4.1$ tdwallet help add
USAGE: tdwallet add
<name>
DESCRIPTION:
Adds an item to your wallet. The name of the added item will be
<name>. tdwallet prompts you for
the value of the item.
The added item value will be protected
using the password protection scheme.
NOTE:
If the wallet password is not already
available, then tdwallet prompts you for the wallet password.
SEE ALSO:
tdwallet help overview
EXAMPLE:
$ tdwallet add
com.teradata.td2,cs4400s3,joe
Enter desired value for the item named
"com.teradata.td2,cs4400s3,joe":
Item named
"com.teradata.td2,cs4400s3,joe" added.
$
sh-4.1$
Business Value
Teradata Wallet delivers an easy method for making Teradata passwords, and therefore your Teradata data, more secure. It is particularly valuable for easy retrieval of passwords on application servers or other shared computers that host multiple users and connect to multiple databases.
Teradata Wallet restricts one user from accessing the tdwallet data of another user. However, it makes a user's wallet information freely available to the owning user. The software provides this control based on the client system's notion of a user:
On Unix/Linux this is by user identifier (UID).
On Windows this is by security identifier (SID).
Obviously, the client machine cannot tell who is typing on the keyboard; it provides security based on the logged-in user. As such, it is important to secure access to your user account, for example by logging off or locking your computer when you leave it unattended.
Currently, only logon handling that goes through Teradata Call Level Interface version 2 (CLIv2) for Network Attached Systems and the Teradata ODBC Driver uses Teradata Wallet. The following is a list of Teradata client products that use Teradata CLIv2 to connect to the Teradata Database:
-Basic Teradata Query Utility (BTEQ)
-Teradata FastLoad (FL)
-Teradata MultiLoad (ML)
-Teradata Parallel Data Pump (TPump)
-Teradata FastExport (FE)
-Teradata ARC (ARC)
-Teradata Preprocessor 2 (PP2)
-Teradata Parallel Transporter (TPT)
As a diagnostic tool, you can set the TDWALLET_DEBUG_FILE environment variable before attempting to use Teradata Wallet. For example:
TDWALLET_DEBUG_FILE=tdwalletgenerated.log
export TDWALLET_DEBUG_FILE
fastload < flinsert.fastload
cat tdwalletgenerated.log
This will produce a trace of the calls to the Teradata Wallet subsystem.
How it Works
Wallet data is isolated by client user, and a given user can only access data from his/her own wallet. The system checks User1's tdwallet for the item that has the requested name (for example, "password_for_User1") and then accesses the encrypted value associated with it (for example, g0t#L0st#).
How to get started:
1. If you do not yet have the tdwallet package, install the TdWallet software package onto your client computer. This package is part of the TTU release (Teradata Tools and Utilities). Teradata Wallet is an optional package, meaning that you need to select it in order to install it, but you need not install it if you do not want to use Teradata Wallet.
2. Install the Teradata Call Level Interface version 2 software package onto your client machine. This should be the latest version and should be installed after you install the tdwallet package.
3. Run the tdwallet utility to add items to your wallet. For example:
$ tdwallet add password_Test
Enter desired value for the string named "password_Test":
Us3r@T3st
String named "password_Test" added.
4. Use $tdwallet in the logon information when connecting to the Teradata Database. For example:
$ cat deptquery.txt
.logon Test/User1,$tdwallet(password_Test)
.SET SEPARATOR ' | '
SELECT * FROM department;
.logoff
.exit
$ bteq < deptquery.txt
BTEQ 15.00.00.00 Mon Nov 14 15:55:38 2011
+---------+---------+---------+---------+---------+---------+---------+----
.LOGON Test/User1,
*** Logon successfully completed.
*** Teradata Database Release is 15.00.00.00
...
When the logon information is processed, "$tdwallet(password_Test)" will be replaced with the value of the item named "password_Test" from the current user's wallet.
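As an added example (not part of the original post and not Teradata's own software), the following Python script audits a BTEQ job script for exactly the problem the steps above address: it flags any .logon line that still carries a literal password and checks that each $tdwallet(name) reference resolves, case-insensitively, to an item name the user's wallet lists. The script lines and item names are constructed sample data, and the regular expressions assume the ".logon tdpid/user,password" syntax shown above.

```python
import re

# Password field of a BTEQ ".logon tdpid/user,password" line (syntax as on the
# page). A .logon with no password part prompts interactively, so it is not matched.
LOGON_RE = re.compile(
    r"^\s*\.logon\s+(?P<tdpid>[^/\s]+)/(?P<user>[^,\s]+)\s*,\s*(?P<pw>\S+)",
    re.IGNORECASE)
# The "$tdwallet(name)" reference form shown on the page.
WALLET_REF_RE = re.compile(r"^\$tdwallet\((?P<name>[^)]+)\)$", re.IGNORECASE)

def find_wallet_item(item_names, name):
    """Item names are case-insensitive (page): return the stored spelling or None."""
    folded = name.casefold()
    return next((s for s in item_names if s.casefold() == folded), None)

def audit_logons(script_lines, item_names):
    """Return (line_no, status, detail) per .logon line; status is 'ok' (password
    comes from an existing wallet item), 'plaintext' (literal password embedded)
    or 'missing' ($tdwallet reference names an item the wallet does not list)."""
    results = []
    for line_no, line in enumerate(script_lines, start=1):
        m = LOGON_RE.match(line)
        if m is None:
            continue
        ref = WALLET_REF_RE.match(m.group("pw"))
        if ref is None:
            # Report the target, never the literal password itself.
            results.append((line_no, "plaintext", f"{m.group('tdpid')}/{m.group('user')}"))
            continue
        stored = find_wallet_item(item_names, ref.group("name"))
        if stored is None:
            results.append((line_no, "missing", ref.group("name")))
        else:
            results.append((line_no, "ok", stored))
    return results

# Constructed sample: a job script plus the item names "tdwallet list" would
# report for this user. Only names are needed; item values never leave the wallet.
SAMPLE_SCRIPT = """\
.logon Test/User1,$tdwallet(password_Test)
.SET SEPARATOR ' | '
SELECT * FROM department;
.logoff
.logon Prod/User1,Us3r@T3st
.logon Dev/User1,$tdwallet(PASSWORD_PRODDEV)
.logon QA/User1,$tdwallet(password_qa)
.exit
""".splitlines()
SAMPLE_ITEM_NAMES = ["password_Test", "password_proddev"]
```

Running audit_logons(SAMPLE_SCRIPT, SAMPLE_ITEM_NAMES) reports line 5 as a plaintext credential and line 7 as a reference to an item the wallet does not contain, while lines 1 and 6 resolve correctly.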
The tdwallet Security:
Teradata Wallet protects each item value using one of the following two protection schemes: password or saved-key. A single wallet may contain both password-protected and saved-key-protected item values.
The password protection scheme enciphers item values with a key that is derived from a user-supplied wallet password. Before any password-protected item values can be added to a user's wallet, the user must establish a password for the wallet. This encryption password is never saved to any file.
The Teradata Wallet facility starts a daemon process automatically to maintain information derived from this wallet password. This daemon process permits the user to add new password-protected items to the user's wallet and to retrieve password-protected items from the user's wallet without repeatedly having to provide the wallet password. During the lifespan of the daemon process, the user need not provide the wallet password again, even if the user logs out and logs back in. However, if the daemon process terminates for any reason (for example, if the system is rebooted, or if the user kills the daemon process), then the user will need to resupply the wallet password to regain access to password-protected item values in the wallet.
The user may issue the "suppwd" subcommand to resupply the wallet password. Because the information needed to decipher password-protected item values in the wallet is never saved, the password protection scheme is considered to be more secure than the saved-key protection scheme.
The saved-key protection scheme enciphers item values with a key that is derived from a user-supplied encryption passphrase. Before any saved-key item values can be added to a user's wallet, the user must provide an encryption passphrase from which an encryption key is derived. This encryption key is itself enciphered and stored within the user's wallet. The key used in this second encipherment, while buried in the software, is not well hidden, and as such an attacker who gains access to a user's wallet (by somehow defeating system protections) may be able to access the stored sensitive information. The saved-key protection scheme supports non-interactive environments in which a user's job needs to run after the system is rebooted, but where the user is not physically present to supply any information.
In summary, after the system is rebooted, the user must resupply the wallet password before accessing password-protected item values, but need not supply the wallet password before accessing saved-key-protected item values.
It is worthwhile to note the distinctions between the secret information used by the two protection schemes. The password protection scheme uses a secret referred to as the wallet password. In contrast, the saved-key protection scheme uses a secret derived from the wallet's encryption passphrase. It is very important for the user to remember the wallet password; if the wallet password is lost, password-protected item values cannot be accessed. In contrast, there is no need to remember the wallet's encryption passphrase, as it never needs to be reentered.
Features
Use this feature when:
Users are running scripted applications: they can embed password retrieval syntax into scripts instead of compromising security by including a password.
Users access multiple Teradata Database systems: they can automatically retrieve the correct password for a system instead of having to remember the password or look it up.
Do NOT use this feature when:
All users log in to the same client machine using the same login (and are therefore seen as the same user on the client system) AND each user has a separate Teradata Database user name and password.
In this situation, it would not be sensible to use tdwallet, because the users would be able to access each other's Teradata Database passwords (since they would all be using the same tdwallet).