Have you ever wanted to keep your Teradata Database passwords private and not be exposed in scripts? If you have, then we have a solution for you.
Teradata Wallet is a new software package included in the Teradata Tools and Utilities 14.00. This article explains how you can use this new software to secure your Teradata Database passwords on your client computer.
The information stored by Teradata Wallet is segregated by client user. So, if a given client computer has three users, davidp, scottr, and joen, then you might visualize the information stored in Teradata Wallet as follows:
A given user can only access information from his own wallet. So, all Teradata Wallet accesses by davidp will necessarily go to davidp's wallet. davidp cannot access anything in scottr's wallet and cannot access anything in joen's wallet.
A wallet contains a set of items. Each item has two parts: a name and a value.
The following picture shows a wallet containing four items:
One of the items has a name of "password_for_slugger" and a value of "g0t#L0st#".
One of the items has a name of "password_for_cs4400s3" and a value of "heLP4me$".
One of the items has a name of "password_for_deft1" and a value of "rsKr0myH".
One of the items has a name of "banana" and a value of "YRUhere1$".
Both item names and item values are sequences of Unicode characters. The Teradata Wallet software preserves the case of item names and item values.
Item names are arbitrary and are fabricated by the user. An item name is used to select an item from a user's wallet. For example, in the following LOGON command, there is a reference to an item named "banana":
In this way, wallet item names are similar to filenames... you can name a file just about anything, but it is beneficial to use a name that helps you remember what's in it.
Wallet item names are case insensitive. As such, a name of "banana" is the same as a name of "BANANA". If you added an item using the name "banana", you could reference that item as "Banana", "BANANA", or even "BaNaNa". But if you added an item using the name "banana", you could not then add an item named "BANANA" because you would get an error indicating that an item with the given name already exists in your wallet.
It is important to realize that item names are scoped to a user's wallet. So if davidp added a string named "banana" to his wallet and scottr then tried to add a string named "banana", the second addition could still succeed, because davidp and scottr are using different wallets, and an item named "banana" in davidp's wallet is a different item than an item named "banana" in scottr's wallet.
Item names are not considered by the Teradata Wallet software to be sensitive/confidential, and the software does not take extensive measures to protect them.
Item values may contain sensitive/confidential information such as Teradata Database passwords. The Teradata Wallet software takes extensive measures to protect item values such as:
The Teradata Wallet package contains a rudimentary command-line tool named "tdwallet". This tool is used to add items to your wallet, delete items from your wallet, list the names of items in your wallet, etc. tdwallet includes on-line help information; to access this, execute "tdwallet help" from the command line:
USAGE: tdwallet help [<topic>] ...
Displays helpful information about the listed topic(s). If no topic is
given, displays this information. Available topics include:
overview tool security encodings limits add del list help version
tdwallet help overview
This shows the "help" topic itself. To read another topic, execute "tdwallet help <topicname>" where <topicname> is the name of the topic. View the "add" topic as follows:
C:\Users\davidp>tdwallet help add
USAGE: tdwallet add <name>
Adds a string to your wallet. The name of the added string
will be <name>. tdwallet prompts you for the value of the string.
$ tdwallet add password_proddev
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
How to get started:
When the logon information is processed, "$tdwallet(password_proddev)" will be replaced with the value of the item named "password_proddev" from the current user's wallet.
When found during logon processing, a string of the form $tdwallet(somestring) is replaced as follows:
Thus, instead of:
we could have used:
When found during logon processing, a string of the form $tdwallet (without "(somestring)") is replaced as follows:
The replacement process is iterative, querying the wallet repeatedly until no instances of $tdwallet(somestring) or $tdwallet remain.
To demonstrate, consider the following:
If joen uses a script that starts as follows:
The logon processing will detect the $tdwallet in the logon information. Since logon processing is using the TD2 logon mechanism, the logon processing queries joen's wallet for an item named com.teradata.TD2. This query will result in an item having a value of $tdwallet(password_$(tdpid)). This matches $tdwallet(somestring) where somestring is password_$(tdpid). Next, "password_$(tdpid)" is processed into "password_proddev". The logon processing queries joen's wallet for an item named password_proddev. This query will result in an item having a value of UR1geek2B. This does not contain any matches of $tdwallet(somestring) or $tdwallet. So, UR1geek2B is the ultimate replacement, yielding logon information of proddev/joen,UR1geek2B, which is used to attempt to log on to the Teradata Database.
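The iterative replacement described above, as an added example that is not Teradata's code: the wallets are a constructed in-memory dictionary keyed by client user, joen's items reproduce the article's worked example, and davidp's items are made up here. It assumes that a bare $tdwallet maps to the item com.teradata.<mechanism> (the article shows this only for TD2) and that $(tdpid) inside an item name is replaced by the tdpid before the lookup; the round limit is this example's own guard against a self-referencing item.

```python
import re

# Constructed sample wallets, one per client user, mirroring the article's
# segregation by user. joen's items reproduce the article's worked example;
# davidp's items are made up for this example.
WALLETS = {
    "joen": {
        "com.teradata.TD2": "$tdwallet(password_$(tdpid))",
        "password_proddev": "UR1geek2B",
    },
    "davidp": {
        "banana": "YRUhere1$",
        "loop": "$tdwallet(loop)",  # deliberately self-referencing item
    },
}

# $tdwallet(name), allowing one level of parentheses inside the name for $(tdpid)
ITEM_REF = re.compile(r"\$tdwallet\(((?:[^()]|\([^()]*\))*)\)")
BARE_REF = re.compile(r"\$tdwallet(?!\()")  # $tdwallet without "(name)"


def lookup(user, name):
    """Case-insensitive lookup, restricted to the calling user's own wallet."""
    for item, value in WALLETS.get(user, {}).items():
        if item.casefold() == name.casefold():
            return value
    raise KeyError(f"no item named {name!r} in the wallet of {user!r}")


def resolve_logon(logon, user, tdpid, mechanism="TD2", max_rounds=16):
    """Replace wallet references repeatedly until none remain.

    Assumptions (not stated by the article beyond the TD2 case): a bare
    $tdwallet maps to com.teradata.<mechanism>, and $(tdpid) inside an item
    name is expanded to the tdpid before that item is looked up.
    """
    default_item = f"com.teradata.{mechanism}"
    for _ in range(max_rounds):
        text = ITEM_REF.sub(
            lambda m: lookup(user, m.group(1).replace("$(tdpid)", tdpid)), logon)
        text = BARE_REF.sub(lambda m: lookup(user, default_item), text)
        if not ITEM_REF.search(text) and not BARE_REF.search(text):
            return text  # no $tdwallet(somestring) or $tdwallet left
        logon = text
    # Round limit is this example's own guard; a real cycle would otherwise loop forever.
    raise RuntimeError("wallet references did not settle (self-referencing item?)")
```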
Replacement processing can be useful on other parts of the logon information. To demonstrate, consider the following:
All three of these users could use a shared script having a LOGON command like:
When each user runs the script, the Teradata Database username and Teradata Database password are retrieved from the appropriate wallet during the logon processing.
Teradata Wallet prevents one user from accessing the wallet information of another user. However, it makes a user's wallet information freely available to the owning user. The software provides this enforcement based on the client system's notion of a user. On Unix/Linux this is by user identifier (UID). On Windows this is by security identifier (SID). Obviously, the client computer cannot tell which human is typing on the keyboard; it provides security based on the logged-in user. As such, it is important to secure access to your user account, for example by logging off or locking your computer when you leave it unattended.
At present, only logon processing that is initiated through Teradata CLIv2 for Network Attached Systems and Teradata ODBC Driver utilizes Teradata Wallet. This includes tools such as:
- Basic Teradata Query Utility (BTEQ)
- Teradata FastLoad
- Teradata MultiLoad
- Teradata Parallel Data Pump (TPump)
- Teradata FastExport
- Teradata ARC
- Teradata Preprocessor2 (PP2)
- Teradata Parallel Transporter (TPT)
As a diagnostic tool, you can set the TDWALLET_DEBUG_FILE environment variable before attempting to use Teradata Wallet. For example:
fastload < flinsert.fastload
This will produce a trace of the calls to the Teradata Wallet subsystem.
Good judgment comes from experience and experience comes from bad judgment.