I have one question. Teradata Wallet makes wallet data available to the user that created the wallet data. Now I am Admin of a Teradata RDBMS and we have an ETL Server with a named user for every operator. Now I want to save some credentials which I want every operator to be able to use so that they can continue their work, and the only purpose is that they must not know the password of the user. So in that case I will be creating this wallet data. So how will I be enabling them to use it? As I cannot log in as each user to enter the credentials.
(1) The security of Teradata Wallet is focused around preventing the wallet data of a given user from access by other users. Teradata Wallet does not go to great lengths to protect wallet data from access by the user owning the wallet.
(2) Only the owner of a wallet may add items to that wallet.
Having said this, depending on your requirements and environment, if you have administrative access on the ETL server perhaps you could accomplish what you want by using the "su" (switch user) utility. For example, if the user names of the operators on the ETL server are davidp, scottr, and joen, then you could log in to the ETL server as root (or other super-user account) and issue commands as follows:
    # su davidp -c 'tdwallet add password_proddev'
    Enter desired value for the string named "password_proddev":
    String named "password_proddev" added.
    # su scottr -c 'tdwallet add password_proddev'
    Enter desired value for the string named "password_proddev":
    String named "password_proddev" added.
    # su joen -c 'tdwallet add password_proddev'
    Enter desired value for the string named "password_proddev":
    String named "password_proddev" added.
    #
However, runas will prompt you to enter the password for davidp. If you can have the operator come type his password on your keyboard in response to this prompt (or if you know his password and can thus type it yourself) you are set.
Teradata Wallet's protection of item values in a user's wallet on Windows systems indirectly makes use of the user's login password and as such it is not possible to access the values of a user's wallet (including adding a new item) without some involvement of the user's login password. This is intentional and is by design.
Summoning the operator every time you need to manipulate the content of his wallet may seem like a bit of a hassle. The "runas" command also supports a /savecred option. You can use it like:
When the /savecred option to runas is used, the runas processing will check to see if you have saved the credentials for the target user (in this case davidp). If so, the saved credentials will be used and runas will not prompt for a password. If no saved credentials are found, runas prompts for the password and saves the credentials. In general, when using /savecred this means you only need to provide davidp's password the first time. While this could lessen the hassle a bit in some circumstances, it could still be a hassle. For example, if you work at a different physical location from one of the operators it may not be convenient for them to visit your desk to type in their password. Or, if one of the operators works on a different shift than you, then you and the operator may not be at the same location at the same time. You might think that you could just ask davidp to run...
runas /savecred /user:davidp "tdwallet list"
...from his own account. Unfortunately, this is not sufficient because it would result in davidp's credentials being saved within davidp's account. You need davidp's credentials to be saved within your Administrator account such that you can manipulate his wallet in the future. So, you need a way for you to permit davidp to run...
runas /savecred /user:davidp "tdwallet list"
...from the Administrator account. This, of course, would be easy to do if you were willing to give davidp the password to your Administrator account. However, giving away your Administrative password obviously is not a good idea! :-) I have found multiple third-party tools designed to allow a standard user to run a given program as Administrator without that user supplying the Administrator password; a list of these tools is available at http://www.wilderssecurity.com/showthread.php?t=267045. I have successfully used SuperExec for this type of thing in the past, but have not used the others. I should mention that both (a) saving passwords, and (b) using software downloaded from the Internet involve risks.
Hi Shawn, Thanks for providing great info on the TD wallet. I was able to set up the wallet configuration on my Windows client, and I will be doing the same on AIX; however, while using BTEQ 13.10 it gives me a logon error. I could not find the 14.x BTEQ in the TTU downloads. Any help would be appreciated. Thanks.
It's easy enough to get tdwallet working with bteq, but does anyone have instructions for how to reference a wallet string from within a TPT script? I have tried several variations on the syntax used for bteq without success.
Specifically, the TPT script in the DDL operator, for example, requires a value for UserPassword: