Introducing Teradata Wallet

Enthusiast

Re: Introducing Teradata Wallet

I have one question. Teradata Wallet makes wallet data available to the user that created the wallet data.
Now I am Admin of a Teradata RDBMS and we have an ETL Server with a named user for every operator. Now I want to save some credentials which I want every operator to be able to use to make sure they continue their work, and the only purpose is that they must not know the password of the user. So in that case I will be creating this wallet data. So how will I be enabling them to use it? As I cannot log in from each user to enter the credentials.
Teradata Employee

Re: Introducing Teradata Wallet

Hi AJ,

Some points:

(1) The security of Teradata Wallet is focused around preventing the wallet
data of a given user from access by other users. Teradata Wallet does
not go to great lengths to protect wallet data from access by the user
owning the wallet.

(2) Only the owner of a wallet may add items to that wallet.

Having said this, depending on your requirements and environment, if you have administrative access on the ETL server perhaps you could accomplish what you want by using the "su" (switch user) utility. For example, if the user names of the operators on the ETL server are davidp, scottr, and joen, then you could log in to the ETL server as root (or other super-user account) and issue commands as follows:

# su davidp -c 'tdwallet add password_proddev'
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
# su scottr -c 'tdwallet add password_proddev'
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
# su joen -c 'tdwallet add password_proddev'
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
#

Thanks!
-shawn :-)
Enthusiast

Re: Introducing Teradata Wallet

Thanks Shawn. But what about Windows? How would I go to a specific user to add entries for him through the Administrator account?
Teradata Employee

Re: Introducing Teradata Wallet

Hi AJ,

Recent Windows systems include the "runas" command. So, for example, to add an item named password_proddev to davidp's wallet, you could run:

runas /user:davidp "tdwallet add password_proddev"

However, runas will prompt you to enter the password for davidp. If you can have the operator come type his password on your keyboard in response to this prompt (or if you know his password and can thus type it yourself) you are set.

Teradata Wallet's protection of item values in a user's wallet on Windows systems indirectly makes use of the user's login password and as such it is not possible to access the values of a user's wallet (including adding a new item) without some involvement of the user's login password. This is intentional and is by design.

Summoning the operator every time you need to manipulate the content of his wallet may seem like a bit of a hassle. The "runas" command also supports a /savecred option. You can use it like:

runas /savecred /user:davidp "tdwallet add password_proddev"

When the /savecred option to runas is used, the runas processing will check to see if you have saved the credentials for the target user (in this case davidp). If so, the saved credentials will be used and runas will not prompt for a password. If no saved credentials are found, runas prompts for the password and saves the credentials. In general, when using /savecred this means you only need to provide davidp's password the first time.
While this could lessen the hassle a bit in some circumstances, it could still be a hassle. For example, if you work at a different physical location from one of the operators it may not be convenient for them to visit your desk to type in their password. Or, if one of the operators works on a different shift than you, then you and the operator may not be at the same location at the same time.
You might think that you could just ask davidp to run...

runas /savecred /user:davidp "tdwallet list"

...from his own account. Unfortunately, this is not sufficient because it would result in davidp's credentials being saved within davidp's account. You need davidp's credentials to be saved within your Administrator account such that you can manipulate his wallet in the future. So, you need a way for you to permit davidp to run...

runas /savecred /user:davidp "tdwallet list"

...from the Administrator account. This, of course, would be easy to do if you were willing to give davidp the password to your Administrator account. However, giving away your Administrative password obviously is not a good idea! :-) I have found multiple third-party tools designed to allow a standard user to run a given program as Administrator without that user supplying the Administrator password; a list of these tools is available at http://www.wilderssecurity.com/showthread.php?t=267045. I have successfully used SuperExec for this type of thing in the past, but have not used the others. I should mention that both (a) saving passwords, and (b) using software downloaded from the Internet involve risks.

Best wishes!
-shawn :-)
Fan

Re: Introducing Teradata Wallet

Hi Shawn,
Thanks for providing great info on the TD wallet. I was able to set up the wallet configuration on my Windows client, and I will be doing the same on AIX; however, while using BTEQ 13.10 it gives me a logon error. I could not find the 14.x BTEQ in the TTU downloads. Any help would be appreciated.
Thanks.
Teradata Employee

Re: Introducing Teradata Wallet

Hi sjetti,

Teradata BTEQ 14.00 is on the Teradata Tools and Utilities DVD.

Regards,
-shawn :-)

Re: Introducing Teradata Wallet

It's easy enough to get tdwallet working with bteq, but does anyone have instructions for how to reference a wallet string from within a TPT script? I have tried several variations on the syntax used for bteq without success.

Specifically, the TPT script in the DDL operator, for example, requires a value for UserPassword:

DEFINE OPERATOR DDL_OPERATOR
TYPE DDL
ATTRIBUTES
(
VARCHAR PrivateLogName = 'ddl_log',
VARCHAR TdpId = @jobvar_tdpid,
VARCHAR UserName = @jobvar_username,
VARCHAR UserPassword = @jobvar_password,
VARCHAR WorkingDatabase = @jobvar_working_database,
VARCHAR ARRAY ErrorList = ['3807','3803','5980']
);

How can I replace that file or command-line provided @jobvar_password with a tdwallet reference?

Thanks.
Not applicable

Re: Introducing Teradata Wallet

Hi Shawn,

Can the TDwallet application be used with other database systems like Oracle, MySQL, MSSQL etc.? Is the application capable of working with SSH and other login mechanisms?

Thanks in advance!
-cslovak
Teradata Employee

Re: Introducing Teradata Wallet

Hi Shawn,

Something confuses me. The process of iterative substitution: would it be an infinite loop or not?
I have added items like this:

./tdwallet add abcd -> $tdwallet(efgh)
./tdwallet add efgh -> $tdwallet(abcd)

What is the real password when I am running -w $tdwallet(abcd)?

Thanks
-jeffry
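
The circular case asked about above can be made concrete with a small resolver. This is an added example, not Teradata Wallet code and not part of the original post: the resolve function, the dicts standing in for a wallet, and the choice to raise an error on a loop are all assumptions, and this page does not state how tdwallet itself treats such input.

```python
import re

# Matches the $tdwallet(name) reference syntax quoted in the post above.
REF = re.compile(r"\$tdwallet\(([^()]+)\)")


class WalletCycleError(ValueError):
    """Raised when wallet items reference each other in a loop."""


def resolve(text, wallet, _chain=()):
    """Expand every $tdwallet(name) reference in text, repeatedly.

    wallet is a plain dict used as a hypothetical stand-in for one user's
    wallet. _chain holds the item names currently being expanded on this
    path, so meeting one of them again means the references are circular.
    """
    def expand(match):
        name = match.group(1)
        if name in _chain:
            loop = " -> ".join(_chain[_chain.index(name):] + (name,))
            raise WalletCycleError("circular reference: " + loop)
        if name not in wallet:
            raise KeyError("no wallet item named " + name)
        # The stored value may itself contain references: expand it too.
        return resolve(wallet[name], wallet, _chain + (name,))

    return REF.sub(expand, text)


# Constructed sample data: the two items from the post, plus a chain that
# ends in a literal value (the literal is made up for this example).
CYCLIC = {"abcd": "$tdwallet(efgh)", "efgh": "$tdwallet(abcd)"}
CHAINED = {"password_proddev": "$tdwallet(pw_real)", "pw_real": "constructed-value"}

if __name__ == "__main__":
    print(resolve("$tdwallet(password_proddev)", CHAINED))
    try:
        resolve("$tdwallet(abcd)", CYCLIC)
    except WalletCycleError as err:
        print(err)
```

Tracking the names on the current expansion path, rather than every name ever seen, lets the same item be referenced twice in one string without being mistaken for a loop.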

Re: Introducing Teradata Wallet

Is there a way to pass the "password" or other encrypted text to the 'add' or 'addsk' command?