Recent comments
Introducing Teradata Wallet
Have you ever wanted to keep your Teradata Database passwords private and not be exposed in scripts? If you have, then we have a solution for you.
Teradata Wallet is a new software package included in the Teradata Tools and Utilities 14.00. This article explains how you can use this new software to secure your Teradata Database passwords on your client computer.
Key concepts
Wallets
The information stored by Teradata Wallet is segregated by client user. So, if a given client computer has three users: davidp, scottr, and joen, then you might visualize the information stored in Teradata Wallet as follows:
A given user can only access information from his own wallet. So, all Teradata Wallet accesses by davidp will necessarily go to davidp's wallet. davidp cannot access anything in scottr's wallet and cannot access anything in joen's wallet.
Items
A wallet contains a set of items. Each item has two parts:
- The item name.
- The item value.
The following picture shows a wallet containing four items:
.bmp "Attribution: http://www.flickr.com/photos/rh1n0/4157547404/in/photostream/")
One of the items has a name of "password_for_slugger" and a value of "g0t#L0st#".
One of the items has a name of "password_for_cs4400s3" and a value of "heLP4me$".
One of the items has a name of "password_for_deft1" and a value of "rsKr0myH".
One of the items has a name of "banana" and a value of "YRUhere1$".
Both item names and item values are sequences of Unicode characters. The Teradata Wallet software preserves the case of item names and item values.
Item names
Item names are arbitrary and are fabricated by the user. An item name is used to select an item from a user's wallet. For example, in the following LOGON command, there is a reference to an item named "banana":
.LOGON proddev/dave,$tdwallet(banana)
In this way, wallet item names are similar to filenames... you can name a file just about anything, but it is beneficial to use a name that helps you remember what's in it.
Wallet item names are case insensitive. As such a name of "banana" is the same as a name of "BANANA". If you added an item using the name "banana", you could reference that item as "Banana", "BANANA", or even "BaNaNa". But if you added an item using the name "banana", you could not then add an item named "BANANA" because you would get an error indicating that an item with the given name already exists in your wallet.
It is important to realize that wallet names are within the scope of a user's wallet. So if davidp added a string named "banana" to his wallet and then scottr then tried to add a string named "banana", the second addition could still succeed because davidp and scottr are using different wallets and an item named "banana" in davidp's wallet is a different item than an item named "banana" in joer's wallet.
Item names are not considered by the Teradata Wallet software to be sensistive/confidential and the software does not take extensive measures to protect them.
Item values
Item values may contain sensitive/confidential information such as Teradata Database passwords. The Teradata Wallet software takes extensive measures to protect item values such as:
- Encrypting item values when passing them to any system call.
- Encrypting item values when they are saved on disk.
The tdwallet utility
The Teradata Wallet package contains a rudimentary command-line tool named "tdwallet". This tool is used to add items to your wallet, delete items from your wallet, list the names of items in your wallet, etc. tdwallet includes on-line help information; to access this, execute "tdwallet help" from the command line:
C:\Users\davidp>tdwallet help
USAGE: tdwallet help [<topic>] ...
DESCRIPTION:
Displays helpful information about the listed topic(s). If no topic is
given, displays this information. Available topics include:
overview tool security encodings limits add del list help version
SEE ALSO:
tdwallet help overview
C:\Users\davidp>
This shows the "help" topic itself. To read another topic, execute "tdwallet help <topicname>" where <topicname> is the name of the topic. View the "add" topic as follows:
C:\Users\davidp>tdwallet help add
USAGE: tdwallet add <name>
DESCRIPTION:
Adds a string to your wallet. The name of the added string
will be <name>. tdwallet prompts you for the value of the string.
SEE ALSO:
tdwallet help overview
EXAMPLE:
$ tdwallet add password_proddev
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
$
C:\Users\davidp>
Simple usage scenario
How to get started:
- If you have not done so already, install the Teradata Wallet software package onto your client computer. This package is part of the Teradata Tools and Utilities 14.00 release. Teradata Wallet is an optional package, meaning that you need to select it in order to install it, but you need not install it if you do not want to use Teradata Wallet. Teradata Wallet is also available for download from http://developer.teradata.com/downloads.
- Install the Teradata CLIv2 software package onto your client computer. This should be version 14.00.00.02 or later and should be installed after you install the Teradata Wallet package.
-
Run the tdwallet utility to add items to your wallet. For example:
$ tdwallet add password_proddev
Enter desired value for the string named "password_proddev":
UR1geek2B
String named "password_proddev" added. -
Use $tdwallet in login information when connecting to the Teradata Database. For example:
$ cat deptquery.txt
.logon proddev/davepickard,$tdwallet(password_proddev)
.SET SEPARATOR ' | '
SELECT * FROM department;
.logoff
.exit
$ bteq < deptquery.txt
BTEQ 14.00.00.00 Mon Jun 12 15:55:38 2011
+---------+---------+---------+---------+---------+---------+---------+----
.LOGON proddev/davepickard,
*** Logon successfully completed.
*** Teradata Database Release is 14.00.00.00
...
When the logon information is processed, "$tdwallet(password_proddev)" will be replaced with the value of the item named "password_proddev" from the current user's wallet.
Logon information processing
When found during logon processing, a string of the form $tdwallet(somestring) is replaced as follows:
-
Process somestring as follows:
(a) Replace "\)" with ")".
(b) Replace "\$" with "$".
(c) Replace "\\" with "\".
(d) Replace "$(tdpid)" with the Teradata Database system. - Query the current user's wallet for an item with a name matching the result of the processing in step 1.
- The value of the item found by the query in step 2 is the replacement.
Thus, instead of:
.logon proddev/davepickard,$tdwallet(password_proddev)
we could have used:
.logon proddev/davepickard,$tdwallet(password_$(tdpid))
When found during logon processing, a string of the form $tdwallet (without "(somestring)") is replaced as follows:
- Query the current user's wallet for an item with a name matching com.teradata.mechanism, where mechanism is the logon mechanism being used (for example, "TD2").
- The value of the item found by the query in step 1 is the replacement.
The replacement process is iterative, querying the wallet repeatedly until no instances of $tdwallet(somestring) or $tdwallet remain.
To demonstrate, consider the following:
If joen uses a script that starts as follows:
.logmech TD2
.logon proddev/joen,$tdwallet
The logon processing will detect the $tdwallet in the logon information. Since logon processing is using the TD2 logon mechanism, the logon processing queries joen's wallet for an item named com.teradata.TD2. This query will result in an item having a value of $tdwallet(password_$(tdpid)). This matches $tdwallet(somestring) where somestring is password_$(tdpid). Next "password_$(tdpid)" is processed into "password_proddev". The logon processing queries joen's wallet for an item named password_proddev. This query will result in an item having a value of UR1geek2B. This does not contain any matches of $tdwallet(somestring) or $tdwallet. So, UR1geek2B is the ultimate replacement yielding logon information of proddev/joen,UR1geek2B, which is used to attempt to log on to the Teradata Database.
Replacement processing can be useful on other parts of the logon information. To demonstrate, consider the following:
All three of these users could use a shared script having a LOGON command like:
.logon proddev/$tdwallet(u),$tdwallet(p)
When each user runs the script, the Teradata Database username and Teradata Database password are retrieved from the appropriate wallet during the logon processing.
Notes
Teradata Wallet prevents one user from accessing the wallet information of another user. However, it makes a user's wallet information freely available to the owning user. The software provides this enforcement based on the client system's notion of a user. On Unix/Linux this is by user identifier (UID). On Windows this is by security identifier (SID). Obviously, the client computer cannot tell what human is typing on the keyboard, it provides security based on the logged in user. As such, it is important to secure access to your user account, for example, by logging off or locking your computer when you leave your computer unattended.
At present, only logon processing that is initiated through Teradata CLIv2 for Network Attached Systems and Teradata ODBC Driver utilizes Teradata Wallet. This includes tools such as:
- Basic Teradata Query Utility (BTEQ)
- Teradata FastLoad
- Teradata MultiLoad
- Teradata Parallel Data Pump (TPump)
- Teradata FastExport
- Teradata ARC
- Teradata Preprocessor2 (PP2)
- Teradata Parallel Transporter (TPT)
As a diagnostic tool, you can set the TDWALLET_DEBUG_FILE environment variable before attempting to use Teradata Wallet. For example:
TDWALLET_DEBUG_FILE=tdwallet.log
export TDWALLET_DEBUG_FILE
fastload < flinsert.fastload
cat tdwallet.log
This will produce a trace of the calls to the Teradata Wallet subsystem.
Good judgment comes from experience and experience comes from bad judgment.
Can we use this feature for LDAP ids too or only for NON LDAP and generic ids.
And i tried with NON LDAP id, its not working throwing an error: Logon Failed!
Is there any document or KA on this to explore more on this?
Thanks,
Geeta
Hi geethareddy,
You asked:
...Can we use this feature for LDAP ids...
Yes, Teradata Wallet can be used in conjunction with LDAP authentication.
You wrote:
...its not working throwing an error: Logon Failed!...
Verify that you are using the latest patch of Teradata CLIv2. If it still does not work for you, try it again with TDWALLET_DEBUG_FILE set as described in this article and send the specifics of what you tried along with the output it produced and the output written via TDWALLET_DEBUG_FILE to your local Teradata support representative.
Thanks!
-shawn :-)
Hi,
I too getting the same Error : "*** Failure 8017 The UserId, Password or Account is invalid.". Currently, We are in v13.10 version and as you said, i installed recent version of cliv2 (13.10.0.8) and also set the environment variable (TDWALLET_DEBUG_FILE) in windows xp machine. but it is not tracing anything in tdwallet.log file. Please assist me to test this tool.
Hi harshateradata,
You must use a 14.0 version of Teradata CLIv2. Teradata Wallet cannot be used from Teradata CLIv2 13.10.
Thanks!
-shawn :-)
Please let me know if I understand this correctly:
-The actual wallet data is stored locally on the application server
-The wallet utility is called on the application server by the user looking to set up its wallet
-The wallet is only accessible to the specific user it is created by (how is this security managed on linux vs windows?)
Thanks!
Marty
Hi Marty,
Teradata Wallet is intended for use on the computer which will be connecting to the Teradata Database. The actual wallet data is stored locally on that computer where you used Teradata Wallet. Teradata Wallet makes wallet data available to the user that created the wallet data while protecting that wallet data from access by other users. Teradata Wallet provides this enforcement based on the operating system's notion of a user. On Unix/Linux computers this is by user identifier (UID). On Windows computers this is by security identifier (SID). All application processes have an associated user. On Unix/Linux computers, you can see the user associated with a given process by displaying process status information by executing the "ps" utility with the "-f" option and inspecting the UID column. On Windows computers, you can see the user associated with a given process by viewing the "User Name" column on the Processes tab of Windows Task Manager. Security for wallet data involves a number of measures including, but not limited to, operating system protections (for example, file-system permissions on Unix/Linux computers) and cryptography (for example, AES-256 on Unix/Linux computers and DPAPI on Windows computers).
Thanks!
-shawn :-)
Shwan,
i tried with the V14 CLIv2, but when i tried to login, that time i got the ICU 14 is required, which is not available in T@YS, can you confirm what i am missing here, I really want to implement this at my client place instead of maintaining the passwords in an XL or some where. Also i would like to know about the documentation or Knowledge articles on this, can we get any further info in the form of PDF or something on this great feature.
Thanks.
Thanks,
Geeta
OK i got the confirmation from TERADATA, in the incident they have confirmed this feature is not supported right now. HEre is the comment by GSC rep.
All client packages must be 14.x to match. CLIV2, ICU, BTEQ, etc.... all must be 14.x or it will continue to fail. And yes, when it is in this state, this is unsupported because it is mismatched TTU versions which causes a conflict within all the client packages. All must be 13.xx or 14.xx. Yes, this current method you have set up is not supported. Please either downgrade to 13.10 to match all other TTU packages or upgrade to 14.xx which there may not be all the necessary patches available at this time to fix this issue.
Thanks,
Geeta
Hi geethareddy,
Teradata Wallet is supported right now, and yes, you do need to use matching Teradata Tools and Utilities 14.0 packages. Teradata ICU 14.0 is available on the Teradata Tools and Utilities 14.0 DVD and is also included in the CLIv2 download bundles available at https://downloads.teradata.com/download/connectivity. You should install software from the DVD and/or from Teradata Developer Exchange and only then install patches from T@YS.
Thanks!
-shawn :-)
I have one question. Teradata Wallet makes wallet data available to the user that created the wallet data.
Now I am Admin of a Teradata RDBMS and we have an ETL Server with named user for every operator. Now I want to save some credentials which I want every operator can use to make sure they continue their work and only purpose is that they must not know the password of the use. So in that case I will be creating this wallet data. o how will I be enabling them to use it. As I cannot login from each user to enter the credentials.
Regards,
AJ
Hi AJ,
Some points:
(1) The security of Teradata Wallet is focused around preventing the wallet
data of a given user from access by other users. Teradata Wallet does
not go to great lengths to protect wallet data from access by the user
owning the wallet.
(2) Only the owner of a wallet may add items to that wallet.
Having said this, depending on your requirements and environment, if you have administrative access on the ETL server perhaps you could accomplish what you want by using the "su" (switch user) utility. For example, if the user names of the operators on the ETL server are davidp, scottr, and joen, then you could log in to the ETL server as root (or other super-user account) and issue commands as follows:
# su davidp -c 'tdwallet add password_proddev'
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
# su scottr -c 'tdwallet add password_proddev'
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
# su joen -c 'tdwallet add password_proddev'
Enter desired value for the string named "password_proddev":
String named "password_proddev" added.
#
Thanks!
-shawn :-)
Thanks Shawn. But what about Windows. How would I go to specific user to add entries for him through Administrator account.
Regards,
AJ
Hi AJ,
Recent Windows systems include the "runas" command. So, for example, to add an item named password_proddev to davidp's wallet, you could run:
runas /user:davidp "tdwallet add password_proddev"
However, runas will prompt you to enter the password for davidp. If you can have the operator come type his password on your keyboard in response to this prompt (or if you know his password and can thus type it yourself) you are set.
Teradata Wallet's protection of item values in a user's wallet on Windows systems indirectly makes use of the user's login password and as such it is not possible to access the values of a user's wallet (including adding a new item) without some involvement of the user's login password. This is intentional and is by design.
Summoning the operator every time you need to manipulate the content of his wallet may seem like a bit of a hassle. The "runas" command also supports a /savecred option. You can use it like:
runas /savecred /user:davidp "tdwallet add password_proddev"
When the /savecred option to runas is used, the runas processing will check to see if you have saved the credentials for the target user (in this case davidp). If so, the saved credentials will be used and runas will not prompt for a password. If no saved credentials are found, runas prompts for the password and saves the credentials. In general, when using /savecred this means you only need to provide davidp's password the first time.
While this could lessen the hassle a bit in some circumstances, it could still be a hassle. For example, if you work at a different physical location from one of the operators it may not be convenient for them to visit your desk to type in their password. Or, if one of the operators works on a different shift than you, then you and the operator may not be at the same location at the same time.
You might think that you could just ask davidp to run...
runas /savecred /user:davidp "tdwallet list"
...from his own account. Unfortunately, this is not sufficient because it would result in davidp's credentials being saved within davidp's account. You need davidp's credentials to be saved within your Administrator account such that you can manipulate his wallet in the future. So, you need a way for you to permit davidp to run...
runas /savecred /user:davidp "tdwallet list"
...from the Administrator account. This, of course, would be easy to do if you were willing to give davidp the password to your Administrator account. However, giving away your Administrative password obviously is not a good idea! :-) I have found multiple third-party tools designed to allow a standard user to run a given program as Administrator without that user supplying the Administrator password; a list of these tools is available at http://www.wilderssecurity.com/showthread.php?t=267045. I have successfully used SuperExec for this type of thing in the past, but have not used the others. I should mention that both (a) saving passwords, and (b) using software downloaded from the Internet involves risks.
Best wishes!
-shawn :-)
Hi Shawn,
Thanks for providing great info on the TD wallet. I was able to setup the wallet configuration on my windows client which i will be doing the same on AIX, however while using BTEQ 13.10 it gives me error logon. I couldnot find the 14.x BTEQ in the TTU downloads. Any help would be appreciated.
Thanks.
Hi sjetti,
Teradata BTEQ 14.00 is on the Teradata Tools and Utilities DVD.
Regards,
-shawn :-)
It's easy enough to get tdwallet working with bteq, but does anyone have instructions for how to reference a wallet string from within a TPT script? I have tried several variations on the syntax used for bteq without success.
Specifically, the TPT script in the DDL operator, for example, requires a value for UserPassword:
DEFINE OPERATOR DDL_OPERATOR
TYPE DDL
ATTRIBUTES
(
VARCHAR PrivateLogName = 'ddl_log',
VARCHAR TdpId = @jobvar_tdpid,
VARCHAR UserName = @jobvar_username,
VARCHAR UserPassword = @jobvar_password,
VARCHAR WorkingDatabase = @jobvar_working_database,
VARCHAR ARRAY ErrorList = ['3807','3803','5980']
);
How can I replace that file or command-line provided @jobvar_password with a tdwallet reference?
Thanks.
Hi Shawn,
Can the TDwallet application be used with other database system like Oracle, MySQL, MSSQL etc? Is the application capable of working with SSH and other login mechanism ?
Thanks in advance!
-cslovak
Hi Shawn,
Something confuse me. The process of iterative substitution, it would be a infinite loop or not?
I have add item like this:
./tdwallet add abcd -> $tdwallet(efgh)
./tdwallet add efgh -> $tdwallet(abcd)
What is the real password when i running -w $tdwallet(abcd).
Thanks
-jeffry
Is there a way to pass the "password" or other encrypted text to the 'add' or 'addsk' command?
Is tdwallet supposed to work with Sql Assistant and Teradata.Net? It works fine with SQLA and ODBC. We are using SQLA 14.01.00.01, tdwallet 14.00.00.05 and Teradata.Net 14.00.00.01
Hi Shawn,
How many character could we use as item name and item value.
Thanks
-jeffry
response to an incident: Teradata Wallet presently is not supported by the .NET Data Provider
Jeffry,
You asked:
How many character could we use as item name and item value.
Execute:
tdwallet help limits
to see the implementation limits for Teradata Wallet.
Thanks!
-shawn :-)
Hi Jeffry,
You asked:
The process of iterative substitution, it would be a infinite loop or not?
I have add item like this:
./tdwallet add abcd -> $tdwallet(efgh)
./tdwallet add efgh -> $tdwallet(abcd)
What is the real password when i running -w $tdwallet(abcd).
It appears that you added a circular reference to your wallet; I suggest avoiding this. :-)
At present this could result in Teradata CLIv2 hanging in an infinite loop. There is an open issue to detect this scenario (CLAC-28850).
Thanks!
-shawn :-)
Hi JerryZott,
You asked:
Is there a way to pass the "password" or other encrypted text to the 'add' or 'addsk' command?
On Unix systems, the tdwallet tool reads security sensitive information from the terminal device. It is possible to use the expect tool (see http://en.wikipedia.org/wiki/Expect) to pass this information to the tdwallet tool.
Thanks!
-shawn :-)
Hi Scaster,
You wrote:
does anyone have instructions for how to reference a wallet string from within a TPT script? I have tried several variations on the syntax used for bteq without success.
Specifically, the TPT script in the DDL operator, for example, requires a value for UserPassword:
DEFINE OPERATOR DDL_OPERATOR
TYPE DDL
ATTRIBUTES
(
VARCHAR PrivateLogName = 'ddl_log',
VARCHAR TdpId = @jobvar_tdpid,
VARCHAR UserName = @jobvar_username,
VARCHAR UserPassword = @jobvar_password,
VARCHAR WorkingDatabase = @jobvar_working_database,
VARCHAR ARRAY ErrorList = ['3807','3803','5980']
);
How can I replace that file or command-line provided @jobvar_password with a tdwallet reference?
In your operator definition, you could replace:
VARCHAR UserPassword = @jobvar_password,
with:
VARCHAR UserPassword = '$tdwallet(password_proddev)',
Alternatively, you could change your job variables file from having something like:
jobvar_password = 'UR1geek2B'
to instead contain:
jobvar_password = '$tdwallet(password_proddev)'
Or, if you are used to specifying this on the command line like:
tbuild -f weekly_update.tbr -u "jobvar_password = 'UR1geek2B'"
you could instead use:
tbuild -f weekly_update.tbr -u "jobvar_password = '\$tdwallet(password_proddev)'"
Hope it helps!
-shawn :-)
Hi Shawn,
Can the TDWallet be used from within a .bat ?
I need to invoke Selector.exe (for use in TVA).
By Example:
PROMPT $T$G
@ECHO **********************************************
SET PATH_TVA=C:"\Program Files\NCR\Teradata Value Analyzer 3.0"
SET JOB=RNCP
@ECHO **********************************************
@ECHO * MODULO SELECTOR *
@ECHO **********************************************
C:
CD %PATH_TVA%
Selector.exe UserID=tva_usr Password=tva_psw RunGroupId=14 Resume=NO
Regards.
Dixxie wrote:
Can the TDWallet be used from within a .bat ?
As mentioned in the Notes above, any application that initiates logon processing using Teradata CLIv2 for Network-Attached Systems (14.0 or later) can utilize Teradata Wallet. Whether this application is executed directly or from a script is irrelevant.
I do not know which interface is used by Selector.exe for logon processing.
Does Teradata wallet works on JDBC Connection?
shreya_singh asked:
Does Teradata wallet works on JDBC Connection?
No. At this time, only applications that initiate logon processing through Teradata CLIv2 for Network Attached Systems and Teradata ODBC Driver may utilize Teradata Wallet.
Can tdwallet store non teradata passwords? i have source system that is oracle and when i stored the password in tdwallet, i get invalid/user password error from the odbc driver. if i hardcode the password it works. Is there anyway i can retrieve password string in a variable?
i.e abc=$($tdwallet(mypass))
thanks
madhurao asked:
Can tdwallet store non teradata passwords?
Teradata Wallet stores opaque name-value paris, but access to the value is only available to software that utilizes Teradata Wallet (see the Note and my reply just above your question).
i have source system that is oracle and when i stored the password in tdwallet, i get invalid/user password error from the odbc driver.
I suspect since you are not connecting to a Teradata Database, you are not using the Teradata ODBC Driver.
Is there anyway i can retrieve password string in a variable?
i.e abc=$($tdwallet(mypass))
This would completely defeat the purpose of Teradata Wallet.
Hello,
maybe a stupid question, but... is there a way how to migrate the wallet for a single user between 2 server. Lets say, we have a user user1 on server1 and server2, we create all the entries on server1 with tdwallet addsk and then we want to have all the passwords available for user1 on server2. Do we have to recreate all the entries manually or is there a way to copy the wallet to server2 from server1?
Thanks, GLHF,
Yuri
Duri83 -- It's a good question and I''ll reply as soon as I get the answer. This may vary between platforms, so if you could mention the OS of your servers that would be helpful.
Duri83 asked:
Do we have to recreate all the entries manually or is there a way to copy the wallet to server2 from server1
Due to security concerns, the wallets were not designed to be portable. At this time all the entries have to be recreated manually.
Hi Shawn,
I am unable to login through BTEQ using TDwallet from my windows system.
These are the steps that i have used
C:\Users\299164>tdwallet
Use the "help" command to get help.
tdwallet> add b45
Enter desired value for the item named "b45":
Item named "b45" added.
tdwallet> exit
C:\Users\299164>bteq
Teradata BTEQ 14.10.00.00 for WIN32.
Copyright 1984-2013, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logmech LDAP
.logmech LDAP
Teradata BTEQ 14.10.00.00 for WIN32. Enter your logon or BTEQ command:
.logon fsltdtest2/b44057,$tdwallet(b45);
.logon fsltdtest2/b44057,$tdwallet(b45);
*** Error: Invalid logon!
Teradata BTEQ 14.10.00.00 for WIN32. Enter your logon or BTEQ command:
.logon fsltdtest2/b44057,tdwallet(b45);
.logon fsltdtest2/b44057,tdwallet(b45);
*** Error: Invalid logon!
nipunm - BTEQ does not allow the user's password to be entered on the same line as the .logon command in interactive mode.
MaxG: thanks for the answer
Can the Wallet be used with the Teradata OleLoad utility and if so how?
thompsonhab asked:
Can the Wallet be used with the Teradata OleLoad utility and if so how?
I'm not familiar with that utility, but based on the name I'm guessing it uses ODBC for the actual connection. If so, you'd use it the same way as any other ODBC connection.
Hello,
Could you suggest how we can view the wallet details
e.g. I have saved a password for TDPROD string I need to see the password by list I can see all my strings but not the password values.
Thanks,
Geeta A. Gwalani
Geeta -- if you try an invalid subcommand with the tdwallet tool, it'll print a list of all supported subcommands. One of those is the answer.
Hello,
I have an administrator user that register five WALLET.
Cai i share this wallet with other user?
Fo example:
User "Scott" add WALLET "US_GROUP" and register US_GROUP password.
Can User "Paul" connect with:
.logon proddev/US_GROUP,$tdwallet(US_GROUP)
Or each user must register their WALLET.
Hi All,
I am unable to use td wallet in Windows command line - I have TD Wallet 14.00.00.05 and running Win 7 32bit.
I am using cmdline tool for Aster db act or ncluster_loader and I am passing password as cmd line argument, but none of this works:
... -w "$tdwallet(key)"
... -w \"$tdwallet(key)"
... -w $tdwallet(key)
... -w \$tdwallet(key)
On linux cmd line this is working: ... -w \"$tdwallet(key)"
Could you please help?
Regards,
Michal
Hello,
Will tdwallet loose passwords that were stored if server restarts? We found issue issue when server restarts all userid's and passwords enterd in tdwallet were lost.
This appears to be inactive. No responses.
gbendinelli asked:
I have an administrator user that register five WALLET.
Cai i share this wallet with other user?
I don't know what your example means or what application you are using, but wallets cannot be shared between users, as that would be a serious security vilation.
mm250136 asked:
I am using cmdline tool for Aster db act or ncluster_loader and I am passing password as cmd line argument
I can't help with this, because I don't provide support for Aster. Please contact your support team or open an incident.
krrish said:
Will tdwallet loose passwords that were stored if server restarts? We found issue issue when server restarts all userid's and passwords enterd in tdwallet were lost.
Teradata Wallet should not lose passwords on restart. Your question is not precise enough for me to determine exactly what happened. Please open an incident so we can get more information and resolve it.
Rbar -- this is active, but because I don't get any notifications, I only visit here once or twice a month.
If you need immediate assistance, please follow the usual support channels.
What is the TD Wallet limits on the number of passwords can be store. If any know performance issues with high number of registered password (Eg, 10k's of passwords)?
chiran54321 asked:
What is the TD Wallet limits on the number of passwords can be store. If any know performance issues with high number of registered password (Eg, 10k's of passwords)?
There is no predetermined limit for the number of items that can be stored in a wallet. There are no known performance issues with a large number of wallet items. To find out about other limits imposed by Teradata Wallet, execute:
tdwallet help limits
Hi Shawn,
What is change in TD wallet 15.0? I have installed 15.0 in windows and I can not see options to set, change or forget the wallet password. I am not sure if it was removed in 15.00 or it is not applicable for windows. I would like to get a change summary.
Thanks,
Gyanendra
There were no changes in this area in 15.0.
Generally, any notable changes can be found in the TTU Release Definition document or in the readme files that accompany the package.
I was asked to look at the wallet for some projects in the my company...
One of the first questions that popped up is " Is the wallet portable? or is it really more like a locker? "
Okay so what is meant my this, is can we create central wallets in one location and take move them from machine to machine for a user? or are they only good in one location?
Think of it this way.. My wallet is something I carry around, from store to store and purchase things when needed.
Lockers that I use stay at the location where they are accessed and used.. e.g. Gym, School, work, etc.
If they are not portable, is there a way to backup and restore them on another machine?
xytwan asked:
Is the wallet portable?
You are correct, it is more like a locker than a wallet. The wallet was not designed to be portable as one of many security measures.
We are aware that this poses a problem for some use cases. You may open an incident with our support organization with a detailed description of your concerns, use cases, and desired behavior. In the incident, please reference this commend and ask the support team to contact engineering. We'll try to address this if an alternative solution is provided in the future.
Are there any other parameters like $(tdpid) that can be used? I have a number of different IDs that I use and was wondering if there was something like $(username)? I could then have a mechanism default that would be '$(username)_$(tdpid)'. I could then use the same password string "$tdwallet" and only change the username and/or tdpid in the .logon tdpid/username,$tdwallet to access the different IDs.
JerryZott -- this was envisioned in the design, but has not been implemented However, I think there's a simple workaround, you would just have to use the '$tdwallet(something)' keyword instead of '$tdwallet' (without something). Instead of asking Teradata Wallet to replace the $(username) keyword with the username provided earlier in the logon string, you could just supply that username twice:
tdpid/username,$tdwallet(username_$(tdpid))
Since you've already exposed the username in your script once, adding it a second time does not raise additional security concerns.
If you also hid the username in your wallet, you could try nested keywords:
tdpid/$tdwallet(usr1),$tdwallet($tdwallet(usr1)_$(tdpid))
Just make sure that all the open parentheses and dollar signs are properly escaped, if necessary, as discussed above.
I am trying to use Tdwallet in our enterprise scheduler (ESP) jobs to run our teradata jobs and the scheduler launches these jobs from a Linux slice (client). The ESP uses a non-interactive user id (Usr1) on the linux slice to launch these jobs and Usr1 doesn't have any password on the linux slice.
I know we can create wallet entries for an interactive user and invoke the wallet passwords through a bteq script. I would like to find out how to create wallet entries for the non-interactive client user?
As showm below, I can only "su - " to the Usr1, but the user doesn't switch to Usr1 and cannot create wallet entries for this Usr1.
[root@Linux1 ~]# su - Usr1
[root@Linux1 ~]# pwd
/root
[root@Linux1 ~]
My basic question is ,can we create wallet entries for non-interactive client ids? If so, how can we do it.
Any help would be appreciated.
paluvayi -- there's a difference between a user with no password and a user with no shell access, but this is not my area of expertise. I think the command you want to use after "su" is "whoami", not "pwd". If Usr1 is the effective user, you should be able to create wallet entries. I suspect you should use "tdwallet addsk" instead of "tdwallet add" command. For more info, see
tdwallet help security
If Usr1 is not the effective user, you could try using the expect tool (mentioned in a comment above) to create wallet entries.
need help in setting up TDWallet.
1. I have installed TDWallet and was able to add item name with value to it.
2. When I tried to refer to this wlet item from "SQL Assistant" it is throwing me following error.
The Teradata Wallet software is not installed
(the HKEY_LOCAL_MACHINE\Software\Teradata\CLient\Teradata Wallet registry key does not exist)
Another question is, I have some mload scripts on windows server which are executed on TDServer by SSIS packages. How can I use my wallet on the mloads used by these ssis packages.
Please let me know if I am missing anything.
Thanks,
P
sptdata said:
The Teradata Wallet software is not installed
(the HKEY_LOCAL_MACHINE\Software\Teradata\CLient\Teradata Wallet registry key does not exist)
Please make sure you installed the correct Windows package (32-bit or 64-bit). I would also make sure you have the latest available efixes of all Teradata client software from the same release, just in case this issue has already been fixed. If this doesn't help, please open an incident with GSC.
I have some mload scripts on windows server which are executed on TDServer by SSIS packages. How can I use my wallet on the mloads used by these ssis packages.
I don't know anything about SSIS. It sounds like you are executing mload on Teradata DBS nodes. I am hoping this was a conscious decision and you understand the potential impact on server performance. Having said that, you can certainly install Teradata Wallet on the same Teradata DBS nodes where mload executes. You would have to determine under which OS user mload is executed and add wallet entries for that user (on every node). If this doesn't answer your question, please open an incident with GSC.
All,
My client want to implement TDWallet agaist TD 13.10.
If they upgrade TTU to 14.10 and install TDWallet 14.10 against Teradata 13.10 database, would it work or does we need to upgrade dataabase to TD14.0 or above ?
In my understanding, all TTU ulities are backward compatable (which means TTU 15.00 can work with TD13.00)
Thanks.
shaunkim1123 -- a document titled Teradata Tools and Utilities Release Definition (B035-2029) is available at www.info.teradata.com. If you scroll down to the section describing Teradata Wallet, you will find a sub-section titled Supported Teradata Database Versions. There you will find that Teradata Wallet 14.10 supports Teradata Database 13.10.
I imagine your client will need to use a CLIv2 or ODBC-based utilities in order to utilize Teradata Wallet. You should also check the Release Definition document to make sure that each of those utiliities also supports Teradata Database 13.10. I suspect that they all do, but there may be exceptions or discontinued products.
Thanks Shawn for the article & MaxG for answering the queries by all the Forum Members. These answers clearly enhance the understanding of Wallet especially concerning portability, Unix/Linux & Windows differentiated appraoch, limitations, curious case of infinite loop etc.
-Smarak
Hello Shawn & MaxG,
03 Questions concerning TD Wallet:
(a) The "list" command will show the item names only, not the item values. Any way for a user to see the item names and item values also in his/her own wallet.
(b) When a User change the password from "Old_Value" to "New_Value" (Eg: 90 Days Password Expiry for most Business Users), do they need to delete the corresponding entry from their TD Wallet and update the new values by adding the same.
(c) Any "Update" feature available instead of "Deleting & Adding" for changing the Item Value corresponding to a Item Name.
(d) In Batch Or Interactive Mode, I noticed the "tdwallet" keyword needs to be provided in small letters only. Teradata considers Password case insensitive. But while using TDWallet, I noticed getting Failed Login,Password,Account Error when the "tdwallet" keyword is Capital. Bit of an irony as I have always liked this case insensitivity of Teradata Password.
Thanks In Advance,
Smarak
Smarak -- thank you for the feedback. Here are the answers you seek:
(a) No, as that would defeat the purpose of Teradata Wallet.
(b) Yes. We are aware that this is not optimal, but there are no other solutions at time time.
(c) No. Trying to keep it simple.
(d) The password in the logon command is not necessarily the Teradata Database password -- it could be a case-sensitive third-party sign-on password (like LDAP or Kerberos).
Hello Shawn & MaxG,
I have tried to use tdwallet with our job scheduling software IBM TWS (Maestro) using Windows server.
Running a bteq script interactively tdwallet works fine.
Running the same script using tws I get the following error message:
*** CLI error: CLI2: TDWALLETERROR(543): Teradata Wallet error. The wallet does not contain an item named "pwd_for_autccp_admin".
*** Return code from CLI is: 543
*** Error: Logon failed!
Unfortunately I don’t know a possibility to add a password in tdwallet by using a batch program or to retrieve the user which tdwallet is using.
To get the sid and username I added the command .os whoami /user to the bteq script.
I get in both scenarios (interactive and batch) the same result. Either username and sid.
The last test I made was creating the password list by using the user which is used by tws. That test also failed.
Any ideas?
Wolfgang -- you can use the Expect tool (mentioned in the comments above) to add entries to the wallet.
The Teradata Wallet user should be the same as the BTEQ user. Wallet entries on Windows are just generic user credentials with Enterprise persistence -- they can be listed (but not added or modified) using the Credential Manager. The only thing I can think of is that the script executes under the same account but on a different system, and for some reason the credentials did not sync up. Maybe the user needs to log out and then log in on that system. I would try ".os hostname" and ".os tdwallet list" in both scenarios.
Hi MaxG,
As mentioned we use a Windows Server. I could not find a Windows tool (Expect one for 999$) to download. Do you have a link where I can download Expect for Windows?
A non interactive mode to generate the wallet entries would be very helpful. The security would not be worse than using Expect.
Regarding “different system”:
It is the same virtual computer and the same user. The difference is that I start the first test with cmd.exe and the second with a service running with the same user.
I tried several logins.
I get the same result for ".os hostname" and “.os whoami /user”.
Tdwallet list returns in the first test the complete list. The second test returns an empty list. I would need a parameter for tdwallet which returns the user because .os whoami/user is obviously not the right choice.
Thanks Wolfgang
Wolfgang - Expect is free open source. You can download the source and build it yourself. Also it looks like there's a free community edition of ActiveTcl, which should contain an Expect executable (I haven't verified this).
I would imagine that the user executing tdwallet is the same as the user executing the whoami command. There is no parameter for tdwallet to return the effective user. My guess is that the service is not running with the same permissions as the regular user account. It may be missing some privileges and can't access the credential storage. Please open an incident with GSC if you need me to pursue this further, although I suspect this is a Windows account management issue, not a Teradata Wallet issue.
Hello Shawn and MaxG,
I´m facing the issue bellow: (tdwallet.log)
wallet destructor RETURNS (tid=0x00000001)
EXCEPTION Teradata_TdWallet::TdWalletException thrown, what="Attempt to add the data file failed beacause the data file is full. (database or disk is full)" (wallet=0x200CC460. tid=0x00000001)
I thought tdwallet would create some kind of temporary file from tdwallet info and I checked my disk space, and there´s a lot of free space.
So, the question is: what its cause ?
Any tips would be very welcome!
Tks!
mceoni -- how many wallet entries were you able to add for this user? You can get the info on the limits by executing "tdwallet help limits", as mentioned a few times in the comments above.
The only way to get that exception should be if the user's wallet file (or disk) was full, just like the message says. The wallet file should be capable of containing a very high number of entries, so filling the file is not trivial. Perhaps there's some kind of other disk space quota you've ran into, or the free space you checked is not on the same disk as where the wallet file is located. If you can't figure it out, please open an incident with GSC so we can take a closer look.
Hi guys,
I have the same scenario that "mceoni" posted before. I'm getting the message below from TPT:
**** 10:25:17 TPT10507:
CLI Error 543: CLI2: TDWALLETERROR(543): Teradata Wallet error. Attempt
to add to the data file failed because the data file is full. (database
or disk is full)
and various messages like below from tdwallet.log:
EXCEPTION Teradata_TdWallet::TdWalletException thrown, what="Attempt to add to the data file failed because the data file is full. (database or disk is full)" (wallet=0x20907AA0,tid=0x00000001)
Everything was running ok, and suddenly applications started to fail with these errors. It seems some file got full. But how to fix that? Databases involved have enough space. I do can validate all tdwallet string connections through BTEQ. They are all fine.
I have opened an incident with Teradata but got no answers..
Thanks!
Lizarb -- I found your incident (it didn't make its way to me yet, so I asked to have it escalated).
Could you please check if your temporary directory or partition is full or nearly full? That may also trigger the exception. Please use the incident to provide the answer -- I will communicate with you through our support team.
I just realized that in an earlier comment I provided a bad example for hiding a username in the wallet:
tdpid/$tdwallet(usr1),$tdwallet($tdwallet(usr1)_$(tdpid))
This is wrong, because the item name would have to include the contents of $tdwallet(usr1), thus exposing the username. If the intention is to hide the username, the correct answer would be something like the following:
tdpid/$tdwallet(usr1),$tdwallet(usr1_$(tdpid))
which does not require the use of nested keywords.
Hello - Thanks for the wonderful article. I am getting the error "The logmech string exceeds the length limit. The maximum length is 8" when I try to run a fast export job. Below are the login info and the TD Wallet entry.
.logon tdpid/bakthro,$tdwallet # fast Export login
com.teradata.TD2 -> $td_wallet(testpw).
testpw -> P@$sw0rd
I don't get this error, when I do the same in a bteq script.
Also, when I use the below.
.logon tdpid/$tdwallet(user),$tdwallet(password) # Fastexport logon
I get the below error. This too works well in bteq.
**** 15:17:26 UTY1006 CLI error: 303, CLI2: BADLOGON(303): Invalid logon
string .
Thanks
Roopalini
I figured out the reason for the second issue- CLI2: BADLOGON(303): Invalid logon
string . I just missed a semi colon. Could I get the reason and work around for the first error - "The logmech string exceeds the length limit". It works in bteq and not in fast export.
Roopalini -- there is an invalid underscore in one of your keywords -- "$td_wallet(testpw)". But that would not cause the logmech string error. The logmech string error doesn't have anything to to with Teradata Wallet -- it is reporting that your .logmech command is invalid. If you can't resolve this, please open an incident.
Hi,
I'm new to tdwallets. Was wondering if tdwallets work on linux odbc? R14.00.
Using $tdwallet(mydev1) at the password prompt. Same tdwallet works with bteq. And same password works with ODBC when not using tdwallets.
Enter Data Source Name: devpridsn
Enter UserID: myid1
Enter Password:
Connecting with SQLConnect(DSN=devpridsn,UID=rssabdev1,PWD=*)...
adhoc: (SQL Diagnostics) STATE=28000, CODE=4294959279, MSG=[Teradata][ODBC Teradata Driver][Teradata Database] The UserId, Password or Account is invalid.
ODBC connection closed.
JohnE
ndbajde - it's "tdwallet" not "tdwallets". Teradata ODBC Driver 14.0 works, just make sure you are using the latest efix.
Regarding Portability? How feasibile would it be to populate the wallet on one linux server and then copy the config and wallet files to other servers? What are all of the files that must be copied?
Hi Butchex,
As one of many security measures, the wallet was designed to be non-portable. We are aware that this poses a problem for some use cases. If this does not meet your needs, please open an incident with our support organization with a detailed description of your concerns. In the incident, please reference this comment and ask the support team to contact engineering.
Thanks!
-shawn :-)
Hi,
We have been successful in using tdwallet with CLI below, however cannot get same to work in ODBC.
.logon usps11/$tdwallet(u),$tdwallet(p)
What we are using to test ODBC below does not work. Howevever if we put in the actual User Name it does. TTU15.00 on Susie Linux. What are we missing?
/opt/teradata/client/current_TTU/odbc_64/samples/C/adhoc -c SQLConnect -d devpridsn -u "\$tdwallet(u)" -p "\$tdwallet(p)"
JohnE
Hi John -- this appears to be a problem in either adhoc application or the Teradata ODBC Driver. I think you or someone from your organization has already opened an incident. It is being researched.
Hello Shawn, We are running teradata 14.10. I installed tdwallet 14.10 on a linux server. I logged as user 'admin' to the system and added an item to the wallet successfully. This might be a silly question. Is the name of my wallet 'admin' (same as the username) ?
Is there a command to name the wallet with any desired name ?
Pls see below.
However when I use it in bteq, logon fails. What am I missing ?
I turned on debugging but a log wasn't generated.
admin@hostname:~>:~> TDWALLET_DEBUG_FILE=tdwallet.log
admin@hostname:~>:~>:~> export TDWALLET_DEBUG_FILE
admin@hostname:~> bteq
Teradata BTEQ 14.00.00.09 for LINUX.
Copyright 1984-2013, Teradata Corporation. ALL RIGHTS RESERVED.
Enter your logon or BTEQ command:
.logon qvcdev/admin,$tdwallet(dbc_dev)
.logon qvcdev/adminusr,$tdwallet(dbc_dev)
*** Error: Invalid logon!
----------------------------
tdwallet add dbc_dev
NOTICE: No password has been established for this wallet.
Enter desired wallet password:
Reenter desired wallet password:
Wallet password established. Remember your wallet password.
Enter desired value for the item named "dbc_dev":
Item named "dbc_dev" added.
------------------------------
Swetha
Swetha,
There is no way to name the wallet file. The wallet can only be accessed by the system user that created it (in your case, that user is admin, so only admin can access the wallet).
The log was not generated, because you are providing invalid input to BTEQ and the wallet access not even attempted -- you can't supply the password on the .logon command this way.
Additionally I suspect you may be confusing the database username with the wallet item name.
Hello Max,
Here is the login command I used in bteq. Please correct me if I am wrong.
.LOGON SYSTEMNAME/DATABASEUSERNAME,$tdwallet(wallet item name)
.logon qvcdev/adminusr,$tdwallet(dbc_dev)
Swetha
Hello - Anybody knows what could cause this? I forgot my original wallet password and tried to use "forgetpwd" option to set a new password. For some reason it is not allowing me to do so.
$ tdwallet forgetpwd
Password forgotten.
$ tdwallet suppwd
Enter wallet password:
ERROR: Password incorrect; please try again
Enter wallet password:
This is for TD14 in AIX environment and any help would be greatly appreciated.
Hi,
Is there any expectation on tdwallet suppot for JDBC?
Thanks.
We plan to introduce a password encryption feature for the Teradata JDBC Driver.
Initially, it will be a separate feature from Teradata Wallet. They may interoperate at some point in the future, but we do not have any plans for that yet.
Got this figured out, I just had to type incorrect passwords 3 times before tdwallet prompted me for a new password. Kind of confusing but got my tdwallet up and going now.
Hi,
If TDWALLET isn't supported; Do we have any other mechanism to securely supply passwords in JDBC connections?
with Regards
Many Java applications such as Eclipse (which Teradata Studio is based on), and many commercial application servers such as WebSphere and WebLogic, provide an encrypted password store for JDBC data source passwords. If you are using one of those products, then your JDBC data source passwords are already protected.
The concern about a lack of stored password protection typically relates to command-line Java applications that may store JDBC data source passwords in cleartext configuration files. To assist those types of applications, encrypted password support is on the product roadmap for the Teradata JDBC Driver.
Hi, I want tdwallet to be supported by .NET provider for Teradata on Windows. Or... any alternative to encrypt password.
Can the Terdata url be substituted by $tdwallet(td_url)?
td_url being tdpid.mycompany.com (it works like this)
so the logon string would look like this:
.LOGON $tdwallet(db_url)/$tdwallet(u),$tdwallet(p);
I get CLI '224' occurred while connecting to the RDBMS when I try to execute the above.
input output putput
Can you help me understand how do we use TDWALLET with LDAP. I am looking for the exact steps.
Hello,
How can I reset my tdwallet password if I lost my current password ?
Swetha
Has anyone tried using tdwallet from a Python script ? Using Teradata ODBC, via pyodbc interface.
Thanks
Hi Shawn and MaxG,
Can we add item in tdwallet using ssh application??
I am trying to add item in tdwallet using ssh. but not able to add it is stucking and not getting any output.
Please look into below for more details:
Administrator@xxxx
$ ./tdwallet.exe
Use the "help" command to get help.
tdwallet> add lokesh ---> this step is not completing
Thanks,
Lokesh
Hi Shawn and MaxG,
I am trying to add item in tdwallet using ssh. but not able to add. it is stucking and not getting any output.
Please look into below for more details:
Administrator@xxxx
$ ./tdwallet.exe
Use the "help" command to get help.
tdwallet> add lokesh --->this step is not completing.
Thanks,
Lokesh
Hi Shawn and MaxG,
can we add item in tdwallet using ssh application??
I am trying to add item in tdwallet using ssh. but not able to add it is stucking and not getting any output.
Please look into below for more details:
Administrator@xxxx
$ ./tdwallet.exe
Use the "help" command to get help.
tdwallet> add lokesh --->this step is not completing
Thanks,
Lokesh