Teradata Wallet (tdwallet) is a facility for storing sensitive or secret information, such as a database user password. It is included in the Teradata client utility tools. Each item stored in tdwallet has two parts: the name of the item, which uniquely identifies it, and the value of the item (the secret).
tdwallet
The tdwallet command can be called directly in Command Prompt (Windows) or in a terminal (UNIX-like systems). The command usage is listed below:
Usage: tdwallet <subcommand> ...
subcommands:
add <name> Add an item with the specified name.
del <name> Delete the item having the specified name.
exit Terminate this interactive session.
list List the names of all items in your wallet.
help [<topic>] ... Output help information for tdwallet.
version Output version information for tdwallet.
topics:
overview tool security encodings limits add del list help version
Add wallet item
USAGE: add <name>
DESCRIPTION:
Adds an item to your wallet. The name of the added item
will be <name>. tdwallet prompts you for the value of the item.
Example:
tdwallet add dbcpwd
Enter desired value for the item named "dbcpwd":
Item named "dbcpwd" added.
The command above adds a wallet item named dbcpwd to Teradata Wallet.
List wallet items
tdwallet list
dbcpwd
Delete wallet items
tdwallet del dbcpwd
Item named "dbcpwd" deleted.
Use tdwallet in other Teradata utilities
In Teradata utilities, use $tdwallet(wallet_item_name) to retrieve the values.
BTEQ interactive mode
In interactive mode, we cannot specify tdwallet directly in the .LOGON statement.
.logon 192.168.119.128/dbc
Password:
Enter the password as $tdwallet(dbcpwd) to log on.
Info: Remember to change the wallet item name accordingly.
BTEQ script file
In a script file, you can specify the password directly in the .LOGON statement.
Create a script file named test.bteq with the following content:
.LOGMECH TD2;
.LOGON 192.168.119.128/dbc,$tdwallet(dbcpwd);
SELECT * FROM DBC.DatabasesV;
.LOGOFF;
Run the script in BTEQ:
bteq < test.bteq
The output looks like the following in my Teradata environment:
BTEQ 16.10.00.02 Sun Dec 27 16:18:41 2020 PID: 12184
+---------+---------+---------+---------+---------+---------+---------+----
.LOGMECH TD2;
+---------+---------+---------+---------+---------+---------+---------+----
.LOGON 192.168.119.128/dbc,
*** Logon successfully completed.
*** Teradata Database Release is 16.10.00.03
*** Teradata Database Version is 16.10.00.03
*** Transaction Semantics are BTET.
*** Session Character Set Name is 'ASCII'.
*** Total elapsed time was 1 second.
+---------+---------+---------+---------+---------+---------+---------+----
SELECT * FROM DBC.DatabasesV;
*** Query completed. 32 rows found. 18 columns returned.
*** Total elapsed time was 1 second.
DatabaseName
---------------------------------------------------------------------------
TD_SYSXML
TDStats
TD_SYSGPL
SYSBAR
SQLJ
SYSLIB
Default
LockLogShredder
tdwm
EXTUSER
External_AP
SystemFe
dbcmngr
TDQCD
SysAdmin
Sys_Calendar
TDMaps
TD_SERVER_DB
Crashdumps
SYSUDTLIB
viewpoint
SYSSPATIAL
SYSUIF
TDPUSER
console
PUBLIC
TD_SYSFNLIB
TD_MS_SAMPLE_DB
DBC
All
SYSJDBC
TestDb
+---------+---------+---------+---------+---------+---------+---------+----
.LOGOFF;
*** You are now logged off from the DBC.
*** BTEQ exiting due to EOF on stdin.
*** Exiting BTEQ...
*** RC (return code) = 0
The script first sets the logon mechanism to TD2, then logs on with the Teradata user and the password (from tdwallet), and then selects all the databases before logging off.
Warning: All users who can log on or su as the tdwallet user can access the tdwallet entries directly, because tdwallet itself is not protected. This is different from a Java keystore or other secret management mechanisms.
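The following added example is not part of the original article. It is a shell function that checks BTEQ script files for .LOGON statements that still carry a literal password instead of a $tdwallet(...) reference. The function name audit_bteq_logon, the sample files and the literal password are constructed for illustration, and the check assumes the password is the field after the first comma of the .LOGON line, as in test.bteq above.

```shell
# Added example: flag .LOGON lines whose password field is a literal rather
# than a $tdwallet(item) reference. Reports file:line only, never the secret.
audit_bteq_logon() {
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (tolower(substr(line, 1, 6)) != ".logon") next
        n = split(line, field, ",")
        if (n < 2) next                      # no password given: BTEQ prompts
        pw = field[2]                        # assumption: field after 1st comma
        gsub(/^[ \t]+|[ \t;\r]+$/, "", pw)   # trim blanks, ";" and CR
        if (pw ~ /^\$tdwallet\([^()]+\)$/) next
        printf "%s:%d: .LOGON has a literal password\n", FILENAME, FNR
        bad++
    }
    END { exit (bad > 0) }
    ' "$@"
}

# Constructed sample scripts: host and item name come from the article,
# the literal password is made up for the demonstration.
demo_dir=$(mktemp -d)
cat > "$demo_dir/wallet.bteq" <<'EOF'
.LOGMECH TD2;
.LOGON 192.168.119.128/dbc,$tdwallet(dbcpwd);
SELECT * FROM DBC.DatabasesV;
.LOGOFF;
EOF
cat > "$demo_dir/literal.bteq" <<'EOF'
.LOGMECH TD2;
.logon 192.168.119.128/dbc,Constructed-Passw0rd;
.LOGOFF;
EOF

if audit_bteq_logon "$demo_dir"/*.bteq; then
    echo "all .LOGON statements use tdwallet"
else
    echo "replace the literal passwords on the lines listed above"
fi
rm -rf "$demo_dir"
```

The function returns a non-zero status when any literal password is found, so it can be used as a gate before scripts are committed or deployed.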