Remote Password Changing for Teradata

With Remote Password Changing (RPC), secrets can automatically change remote account passwords on a schedule, upon check-in, or explicit user request. The complexity requirements for the password are user-configurable.

Teradata is a performance scaling RDBMS. Teradata Vantage is the on-prem offering (supplied as VMware VMI). Teradata Clearscape is the cloud SaaS offering. Secret Server uses a Teradata-supplied NuGet client, compatible with Teradata v15–v20.

In Teradata RPC, accounts can change their own password, or the password can be changed using privileged credentials.

Prerequisites

Make sure you have:

  • Access to a Teradata database service (Vantage or Clearscape).

  • User credentials to access Secret Server.

  • Heartbeat monitoring and remote password changing enabled in Secret Server.

  • A distributed engine from which to make the connection.

Configuration

  1. Log into Secret Server.

  2. Install a distributed engine onto a site (“Default” for this procedure).

  3. Navigate to Secret Server > All secrets.

  4. Select the Create secret button. The Create new secret popup appears.

  5. Select the TeradataDb account template.

  6. Complete the mandatory fields:

    • Secret name: Give the secret an appropriate name.
    • Datasource Specify the DNS name or the IP address of the Teradata connection.
    • Username: The username of the TeradataDB account.
    • Password: The password of the TeradataDB account.
    • Site: Leave it set to Default for this tutorial.

  7. Select Create Secret. The newly created secret appears automatically, with Last Heartbeat Status set to Pending.

    After a few minutes if the DE is working correctly it will attempt to run a heartbeat and Last Heartbeat Status will change to either Success or Failure.

    In the event of a failure the cause can be searched for in the Heartbeat Log entries. After selecting the correct log entry the error will appear in the popup pane on the right.

  8. A heartbeat has now been performed.

Heartbeats are queued whenever:

  • The secret’s password value is changed manually (to determine if the new password value is valid).

  • An RPC is performed.

  • A user manually clicks the Heartbeat button on the secret's overview page.

The distributed engine processes a heartbeat on a short schedule (<5 min) unless the heartbeat button is selected, causing it to run immediately (within 15 seconds).

Remote Password Changing

Teradata account passwords can be changed through the Remote Password Changing feature in Secret Server. When this feature is enabled and activated the command executes, then a heartbeat is automatically performed. If the heartbeat returns with a successful result the secret is valid.

There are various reasons why a failure might result instead, such as the new password not being accepted due to complexity requirements, or the Teradata database server might be down. In these cases, the cause will show up in the heartbeat log.

  1. Access the secret you created above.

  2. Select the Remote Password Changing tab.

  3. For the RPC / Autochange section, select Edit.

  4. For Change password using set Privileged account credentials.

    If a secret’s password is valid, it can use itself to change its own password. If a secret’s password is not valid, then the secret cannot be used to authenticate in order to perform the password change. Teradata supports changing passwords with a secret that represents a privileged (superuser) Teradata account.

  5. Click no secret selected.

  6. Choose the secret you created previously. The password change command will be run as the privileged user listed here. This allows the RPC to succeed even if the account’s password in the secret is invalid.

  7. Select Save. On the Overview tab, the last heartbeat status becomes Pending again until the RPC completes.

    1. You can skip the wait time by navigating to Settings > Password Change Log.

    2. Select Run RPC Now to launch the process immediately.

      When RPC is complete a banner will briefly appear at the bottom of the page indicating success or failure. If you miss it the result can be seen in the password change log list.