The .NET Data Provider for Teradata supports two mutually exclusive features for network security: Transport Layer Security (TLS) and .NET TeraGSS. This section describes these features.
If the TLS feature is available on the client and enabled on the Teradata Advanced SQL Engine server, the Data Provider may, depending on the server configuration and the SslMode value as described in the Connection Strategy section below, establish a connection to the TLS/HTTPS port. This port is specified in the HttpsPortNumber connection string parameter and has a default value of 443. All messages between client and server will be encrypted using TLS. This feature is only available with Teradata Advanced SQL Engine 16.20.53.30 and above.
Note: The Data Provider does not check the certificate revocation list during TLS authentication.
While non-TLS connections to the SQL Engine use the port specified in PortNumber, TLS connections use the port specified in HttpsPortNumber. The Data Provider supports multiple versions of the Advanced SQL Engine and cannot tell in advance whether the SQL Engine specified in the DataSource accepts TLS connections. This presents a challenge for establishing connections, because different servers may be listening for connections on different ports. The SslMode connection string parameter controls which port(s) may be used to establish a connection with the server, as described in the table below:
SslMode | Port(s) used to establish the connection |
---|---|
Disable | Only PortNumber (non-TLS) |
Allow | Both ports may be used, with preference given to PortNumber. If the SQL Engine is configured to only accept connections on HttpsPortNumber, the Data Provider may take up to approximately 240ms longer to establish the connection. |
Prefer | Both ports may be used, with preference given to HttpsPortNumber. If the SQL Engine does not support TLS, the Data Provider may take up to approximately 240ms longer to establish the connection. |
Require, Verify-CA, Verify-Full | Only HttpsPortNumber (TLS) |
If the TLS feature is not enabled on the client or the Advanced SQL Engine server, the Data Provider may, depending on the server configuration and the SslMode value as described in the Connection Strategy section above, establish a connection to the non-TLS port. This port is specified in the PortNumber connection string parameter and has a default value of 1025. The features described below may be used for network security when connected to the non-TLS port.
In order to enhance network security during the logon process, the .NET Data Provider for Teradata encrypts logon strings to ensure the confidentiality of passwords transmitted between client applications and the Teradata Gateway. Client applications cannot enable or disable encryption of the logon string. See Connection Overview for more information about the logon process.
The DataIntegrity option allows the application to specify that validation checking should occur for all messages that are transmitted between client and server. The message contents are not encrypted and all messages are compared to what was sent to ensure that data has not been corrupted during transmission. This provides the application with assurance that data corruption has not occurred without incurring the overhead of full data encryption.
Note: For the TD2 authentication mechanism, this option is only supported with Teradata Database 12.0 and above. Specifying DataIntegrity with earlier versions of the Teradata Database will result in a TdException of the form [.NET Data Provider for Teradata] [115027] Session initialization error: unable to execute HELP SESSION. with an InnerException of [Teradata Database] [8028] The LAN message Authentication is invalid.
The DataEncryption option allows the application to specify that all messages should be encrypted prior to being transmitted between client and server. Although security provided by the encryption of transmitted data is desirable, you should not use this feature indiscriminately. Depending on the application you use and the type of session being run, encrypting data may significantly reduce system performance. Users should not encrypt a session unless the value of the security outweighs the potential performance losses.
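The following connection-string audit is an added example, not code from the Data Provider or its documentation. It applies the SslMode table and the non-TLS options described above to report which ports a connection string allows and what protection a non-TLS session would have. It uses only the generic System.Data.Common parser; the key spellings (taken from the parameter names on this page, with spaces ignored), the true/false option values, and the TdTransportAudit name are assumptions, and because this page does not state a default for SslMode, a missing value is flagged rather than guessed.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;
using System.Linq;

static class TdTransportAudit   // hypothetical helper name
{
    // Ports each SslMode may try, in order of preference (true = TLS port), per the table above.
    static readonly Dictionary<string, bool[]> Order =
        new Dictionary<string, bool[]>(StringComparer.OrdinalIgnoreCase)
    {
        ["Disable"] = new[] { false },        ["Allow"] = new[] { false, true },
        ["Prefer"] = new[] { true, false },   ["Require"] = new[] { true },
        ["Verify-CA"] = new[] { true },       ["Verify-Full"] = new[] { true },
    };

    public static List<string> Audit(string connectionString)
    {
        // Generic ADO.NET parser; spaces in keys are dropped so either spelling matches (assumption).
        var parsed = new DbConnectionStringBuilder { ConnectionString = connectionString };
        var kv = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
        foreach (string key in parsed.Keys)
            kv[key.Replace(" ", "")] = Convert.ToString(parsed[key]);
        string Get(string k, string fallback) => kv.TryGetValue(k, out var v) ? v : fallback;
        bool IsOn(string k) => bool.TryParse(Get(k, "false"), out var b) && b; // assumes true/false values

        var findings = new List<string>();
        if (!Order.TryGetValue(Get("SslMode", ""), out var order))
        {
            findings.Add("SslMode is missing or unrecognised; set it explicitly.");
            return findings;
        }
        findings.Add("Ports tried: " + string.Join(", then ", order.Select(tls =>
            tls ? Get("HttpsPortNumber", "443") + " (TLS)" : Get("PortNumber", "1025") + " (non-TLS)")));
        if (order.Contains(true))
            findings.Add("TLS: the provider does not check certificate revocation lists.");
        if (order.Contains(false) && !IsOn("DataEncryption"))
            findings.Add(IsOn("DataIntegrity")
                ? "Non-TLS port possible: messages are integrity-checked but not encrypted."
                : "Non-TLS port possible: only the logon string is encrypted.");
        return findings;
    }

    static void Main()
    {
        // Constructed connection strings; host name and credentials are placeholders.
        foreach (var cs in new[] {
            "Data Source=td.example.internal;User Id=app;Password=placeholder;SslMode=Prefer",
            "Data Source=td.example.internal;User Id=app;Password=placeholder;SslMode=Allow;DataIntegrity=true",
            "Data Source=td.example.internal;User Id=app;Password=placeholder;SslMode=Verify-Full;HttpsPortNumber=8443" })
            Console.WriteLine(cs + "\n  - " + string.Join("\n  - ", Audit(cs)));
    }
}
```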