Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2


Updated: August 2014

How to Configure Kerberos to Run in FIPS 140 Mode

Before You Begin

In order for Kerberos to run in FIPS 140 mode, you must enable FIPS 140 mode on your system. See "Create a Boot Environment with FIPS 140 Enabled" in Managing Encryption and Certificates in Oracle Solaris 11.2.

  1. Edit the encryption types for the KDC.

     In the [realms] section of the kdc.conf file, set the master key type for the KDC database:

         # pfedit /etc/krb5/kdc.conf
         ...
         master_key_type = des3-cbc-sha1-kd

  2. In the same file, explicitly forbid other encryption types.

     Because encryption types can also be selected as an argument to a command, the configuration files must prevent a command from using a non-FIPS 140 algorithm passed in that way.

         supported_enctypes = des3-cbc-sha1-kd:normal

  3. Edit the encryption types for transactions in the [libdefaults] section of the krb5.conf file.

     These parameters limit the encryption types for the Kerberos servers, services, and clients.

         # pfedit /etc/krb5/krb5.conf
         default_tgs_enctypes = des3-cbc-sha1-kd
         default_tkt_enctypes = des3-cbc-sha1-kd
         permitted_enctypes = des3-cbc-sha1-kd

  4. In the same file, explicitly forbid weak encryption types.

         allow_weak_enctypes = false
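The following POSIX sh audit script is an added example, not part of this Oracle document or of Solaris: it checks that kdc.conf and krb5.conf carry the settings from steps 1 through 4 and flags any other enctype. The two sample files it writes are constructed for a stand-alone run, and the handling of the ":salt" suffix assumes the enctype:salt form shown in step 2.

```shell
# Audit the enctype settings that steps 1-4 above put into kdc.conf and
# krb5.conf: every key asked for must be present and name des3-cbc-sha1-kd
# alone (a ":salt" suffix as in supported_enctypes is accepted), and
# allow_weak_enctypes, when asked for, must be exactly "false".
set -f                                    # no globbing while word-splitting
FIPS_ENCTYPE=des3-cbc-sha1-kd
# conf_value FILE KEY: print KEY's value, comments stripped; last one wins.
conf_value() {
    file=$1 key=$2 val=
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        case $line in *=*) ;; *) continue ;; esac
        set -- ${line%%=*}; k=$1              # word-splitting trims blanks
        set -- ${line#*=}
        if [ "$k" = "$key" ]; then val=$*; fi
    done < "$file"
    printf '%s\n' "$val"
}
# check_fips_enctypes FILE KEY...: return 0 only if every KEY is FIPS-only.
check_fips_enctypes() {
    file=$1; shift; rc=0
    for key in "$@"; do
        v=$(conf_value "$file" "$key")
        if [ -z "$v" ]; then echo "FAIL  $key not set in $file"; rc=1
        elif [ "$key" = allow_weak_enctypes ]; then
            [ "$v" = false ] || { echo "FAIL  $key = $v"; rc=1; }
        else
            for et in $(printf '%s\n' "$v" | tr ',' ' '); do   # comma or space list
                [ "${et%%:*}" = "$FIPS_ENCTYPE" ] || { echo "FAIL  $key allows $et"; rc=1; }
            done
        fi
    done
    return $rc
}
# Constructed sample files for a stand-alone run; not real system config.
SAMPLE_DIR=${TMPDIR:-/tmp}/fips-audit.$$; mkdir -p "$SAMPLE_DIR"
cat > "$SAMPLE_DIR/kdc.conf" <<'EOF'
[realms]
    master_key_type = des3-cbc-sha1-kd
    supported_enctypes = des3-cbc-sha1-kd:normal
EOF
cat > "$SAMPLE_DIR/krb5.conf" <<'EOF'
[libdefaults]
    default_tgs_enctypes = des3-cbc-sha1-kd
    default_tkt_enctypes = des3-cbc-sha1-kd
    permitted_enctypes = aes256-cts des3-cbc-sha1-kd   # extra type step 3 forbids
    allow_weak_enctypes = false
EOF
check_fips_enctypes "$SAMPLE_DIR/kdc.conf" master_key_type supported_enctypes
check_fips_enctypes "$SAMPLE_DIR/krb5.conf" default_tgs_enctypes \
    default_tkt_enctypes permitted_enctypes allow_weak_enctypes || echo "krb5.conf: fix step 3"
```

Run it against the real /etc/krb5/kdc.conf and /etc/krb5/krb5.conf after editing them; a non-zero exit means at least one setting still admits an enctype outside the procedure.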

Troubleshooting

See Kerberos Encryption Types.