Before You Begin
In order for Kerberos to run in FIPS 140 mode, you must enable FIPS 140 mode on your system. See Create a Boot Environment with FIPS 140 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.2.
In the [realms] section of the kdc.conf file, set the master key type for the KDC database:
# pfedit /etc/krb5/kdc.conf
...
master_key_type = des3-cbc-sha1-kd
Because you can also set encryption by running a command, the configuration files should prevent the use of a non-FIPS 140 algorithm argument to a command.
supported_enctypes = des3-cbc-sha1-kd:normal
These parameters limit the encryption types for the Kerberos servers, services, and clients.
# pfedit /etc/krb5/krb5.conf
default_tgs_enctypes = des3-cbc-sha1-kd
default_tkt_enctypes = des3-cbc-sha1-kd
permitted_enctypes = des3-cbc-sha1-kd
allow_weak_enctypes = false
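An added example, not part of the Oracle documentation: a shell function that checks the enctype parameters named in this procedure against the one value the page sets. The function name audit_enctypes, the ALLOWED variable and the sample files are assumptions constructed for illustration; parameters that are absent from a file are not reported.

```shell
#!/bin/sh
# Added example (not Oracle tooling): audit Kerberos config files against the
# single enctype this page configures. ALLOWED is an assumption taken from the
# page's values; extend it only in line with your own FIPS 140 policy.
ALLOWED="des3-cbc-sha1-kd"

# audit_enctypes FILE...: print one line per finding; return 1 if any.
audit_enctypes() {
    awk -v allowed="$ALLOWED" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^[ \t]*[#;]/ { next }                       # comment lines
    {
        eq = index($0, "="); if (eq == 0) next
        key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/[ \t]/, "", key)
        if (key == "allow_weak_enctypes") {
            gsub(/[ \t]/, "", val)
            if (val != "false") {                # strict: the page sets "false"
                print FILENAME ":" FNR ": allow_weak_enctypes = " val; bad = 1
            }
        } else if (key ~ /^(master_key_type|supported_enctypes|default_tgs_enctypes|default_tkt_enctypes|permitted_enctypes)$/) {
            m = split(val, t, /[ \t,]+/)         # lists may use spaces or commas
            for (i = 1; i <= m; i++) {
                e = t[i]; sub(/:.*/, "", e)      # drop salt suffix such as :normal
                if (e != "" && !(e in ok)) {
                    print FILENAME ":" FNR ": " key " lists " e; bad = 1
                }
            }
        }
    }
    END { exit (bad ? 1 : 0) }' "$@"
}

# Constructed sample files (not from a real system).
d=$(mktemp -d)
printf '%s\n' '[realms]' ' master_key_type = des3-cbc-sha1-kd' \
    ' supported_enctypes = des3-cbc-sha1-kd:normal' > "$d/kdc.conf"
printf '%s\n' '[libdefaults]' ' default_tgs_enctypes = des3-cbc-sha1-kd' \
    ' permitted_enctypes = des3-cbc-sha1-kd arcfour-hmac-md5' \
    ' allow_weak_enctypes = true' > "$d/krb5.conf"
audit_enctypes "$d/kdc.conf" && echo "kdc.conf: ok"
audit_enctypes "$d/krb5.conf" || echo "krb5.conf: findings above"
```

On a configured system, run the function against /etc/krb5/kdc.conf and /etc/krb5/krb5.conf after editing them; a non-zero return means at least one parameter names an enctype outside ALLOWED.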
Troubleshooting