The Kerberos client installs as the package pkg:/service/security/kerberos-5, and the KDC manager as the package pkg:/system/security/kerberos-5. As the Kerberos administrator, you are responsible for enabling Kerberos servers, the Kerberos database, and Kerberos clients to use the FIPS 140 algorithm that is validated for Oracle Solaris.
Several Kerberos configuration files specify the encryption types to use for the KDC database and Kerberos clients. To satisfy FIPS 140 requirements, you must specify the des3-cbc-sha1 encryption type. This type is not the default.
To limit all transactions to des3-cbc-sha1, you specify that the KDC and Kerberos clients accept that mechanism only.
In the [realms] section of the /etc/krb5/kdc.conf file, set the master key type for the KDC database:
master_key_type = des3-cbc-sha1-kd
Because you can also set encryption by running a command, the configuration files should prevent the use of a non-FIPS 140 algorithm argument to a command.
supported_enctypes = des3-cbc-sha1-kd:normal
In the [libdefaults] section of the /etc/krb5/krb5.conf file, limit the encryption types:
default_tgs_enctypes = des3-cbc-sha1-kd default_tkt_enctypes = des3-cbc-sha1-kd permitted_enctypes = des3-cbc-sha1-kd
For clarity, explicitly forbid weak encryption types:
allow_weak_enctypes = false
For configuration examples, see Chapter 4, Configuring the Kerberos Service, in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 .
See also:
kdc.conf(4) and krb5.conf(4) man pages
kdb5_util(1M), krb5kdc(1M), and kdcmgr(1M) man pages