Using a FIPS 140 Enabled System in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

Kerberos as a FIPS 140 Consumer

The Kerberos client installs as the package pkg:/service/security/kerberos-5, and the KDC manager as the package pkg:/system/security/kerberos-5. As the Kerberos administrator, you are responsible for enabling Kerberos servers, the Kerberos database, and Kerberos clients to use the FIPS 140 algorithm that is validated for Oracle Solaris.

Examples of Enabling Kerberos in FIPS 140 Mode

Several Kerberos configuration files specify the encryption types to use for the KDC database and Kerberos clients. To satisfy FIPS 140 requirements, you must specify the des3-cbc-sha1 encryption type. This type is not the default.

    To limit all transactions to des3-cbc-sha1, you specify that the KDC and Kerberos clients accept that mechanism only.

  • In the [realms] section of the /etc/krb5/kdc.conf file, set the master key type for the KDC database:

            master_key_type = des3-cbc-sha1-kd

    Because you can also set encryption by running a command, the configuration files should prevent the use of a non-FIPS 140 algorithm argument to a command.

            supported_enctypes = des3-cbc-sha1-kd:normal
  • In the [libdefaults] section of the /etc/krb5/krb5.conf file, limit the encryption types:

            default_tgs_enctypes = des3-cbc-sha1-kd
            default_tkt_enctypes = des3-cbc-sha1-kd
            permitted_enctypes = des3-cbc-sha1-kd

    For clarity, explicitly forbid weak encryption types:

            allow_weak_enctypes = false

For configuration examples, see Chapter 4, Configuring the Kerberos Service, in Managing Kerberos and Other Authentication Services in Oracle Solaris 11.2 .