Go to main content

Managing Kerberos in Oracle^® Solaris 11.4

Exit Print View

» ...Documentation Home » Oracle Solaris 11.4 Information Library » Managing Kerberos in Oracle^® ... » Configuring the Kerberos Service » Configuring KDC Servers » How to Configure Kerberos to Run in FIPS 140-2 ...

Updated: November 2020

Managing Kerberos in Oracle^® Solaris 11.4

Document Information

Using This Documentation

Chapter 1 Kerberos on Oracle Solaris

Chapter 2 Planning for the Kerberos Service

Chapter 3 Configuring the Kerberos Service

Configuring the Kerberos Service

Configuring KDC Servers

How to Install the KDC Package

How to Require Strong Encryption in Kerberos

How to Configure Kerberos to Run in FIPS 140-2 Mode

How to Use kdcmgr to Configure the Master KDC

How to Use kdcmgr to Configure a Slave KDC

Configuring KDC Servers on LDAP Directory Servers

Configuring a Master KDC on an OpenLDAP Directory Server

Configuring a Master KDC on an Oracle Unified Directory Server

How to Mix Kerberos Principal Attributes in a Non-Kerberos Object Class Type on an OpenLDAP Server

How to Destroy a Kerberos Realm on an LDAP Directory Server

Configuring Kerberos Clients

How to Create a Kerberos Client Installation Profile

How to Use a Kerberos Client Profile

How to Use the kclient Utility Without an Installation Profile

How to Join a Kerberos Client to an Active Directory Server

Verifying Kerberos Clients Without a Host Principal

How to Access a Kerberos Protected NFS File System as the root User

How to Configure Automatic Migration of Users in a Kerberos Realm

Configuring Kerberos Network Application Servers

How to Configure a Kerberos Network Application Server

How to Use the Generic Security Service With Kerberos When Running FTP

Configuring Kerberos NFS Servers

How to Configure Kerberos NFS Servers

How to Set Up a Secure NFS Environment With Multiple Kerberos Security Modes

Configuring Delayed Execution for Access to Kerberos Services

How to Configure a cron Host for Access to Kerberos Services

Administering the Kerberos Database

How to Convert a Kerberos Database After a Server Upgrade

Observing Mapping From GSS Credentials to UNIX Credentials

Increasing Security on Kerberos Servers

Restricting Access to KDC Servers

Using a Dictionary File to Increase Password Security

Chapter 4 Users Using Kerberos

Kerberos Glossary

Language:

How to Configure Kerberos to Run in FIPS 140-2 Mode

Before You Begin

For Kerberos to run in FIPS 140-2 mode, you must enable FIPS 140-2 mode on your system. See How to Create a Boot Environment With FIPS 140-2 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.4.

On the master KDC, edit the encryption types for the KDC.
In the [realms] section of the kdc.conf file, set the master key type for the KDC database:
```
# pfedit  /etc/krb5/kdc.conf
...
master_key_type = des3-cbc-sha1-kd
```
In the same file, explicitly forbid other encryption types.
Because you can also set encryption by running a command, the configuration files should prevent the use of a non-FIPS 140-2 algorithm argument to a command.
```
        supported_enctypes = des3-cbc-sha1-kd:normal
```

Edit the encryption types for transactions in the [libdefaults] section of the krb5.conf file.

These parameters limit the encryption types for the Kerberos servers, services, and clients.

# pfedit /etc/krb5/krb5.conf
        default_tgs_enctypes = des3-cbc-sha1-kd
        default_tkt_enctypes = des3-cbc-sha1-kd
        permitted_enctypes = des3-cbc-sha1-kd

In the same file, explicitly forbid weak encryption types.
```
        allow_weak_enctypes = false
```

Troubleshooting

For the encryption types that Kerberos recognizes, see Kerberos Encryption Types on the MIT Kerberos Documentation web site. For the encryption types that OpenSSL provides, see the documentation links at OpenSSL Cryptography and SSL/TLS Toolkit. An encryption type that is both in Kerberos and in the Oracle OpenSSL FOM 1.0 can be used to run Kerberos in FIPS 140-2 mode.

See Also

For information about Oracle OpenSSL FOM 1.0, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.

Copyright © 2002, 2020, Oracle and/or its affiliates.