Before You Begin
For Kerberos to run in FIPS 140-2 mode, you must enable FIPS 140-2 mode on your system. See How to Create a Boot Environment With FIPS 140-2 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.4.
In the [realms] section of the kdc.conf file, set the master key type for the KDC database:
# pfedit /etc/krb5/kdc.conf
...
master_key_type = des3-cbc-sha1-kd
Because encryption types can also be selected on the command line, the configuration files should prevent a non-FIPS 140-2 algorithm from being accepted as a command argument:
supported_enctypes = des3-cbc-sha1-kd:normal
These parameters limit the encryption types for the Kerberos servers, services, and clients.
# pfedit /etc/krb5/krb5.conf
default_tgs_enctypes = des3-cbc-sha1-kd
default_tkt_enctypes = des3-cbc-sha1-kd
permitted_enctypes = des3-cbc-sha1-kd
allow_weak_enctypes = false
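As an added example (not part of the Oracle Solaris documentation), the following Python check parses kdc.conf/krb5.conf fragments and reports any enctype setting that falls outside the FIPS 140-2 configuration shown above; the allowed set FIPS_ENCTYPES, the simplified parser (nested realm subsections are not modelled) and the sample fragment are assumptions constructed for this example.

```python
"""Audit Kerberos config fragments against the FIPS 140-2 enctype settings above."""
import re

# Enctypes this page configures for FIPS 140-2 mode (assumption: extend only with
# types supported by both MIT Kerberos and the FIPS module in use).
FIPS_ENCTYPES = {"des3-cbc-sha1-kd"}
# Keys in kdc.conf / krb5.conf whose values are enctype lists.
ENCTYPE_KEYS = {"master_key_type", "supported_enctypes", "default_tgs_enctypes",
                "default_tkt_enctypes", "permitted_enctypes"}

def parse_krb_conf(text):
    """Parse the [section] / key = value layout of krb5.conf-style files into
    {section: {key: value}}. Comments ('#') and blank lines are skipped;
    realm subsections in braces are flattened into the enclosing section."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def fips_violations(text):
    """Return [(section, key, offending value)] for every non-FIPS setting."""
    problems = []
    for section, kv in parse_krb_conf(text).items():
        for key, value in kv.items():
            if key in ENCTYPE_KEYS:
                # supported_enctypes entries carry a ':salt' suffix (des3-cbc-sha1-kd:normal)
                for enctype in (e.split(":", 1)[0] for e in value.split()):
                    if enctype not in FIPS_ENCTYPES:
                        problems.append((section, key, enctype))
            elif key == "allow_weak_enctypes" and value.lower() != "false":
                problems.append((section, key, value))
    return problems

# Constructed sample: a krb5.conf fragment with two settings left in a non-FIPS state.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_tgs_enctypes = des3-cbc-sha1-kd
    default_tkt_enctypes = des3-cbc-sha1-kd arcfour-hmac
    permitted_enctypes = des3-cbc-sha1-kd
    allow_weak_enctypes = true
"""

if __name__ == "__main__":
    for section, key, value in fips_violations(SAMPLE_KRB5_CONF):
        print(f"[{section}] {key}: non-FIPS value {value!r}")
```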
For the encryption types that Kerberos recognizes, see Kerberos Encryption Types on the MIT Kerberos Documentation web site. For the encryption types that OpenSSL provides, see the documentation links at OpenSSL Cryptography and SSL/TLS Toolkit. Any encryption type that both Kerberos and the Oracle OpenSSL FOM 1.0 support can be used to run Kerberos in FIPS 140-2 mode.
For information about Oracle OpenSSL FOM 1.0, see Using a FIPS 140-2 Enabled System in Oracle Solaris 11.4.