Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.3

Updated: May 2019

How to Configure Kerberos to Run in FIPS 140-2 Mode

Before You Begin

For Kerberos to run in FIPS 140-2 mode, you must enable FIPS 140-2 mode on your system. See How to Create a Boot Environment With FIPS 140-2 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.3.

  1. On the master KDC, edit the encryption types for the KDC.

    In the [realms] section of the kdc.conf file, set the master key type for the KDC database:

    # pfedit /etc/krb5/kdc.conf
    ...
    master_key_type = des3-cbc-sha1-kd

  2. In the same file, explicitly forbid other encryption types.

    Because an encryption type can also be selected by a command-line argument, the configuration files must prevent a non-FIPS 140-2 algorithm from being accepted that way:

    supported_enctypes = des3-cbc-sha1-kd:normal

  3. Edit the encryption types for transactions in the [libdefaults] section of the krb5.conf file.

    These parameters limit the encryption types for the Kerberos servers, services, and clients.

    # pfedit /etc/krb5/krb5.conf
    default_tgs_enctypes = des3-cbc-sha1-kd
    default_tkt_enctypes = des3-cbc-sha1-kd
    permitted_enctypes = des3-cbc-sha1-kd

  4. In the same file, explicitly forbid weak encryption types.

    allow_weak_enctypes = false
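As an added example that is not part of the Oracle documentation, the following Python checker parses kdc.conf and krb5.conf text and reports any of the four steps above that has drifted (a missing key, an extra encryption type, or allow_weak_enctypes not explicitly false). The allow-list containing only des3-cbc-sha1-kd, the EXAMPLE.COM realm and the sample files are constructed assumptions for the check, not a complete FIPS 140-2 enctype table.

```python
import re
# Allow-list this procedure configures; an assumption for the check, not a full FIPS 140-2 table.
FIPS_ENCTYPES = frozenset({"des3-cbc-sha1-kd"})
# (section, key) pairs whose values must contain only allowed enctypes.
KDC_KEYS = (("realms", "master_key_type"), ("realms", "supported_enctypes"))
KRB5_KEYS = (("libdefaults", "default_tgs_enctypes"), ("libdefaults", "default_tkt_enctypes"),
             ("libdefaults", "permitted_enctypes"))

def parse_conf(text):
    """krb5.conf/kdc.conf text -> {section: {key: value}}; realm blocks are flattened."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif current is not None and line not in ("", "}") and not line.endswith("{"):
            key, sep, value = line.partition("=")
            if sep:
                sections[current][key.strip()] = value.strip()
    return sections

def enctypes(value):  # "enc1:salttype enc2" -> {"enc1", "enc2"}; kdc.conf appends :salttype
    return {item.split(":", 1)[0] for item in value.split()}

def check_fips(kdc_text, krb5_text, allowed=FIPS_ENCTYPES):
    """Return findings (strings); an empty list means both files match the procedure."""
    findings, krb5 = [], parse_conf(krb5_text)
    for conf, keys in ((parse_conf(kdc_text), KDC_KEYS), (krb5, KRB5_KEYS)):
        for section, key in keys:
            value = conf.get(section, {}).get(key)
            bad = sorted(enctypes(value) - allowed) if value is not None else []
            if value is None:
                findings.append(f"[{section}] {key} is not set")
            elif bad:
                findings.append(f"[{section}] {key} allows non-FIPS enctypes: {bad}")
    if krb5.get("libdefaults", {}).get("allow_weak_enctypes", "").lower() != "false":
        findings.append("[libdefaults] allow_weak_enctypes must be explicitly false (step 4)")
    return findings

# Constructed sample files for a self-test, not taken from a real system.
GOOD_KDC = ("[realms]\n EXAMPLE.COM = {\n  master_key_type = des3-cbc-sha1-kd\n"
            "  supported_enctypes = des3-cbc-sha1-kd:normal\n }\n")
GOOD_KRB5 = ("[libdefaults]\n default_tgs_enctypes = des3-cbc-sha1-kd\n default_tkt_enctypes = "
             "des3-cbc-sha1-kd\n permitted_enctypes = des3-cbc-sha1-kd\n allow_weak_enctypes = false\n")
# Drifted copy: an extra enctype in permitted_enctypes and the step-4 line missing.
BAD_KRB5 = GOOD_KRB5.replace(" permitted_enctypes = des3-cbc-sha1-kd\n",
                             " permitted_enctypes = des3-cbc-sha1-kd arcfour-hmac\n"
                             ).replace(" allow_weak_enctypes = false\n", "")
```

Running check_fips(GOOD_KDC, GOOD_KRB5) returns an empty list, while the drifted krb5.conf yields one finding for the extra enctype and one for the missing allow_weak_enctypes line.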

Troubleshooting

For the encryption types that Kerberos recognizes, see Kerberos Encryption Types on the MIT Kerberos Documentation web site. For the encryption types that OpenSSL provides in FIPS 140-2 mode, see https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1747.pdf. Only an encryption type that appears in both lists, that is, one that Kerberos recognizes and that OpenSSL provides in FIPS 140-2 mode, can be used to run Kerberos in FIPS 140-2 mode.