Before You Begin
For Kerberos to run in FIPS 140-2 mode, you must enable FIPS 140-2 mode on your system. See How to Create a Boot Environment With FIPS 140-2 Enabled in Managing Encryption and Certificates in Oracle Solaris 11.3.
In the [realms] section of the kdc.conf file, set the master key type for the KDC database:
# pfedit /etc/krb5/kdc.conf ... master_key_type = des3-cbc-sha1-kd
Because you can also set encryption by running a command, the configuration files should prevent the use of a non-FIPS 140-2 algorithm argument to a command.
supported_enctypes = des3-cbc-sha1-kd:normal
These parameters limit the encryption types for the Kerberos servers, services, and clients.
# pfedit /etc/krb5/krb5.conf default_tgs_enctypes = des3-cbc-sha1-kd default_tkt_enctypes = des3-cbc-sha1-kd permitted_enctypes = des3-cbc-sha1-kd
allow_weak_enctypes = false
For the encryption types that Kerberos recognizes, see Kerberos Encryption Types on the MIT Kerberos Documentation web site. For the encryption types that OpenSSL provides in FIPS 140-2 mode, see https://csrc.nist.gov/csrc/media/projects/cryptographic-module-validation-program/documents/security-policies/140sp1747.pdf. An encryption type that is both in Kerberos and in the FIPS 140-2 mode of OpenSSL can be used to run Kerberos in FIPS 140-2 mode.