If you do not use AES-256, you must first remove the AES-256 settings as an allowed cipher for each Kerberos principal and then regenerate the keys for the
These methods require Kerberos 5-1.2 on the Key Distribution Center (KDC).
AES-256 settings in one of the following ways:
If you have not created the principals, use the -e flag to specify encryption:salttype pairs. For example:
-e "arcfour-hmac:normal des3-hmac-sha1:normal".
If you have already created the principals, modify the Kerberos principals using the -e flag as described in the prior example and then recreate the
Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the <supported_enctypes> variable for the realm in which the DataStax Enterprise nodes are members. Then change the keys for the
If the KDC is used by other applications, changing the krbtgt principal’s keys invalidates any existing tickets. To prevent this, use the -keepold option when executing the change_password command. For example:
'cpw -randkey -keepold krbtgt/krbtgt/REALM@REALM'
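
A check for the kdc.conf method described above, as an added example that is not part of the original documentation: it parses the [realms] section and reports which realms still list an aes256 entry in supported_enctypes. The sample file contents and realm names are constructed, and the function names are hypothetical.

```python
# Constructed sample kdc.conf; realm names are placeholders, not from the page.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 88

[realms]
    EXAMPLE.COM = {
        max_life = 10h 0m 0s
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
    }
    OTHER.EXAMPLE = {
        supported_enctypes = arcfour-hmac:normal des3-hmac-sha1:normal
    }
"""

def supported_enctypes(conf_text):
    """Return {realm: [encryption:salttype, ...]} from the [realms] section."""
    result, section, realm = {}, None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif section != "realms":
            continue
        elif line.endswith("{") and "=" in line:  # start of a realm block
            realm = line.split("=", 1)[0].strip()
            result[realm] = []
        elif line.startswith("}"):                # end of a realm block
            realm = None
        elif (realm and "=" in line
              and line.split("=", 1)[0].strip() == "supported_enctypes"):
            # Pairs may be separated by whitespace or commas.
            result[realm] = line.split("=", 1)[1].replace(",", " ").split()
    return result

def realms_with_aes256(conf_text):
    """Return {realm: [entries containing aes256]} for realms that still list it."""
    hits = {}
    for realm, pairs in supported_enctypes(conf_text).items():
        aes = [p for p in pairs if "aes256" in p.lower()]
        if aes:
            hits[realm] = aes
    return hits

if __name__ == "__main__":
    for realm, entries in realms_with_aes256(SAMPLE_KDC_CONF).items():
        print(f"{realm}: still lists {' '.join(entries)}")
```

An empty result means no realm in the file lists an aes256 entry; keys that already exist for a principal are not covered by this check.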