Removing AES-256

If you do not use AES-256, you must first remove the AES-256 settings as an allowed cipher for each Kerberos principal and then regenerate the keys for the krbtgt principal.

Prerequisites

These methods require Kerberos 5-1.2 on the Key Distribution Center (KDC).

Procedure

Remove AES-256 settings in one of the following ways:

  • If you have not created the principals, use the -e flag to specify encryption:salt type pairs. For example: -e "arcfour-hmac:normal des3-hmac-sha1:normal".

  • If you have already created the principals, modify the Kerberos principals using the -e flag as described in the prior example and then recreate the keytab file.

    Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the <supported_enctypes> variable for the realm in which the DataStax Enterprise (DSE) nodes are members. Then change the keys for the krbtgt principal.

    If the KDC is used by other applications, changing the krbtgt principal’s keys invalidates any existing tickets. To prevent this, use the -keepold option when executing the change_password command. For example:

    'cpw -randkey krbtgt/krbtgt/REALM@REALM'

What is Next

Preparing DSE nodes for Kerberos

Was this helpful?

Give Feedback

How can we improve the documentation?

© 2025 DataStax | Privacy policy | Terms of use | Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: +1 (650) 389-6000, info@datastax.com