Removing AES-256
Steps to remove AES-256 settings.
If you do not use AES-256, you must remove the AES-256 settings as an allowed cipher for each Kerberos principal and then regenerate the keys for the krbtgt principal.
Prerequisites
Procedure
Remove AES-256 settings in one of the following ways:
- If you have not created the principals, use the -e flag to specify encryption:salt type pairs. For example: -e "arcfour-hmac:normal des3-hmac-sha1:normal".
- If you have already created the principals, modify the Kerberos principals using the -e flag as described above and then recreate the keytab file.
Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the supported_enctypes variable for the realm in which the DataStax Enterprise nodes are members. Then change the keys for the krbtgt principal.
Note: If the KDC is used by other applications, changing the krbtgt principal's keys invalidates any existing tickets. To prevent this, use the -keepold option when executing the change_password command. For example:
'cpw -randkey -keepold krbtgt/REALM@REALM'
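The kdc.conf edit described above can be scripted as a filter. This is an added example, not part of the original documentation: the function names and the sample realm EXAMPLE.COM are assumptions, and the script only reads stdin and writes stdout.

```shell
#!/bin/sh
# Added example: remove aes256 entries from supported_enctypes in kdc.conf text.
# Reads kdc.conf on stdin, prints the edited text on stdout; modifies no files.
strip_aes256() {
    awk '
    /^[ \t]*supported_enctypes[ \t]*=/ {
        indent = $0; sub(/supported_enctypes.*/, "", indent)   # keep leading whitespace
        value = $0;  sub(/^[^=]*=[ \t]*/, "", value)           # text after the "="
        n = split(value, tok, /[ \t,]+/)                       # space or comma separated
        out = ""
        for (i = 1; i <= n; i++) {
            if (tok[i] == "" || tok[i] ~ /aes256/) continue    # drop any aes256 pair
            out = out (out == "" ? "" : " ") tok[i]
        }
        print indent "supported_enctypes = " out
        next
    }
    { print }
    '
}

# Count enctype entries that still mention aes256 (0 means the file is clean).
count_aes256() {
    awk '/^[ \t]*supported_enctypes[ \t]*=/ {
        n = split($0, tok, /[ \t,=]+/)
        for (i = 1; i <= n; i++) if (tok[i] ~ /aes256/) c++
    } END { print c + 0 }'
}

# Constructed sample for illustration, not taken from a real KDC.
SAMPLE_KDC_CONF='[realms]
    EXAMPLE.COM = {
        supported_enctypes = aes256-cts:normal arcfour-hmac:normal des3-hmac-sha1:normal
        max_life = 10h
    }'

# Run with --demo to print the edited sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KDC_CONF" | strip_aes256
fi
```

Review the filtered output before replacing /etc/krb5kdc/kdc.conf, then change the krbtgt keys as described above.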