Removing AES-256

Steps to remove AES-256 settings.

If you do not use AES-256, remove it from the list of encryption types allowed for each Kerberos principal, then regenerate the keys for the krbtgt principal so that the ticket-granting key no longer has an AES-256 form either.

Prerequisites

These methods require Kerberos 5-1.2 on the KDC.

Procedure

Remove the AES-256 settings in one of the following ways:
  • If you have not yet created the principals, pass the -e flag to addprinc with a list of encryption:salt type pairs that omits AES-256. For example: -e "arcfour-hmac:normal des3-hmac-sha1:normal". (These two types are the example this page uses; both are deprecated in current MIT Kerberos releases, so prefer aes128-cts-hmac-sha1-96:normal where the clients support it.)
  • If you have already created the principals, rekey them with the same -e flag (cpw -randkey -e "..." or ktadd -e "...") and then recreate the keytab file so that the nodes receive the new keys.
    Alternately, you can modify the /etc/krb5kdc/kdc.conf file by removing any entries containing aes256 from the supported_enctypes variable for the realm in which the DataStax Enterprise nodes are members. Then change the keys for the krbtgt principal.
    Note: If the KDC is used by other applications, changing the krbtgt principal's keys invalidates every ticket it has already issued. To prevent this, add the -keepold option to the change_password (cpw) command, which keeps the previous keys so that existing tickets remain valid until they expire. For example:
    cpw -randkey -keepold krbtgt/REALM@REALM
    The old keys, including the AES-256 one, stay on the krbtgt entry until you remove them; once every ticket issued under them has expired, drop them with purgekeys krbtgt/REALM@REALM.
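The procedure above, as an added example (not code from the DataStax page): a POSIX shell script that strips aes256 tokens from the supported_enctypes line of a kdc.conf and prints the kadmin.local commands that rekey the service principals without AES-256, regenerate the keytab, and rekey krbtgt with -keepold. The realm EXAMPLE.COM, the keytab path /etc/dse/dse.keytab and the principal dse/node1.example.com are placeholders, and the sample kdc.conf is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the DataStax documentation.
# REALM, principal names, keytab path and the sample kdc.conf below are
# placeholder assumptions; substitute your own before running.

# Enctype:salt pairs to keep. The page's example list is used as the default;
# both types are deprecated in current MIT Kerberos, so most sites should set
# ENCTYPES="aes128-cts-hmac-sha1-96:normal" instead.
ENCTYPES=${ENCTYPES:-"arcfour-hmac:normal des3-hmac-sha1:normal"}

# strip_aes256_enctypes FILE
#   Prints FILE with every aes256* token removed from each supported_enctypes
#   line. Other lines and the original indentation are left untouched.
strip_aes256_enctypes() {
    awk '
        /^[[:space:]]*supported_enctypes[[:space:]]*=/ {
            split($0, kv, "=")
            n = split(kv[2], toks, /[[:space:]]+/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (toks[i] == "") continue          # empty token from leading blank
                if (toks[i] ~ /^aes256/) continue    # drop aes256-cts-hmac-sha1-96 etc.
                out = out (out == "" ? "" : " ") toks[i]
            }
            match($0, /^[[:space:]]*/)
            print substr($0, 1, RLENGTH) "supported_enctypes = " out
            next
        }
        { print }
    ' "$1"
}

# kadmin_commands REALM KEYTAB PRINCIPAL...
#   Prints one kadmin.local command per step:
#     ktadd -e "<list>" rekeys the principal with only the listed enctypes and
#       writes the new key to KEYTAB (ktadd randomizes the key unless -norandkey),
#     cpw -randkey -keepold rekeys krbtgt while keeping the old keys so tickets
#       already issued stay valid.
#   Review the output, then run it with:  kadmin_commands ... | sh
kadmin_commands() {
    realm=$1; keytab=$2; shift 2
    for princ in "$@"; do
        printf 'kadmin.local -q "ktadd -k %s -e \\"%s\\" %s@%s"\n' \
            "$keytab" "$ENCTYPES" "$princ" "$realm"
    done
    printf 'kadmin.local -q "cpw -randkey -keepold krbtgt/%s@%s"\n' "$realm" "$realm"
}

# Demonstration on a constructed kdc.conf fragment (not a real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[realms]
  EXAMPLE.COM = {
    supported_enctypes = aes256-cts-hmac-sha1-96:normal aes128-cts-hmac-sha1-96:normal arcfour-hmac:normal
  }
EOF
echo "# kdc.conf without aes256:"
strip_aes256_enctypes "$sample"
echo "# kadmin.local commands to run on the KDC:"
kadmin_commands EXAMPLE.COM /etc/dse/dse.keytab dse/node1.example.com
rm -f "$sample"
```

To apply the kdc.conf change, write the filtered output back over the file and restart kadmind; kadmin.local reads kdc.conf directly, so the krbtgt rekey picks up the new list without a restart. After the last ticket issued under the old krbtgt keys has expired, purgekeys krbtgt/REALM@REALM removes the retained AES-256 key.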

What's next

Preparing DSE nodes for Kerberos