Step 2: Installing JCE Policy File for AES-256 Encryption
Note: This step is not required when using JDK 1.8.0_161 or greater. JDK 1.8.0_161 enables unlimited strength encryption by default.
By default, CentOS and Red Hat Enterprise Linux 5.5 (and higher) use AES-256 encryption for Kerberos tickets. Without the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File, the JDK caps AES keys at 128 bits, so Java services cannot decrypt AES-256 tickets and authentication fails. The policy file must therefore be installed on all cluster hosts as detailed below. Alternatively, the Kerberos instance can be modified to not use AES-256.
To install the JCE Policy file on the host system at the OS layer:
- Download the jce_policy-x.zip.
- Unzip the file.
- Follow the steps in the README.txt to install it.
To use Cloudera Manager to install the JCE policy file:
- Log in to the Cloudera Manager Admin Console.
- Select .
- Click the Re-run Upgrade Wizard and select the option to have Cloudera Manager install the JCE Policy file.
Alternative: Disable AES-256 encryption from the Kerberos instance:
- Remove aes256-cts:normal (and its long alias aes256-cts-hmac-sha1-96:normal, if present) from the supported_enctypes setting in the realm stanza of the KDC's kdc.conf or krb5.conf file.
- Restart the Kerberos KDC and the kadmin server so the changes take effect.
Kerberos generates one key per supported encryption type when a principal is created or its password is changed, so existing principals keep their AES-256 keys after the edit. The passwords of relevant principals, in particular the Ticket Granting Ticket principal (krbtgt/REALM@REALM), may therefore need to be changed (for example with change_password in kadmin) before AES-256 stops being used.
Note: If AES-256 remains in use despite disabling it, it may be because the aes256-cts:normal setting existed when the Kerberos database was created. To resolve this issue, create a new Kerberos database and then restart both the KDC and the kadmin server.
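The following script is an added example, not code from the Cloudera page. It performs the edit described above on a copy of an MIT KDC configuration file: it strips aes256-cts:normal (and the aes256-cts-hmac-sha1-96:normal alias) from supported_enctypes lines only, leaves every other line untouched, and prints the encryption types that remain. The file paths, the realm EXAMPLE.COM and the kdc.conf content are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the Cloudera page): remove AES-256 from the
# supported_enctypes setting of an MIT KDC kdc.conf. All paths and the
# EXAMPLE.COM realm below are assumptions made for the demonstration.

# disable_aes256 IN OUT
# Copy IN to OUT, deleting every aes256-cts:normal or
# aes256-cts-hmac-sha1-96:normal token (plus the whitespace after it)
# from supported_enctypes lines. Other lines are copied unchanged.
disable_aes256() {
  sed -E '/^[[:space:]]*supported_enctypes[[:space:]]*=/ s/aes256-cts(-hmac-sha1-96)?:normal[[:space:]]*//g' "$1" > "$2"
}

# remaining_enctypes FILE
# Print the enctypes the KDC will still generate keys for, one per line.
remaining_enctypes() {
  sed -n -E 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' "$1" \
    | tr ' ' '\n' | grep -v '^$'
}

# write_sample_kdc_conf FILE
# Constructed kdc.conf fragment (not taken from a real cluster).
write_sample_kdc_conf() {
  cat > "$1" <<'EOF'
[kdcdefaults]
 kdc_ports = 88

[realms]
 EXAMPLE.COM = {
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal
 }
EOF
}

# Demonstration on a scratch copy. On a real KDC you would back up the
# live kdc.conf, install the edited file in its place and then restart
# the KDC and kadmin server as described above.
work=$(mktemp -d)
write_sample_kdc_conf "$work/kdc.conf"
disable_aes256 "$work/kdc.conf" "$work/kdc.conf.new"
echo "enctypes after edit:"
remaining_enctypes "$work/kdc.conf.new"
rm -rf "$work"
```

The script edits only supported_enctypes; it does not touch master_key_type or any existing principal keys, so the password-change and database-recreation caveats above still apply after running it.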
To verify the type of encryption used in your cluster:
- For MIT KDC: On the local KDC host, type this command in the kadmin.local or kadmin shell to create a test principal:
kadmin: addprinc test
For Active Directory: Create a new AD account with the name, test.
- On a cluster host, type this command to start a Kerberos session as test:
$ kinit test
- On a cluster host, type this command to view the encryption type in use:
$ klist -e
If AES-256 is being used, output like the following is displayed after you type the klist command (note the AES-256 encryption types on the Etype line; skey is the session key type and tkt the type of the key that encrypted the ticket):

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@Cloudera Manager

Valid starting     Expires            Service principal
05/19/11 13:25:04  05/20/11 13:25:04  krbtgt/Cloudera Manager@Cloudera Manager
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
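The following script is an added example, not code from the Cloudera page. It automates the two checks a cluster host needs for this step: whether the installed JDK permits AES-256 (reported via the key length limit the JDK enforces), and whether the tickets in the current credential cache are AES-256, by parsing klist -e output. It assumes jrunscript is on the PATH (it ships with JDK 8); the klist sample and the EXAMPLE.COM realm are constructed for the demonstration so the parser can run without a KDC.

```shell
#!/bin/sh
# Added example (not from the Cloudera page). Assumptions: jrunscript from
# JDK 8 is on PATH; the klist sample and realm EXAMPLE.COM are constructed.

# Largest AES key length (bits) the installed JDK allows. 2147483647 means
# the unlimited-strength policy is active; 128 means it is not, and Java
# services on this host cannot decrypt AES-256 Kerberos tickets.
jce_max_aes_key_length() {
  jrunscript -e 'print(javax.crypto.Cipher.getMaxAllowedKeyLength("AES"))'
}

# Read klist -e output on stdin and print each encryption type on its own
# line: the comma-separated list after "Etype (skey, tkt):", where the first
# entry is the session key type and the second the ticket key type.
ticket_enctypes() {
  sed -n 's/.*Etype (skey, tkt): *//p' | tr ',' '\n' | sed 's/^ *//'
}

# Succeed (exit 0) when any listed enctype is AES-256, fail otherwise.
uses_aes256() {
  ticket_enctypes | grep -q 'AES-256'
}

# Check the live credential cache of the current user (needs a kinit first).
check_live_ticket() {
  if klist -e | uses_aes256; then
    echo "AES-256 tickets in use: the JCE unlimited policy is required"
  else
    echo "no AES-256 enctype found in the current ticket cache"
  fi
}

# Constructed klist -e output, modelled on the page's sample.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@EXAMPLE.COM

Valid starting     Expires            Service principal
05/19/11 13:25:04  05/20/11 13:25:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC'

# Demonstration on the constructed sample (no KDC needed).
printf '%s\n' "$SAMPLE_KLIST" | ticket_enctypes
if printf '%s\n' "$SAMPLE_KLIST" | uses_aes256; then
  echo "sample ticket uses AES-256"
fi
```

On a real host, run jce_max_aes_key_length with the same JDK the cluster services use (set JAVA_HOME accordingly), since a policy file installed in one JDK does nothing for another; then kinit as the test principal and run check_live_ticket.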
Page generated May 18, 2018.
©2016 Cloudera, Inc. All rights reserved.