Cloudera Docs

Step 2: Install JCE policy files for AES-256 encryption

How to install JCE policy files, if required.

By default, CentOS and Red Hat Enterprise Linux 5.5 (and higher) use AES-256 encryption for Kerberos tickets, so the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be installed on all cluster hosts as detailed below. Alternatively, the Kerberos instance can be modified to not use AES-256.

To manually install the JCE policy files on the host system:
  1. Download the jce_policy-<version>.zip file from the Oracle website.
  2. Unzip the file.
  3. Follow the steps in README.txt to install it.
To use Cloudera Manager to install the JCE policy file:
  1. Log in to the Cloudera Manager Admin Console.
  2. Navigate to Administration > Security.
  3. Click Install Java Unlimited Strength Encryption Policy Files.
  4. Specify the repository location for your version of Cloudera Manager, and click Continue.
  5. Check the box labeled Install Oracle Java SE Development Kit (JDK 8), and then check the box labeled Install Java Unlimited Strength Encryption Policy Files. Click Continue.
  6. Provide cluster host login credentials, and then click Continue.
  7. After the installation completes, click Finish. If the Upgrade Cloudera Manager page displays, you can exit by clicking the Cloudera Manager logo to return to the home page.
Alternative: Disable AES-256 encryption from the Kerberos instance:
  1. Remove any aes256 entries from the supported_enctypes field of the kdc.conf or krb5.conf files.
  2. Restart the Kerberos KDC and the kadmin server so the changes take effect.

The keys of relevant principals, such as Ticket Granting Ticket principal (krbtgt/REALM@REALM), might need to change.

To verify the type of encryption used in your cluster:

  1. For MIT KDC: On the local KDC host, type this command in the kadmin.local or kadmin shell to create a test principal:
    kadmin:  addprinc test

    For Active Directory: Create a new AD account with the name, test.

  2. On a cluster host, type this command to start a Kerberos session as test: 
    kinit test
  3. On a cluster host, type this command to view the encryption type in use: 
    klist -e

    If AES is being used, output like the following is displayed after you type the klist command (note that AES-256 is included in the output):

    Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@Cloudera Manager
Valid starting     Expires            Service principal
05/19/11 13:25:04  05/20/11 13:25:04  krbtgt/Cloudera Manager@Cloudera Manager
    Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC