Using AES-256 Encryption
If you are using CentOS/Red Hat Enterprise Linux 5.6 or higher, or Ubuntu, which use AES-256
encryption by default for tickets, you must install the Java Cryptography Extension
(JCE) Unlimited Strength Jurisdiction Policy File on all cluster and Hadoop user
machines. For JCE Policy File installation instructions, see the README.txt
file included in the jce_policy-x.zip file. For more information, see Java Cryptography Extension (JCE) Unlimited Strength
Jurisdiction Policy File
Alternately, you can configure Kerberos to not use AES-256 by removing
aes256-cts:normal from the
supported_enctypes field of the
kdc.conf or krb5.conf file. After
changing the kdc.conf file, you must restart both the KDC
and the kadmin server for those changes to take affect. You may also need
to re-create or change the password of the relevant principals, including,
potentially the Ticket Granting Ticket principal
(krbtgt/REALM@REALM). If AES-256 is still used after
completing steps, the aes256-cts:normal setting existed
when the Kerberos database was created. To fix this, create a new Kerberos
database and then restart both the KDC and the kadmin server.
To verify the type of encryption used in your cluster:
- On the local KDC host, type this command to create a test
principal:
kadmin -q "addprinc test" - On a cluster host, type this command to start a Kerberos session as
the test
principal:
kinit test - On a cluster host, type this command to view the encryption type in
use:
klist -eIf AES is being used, output like the following is displayed after you type the
klistcommand; note thatAES-256is included in the output:Ticket cache: FILE:/tmp/krb5cc_0 Default principal: test@SCM Valid starting Expires Service principal 05/19/11 13:25:04 05/20/11 13:25:04 krbtgt/SCM@SCM Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
