Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File
- In the Cloudera Manager Admin Console, navigate to the Hosts page. Both, the Add New Hosts to Cluster wizard and the Re-run Upgrade Wizard will give you the option to have Cloudera Manager install the JCE Policy file for you.
- You can follow the JCE Policy File installation instructions in the README.txt file included in the jce_policy-x.zip file.
Alternatively, you can configure Kerberos to not use AES-256 by removing aes256-cts:normal from the supported_enctypes field of the kdc.conf or krb5.conf file. Note that after changing the kdc.conf file, you'll need to restart both the KDC and the kadmin server for those changes to take affect. You may also need to recreate or change the password of the relevant principals, including potentially the Ticket Granting Ticket principal (for example, krbtgt/EXAMPLE.COM@EXAMPLE.COM). If AES-256 is still used after all of those steps, it's because the aes256-cts:normal setting existed when the Kerberos database was created. To fix this, create a new Kerberos database and then restart both the KDC and the kadmin server.
- On the local KDC host, type this command in the kadmin.local or kadmin shell to create a test principal:
kadmin: addprinc test
- On a cluster host, type this command to start a Kerberos session as the test principal:
$ kinit test
- After successfully running the previous command, type this command to view the encryption type in use:
$ klist -e
If AES is being used, output like the following is displayed after you type the klist command (note that AES-256 is included in the output):
Ticket cache: FILE:/tmp/krb5cc_0 Default principal: test@EXAMPLE.COM Valid starting Expires Service principal 05/19/11 13:25:04 05/20/11 13:25:04 krbtgt/EXAMPLE.COM@EXAMPLE.COM Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC