
Kerberos - Remove rc4-hmac

Hi,

My security team have asked me to remove rc4-hmac as an encryption type from our Cloudera CDH Kerberos cluster.

At present my krb5.conf lists

default_tgs_enctypes = aes256-cts aes128-cts rc4-hmac
default_tkt_enctypes = aes256-cts aes128-cts rc4-hmac
permitted_enctypes = aes256-cts aes128-cts rc4-hmac


klist -e on a datanode lists

08/03/19 06:49:12  08/03/19 16:49:12  krbtgt/XXX
        renew until 15/03/19 06:49:12, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
08/03/19 06:49:12  08/03/19 16:49:12  impala/XXX
        renew until 15/03/19 06:49:12, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
08/03/19 06:49:12  08/03/19 16:49:12  impala/XXX
        renew until 15/03/19 06:49:12, Etype (skey, tkt): arcfour-hmac, arcfour-hmac


Within Cloudera Manager I have Kerberos Encryption Types set as aes256-cts, aes128-cts, rc4-hmac

Java -version shows

java version "1.8.0_162"
Java(TM) SE Runtime Environment (build 1.8.0_162-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.162-b12, mixed mode)


Am I correct in thinking I can just remove the rc4-hmac within cloudera manager and restart the cluster without any problems?
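
An added example, not part of the original post: a small parser for `klist -e` output like the listing above that reports every ticket whose session key or ticket encryption is still RC4, which is the usage to account for before the enctype is removed. The principal and realm names in the sample are constructed placeholders, and the function names are hypothetical.

```python
import re
import sys

# Constructed sample, modelled on the `klist -e` output in the post
# (principals and realm are placeholders, not values from the cluster).
SAMPLE = """\
Valid starting       Expires              Service principal
08/03/19 06:49:12  08/03/19 16:49:12  krbtgt/EXAMPLE.COM@EXAMPLE.COM
        renew until 15/03/19 06:49:12, Etype (skey, tkt): arcfour-hmac, aes256-cts-hmac-sha1-96
08/03/19 06:49:12  08/03/19 16:49:12  impala/host1.example.com@EXAMPLE.COM
        renew until 15/03/19 06:49:12, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
08/03/19 06:49:12  08/03/19 16:49:12  hdfs/host1.example.com@EXAMPLE.COM
        Etype (skey, tkt): aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96
"""

# Ticket line: "<date> <time>  <date> <time>  <service principal>"
TICKET = re.compile(r"^(?:\d\S*\s+\S+\s+){2}(\S+)\s*$")
# Detail line carrying the session-key and ticket enctypes
ETYPE = re.compile(r"Etype \(skey, tkt\):\s*([^,\s]+),\s*(\S+)")


def is_rc4(etype):
    """True for any spelling of the RC4 enctype (rc4-hmac, arcfour-hmac, ...)."""
    name = etype.lower()
    return "arcfour" in name or "rc4" in name


def rc4_tickets(klist_output):
    """Return (principal, skey, tkt) for each ticket that uses RC4 anywhere."""
    findings, principal = [], None
    for line in klist_output.splitlines():
        ticket = TICKET.match(line)
        if ticket:
            principal = ticket.group(1)
            continue
        etypes = ETYPE.search(line)
        if etypes and principal:
            skey, tkt = etypes.groups()
            if is_rc4(skey) or is_rc4(tkt):
                findings.append((principal, skey, tkt))
            principal = None  # one Etype line per ticket
    return findings


if __name__ == "__main__":
    # Pipe real output in (klist -e | python3 this_script.py) or run bare for the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for principal, skey, tkt in rc4_tickets(text):
        print(f"RC4 in use: {principal} skey={skey} tkt={tkt}")
```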

