How are authentication credentials stored and protected within the local KDC created during Kerberos implementation? What encryption algorithm can be used ?
As of Ambari 2.1.2, the KDC administrator credential is stored in an in-memory or on-disk credential store (keystore), depending on your configuration. If Ambari's credential store is set up using the ambari-server setup-security utility (option #2 - Encrypt passwords stored in ambari.properties file) then the KDC administrator credential can be stored there until manually removed. Else the credential will be stored in an in-memory credential store for up to 90 minutes or until Ambari is restarted.
The storage location for the credential (in-memory or on-disk credential store), may be chosen via the UI at the time it is set. Else, it may be set, updated, or removed via Ambari's REST API - see https://github.com/apache/ambari/blob/trunk/ambari-server/docs/api/v1/credential-resources.md.