News
Abstract
The Kerberos configuration commands were updated to include parameters to specify the list of encryption types to add and remove for the specified principal from the keytab entries. The default encryption types when creating a new entry now only include AES algorithms.
Content
The Kerberos configuration commands include parameters to specify the list of encryption types to add and remove for the specified principal from the keytab entries.
The default encryption types when creating a new entry are now *AES256 and *AES128. In prior releases the default was *AES256 *AES128 *CBCDES *DESHMAC *CBCDES3 *ARCFOUR.
The following example commands show the new ENCTYPE parameter and common values.
Add Kerberos Keytab Entry (ADDKRBKTE)
- Add a service principal entry into the default Key Table file for each of the default encryption types.
- ADDKRBKTE PRINCIPAL('krbsvr400/camolts.myco.com' MYCO.COM) PASSWORD(uneed2chg) VERSION(*GEN) KEYTABFILE(*DFT) ENCTYPE(*DFT)
- Add a principal name keytab entry with specific encryption types
- ADDKRBKTE PRINCIPAL('ferb' ROCH.MN.COM) PASSWORD(uneed2chg) KEYTABFILE(*DFT) ENCTYPE(*AES128 *AES256)
Remove Kerberos Keytab Entry (RMVKRBKTE)
- Remove all the keytab entries for a principal
- RMVKRBKTE PRINCIPAL('krbsvr400/my.gmyco.com' *DFT) KEYTABFILE(*DFT) ENCTYPE(*ALL)
- Remove specific keytab entries for a principal. In this example, remove the deprecated or less secure algorithms.
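Before removing entries, it helps to know which keytab entries still carry non-AES encryption types. The following is an added example, not IBM's code: it assumes the key table is available in the MIT krb5 keytab file format (version 0x0502), which this page does not state, and it runs on a constructed sample with dummy keys and made-up principal names.

```python
import struct

# Standard Kerberos enctype numbers (MIT krb5 names), not IBM i ENCTYPE keywords.
NAMES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 23: "arcfour-hmac"}
AES_ONLY = {17, 18}   # aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96

def read_counted(buf, off):
    """Read a uint16 length-prefixed string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype)] for a version 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        rec, pos = data[pos + 4:pos + 4 + max(size, 0)], pos + 4 + abs(size)
        if size <= 0:                        # negative size marks a deleted slot
            continue
        (ncomp,) = struct.unpack_from(">H", rec, 0)
        realm, off = read_counted(rec, 2)
        parts = []
        for _ in range(ncomp):
            part, off = read_counted(rec, off)
            parts.append(part.decode())
        _ntype, _ts, kvno, etype = struct.unpack_from(">IIBH", rec, off)
        _key, off = read_counted(rec, off + 11)   # key bytes are never returned
        if len(rec) - off >= 4:                   # optional 32-bit kvno wins if set
            kvno = struct.unpack_from(">I", rec, off)[0] or kvno
        entries.append(("/".join(parts) + "@" + realm.decode(), kvno, etype))
    return entries

def non_aes_entries(data):
    """Entries whose enctype falls outside the AES-only default."""
    return [(p, v, NAMES.get(e, f"etype {e}"))
            for p, v, e in parse_keytab(data) if e not in AES_ONLY]

def sample_entry(name, realm, kvno, etype):
    """Constructed record with an all-zero dummy key (demo input only)."""
    c = lambda b: struct.pack(">H", len(b)) + b
    comps = name.encode().split(b"/")
    body = (struct.pack(">H", len(comps)) + c(realm.encode()) + b"".join(map(c, comps))
            + struct.pack(">IIBH", 1, 0, kvno, etype) + c(bytes(16)))
    return struct.pack(">i", len(body)) + body

SAMPLE = (b"\x05\x02" + sample_entry("krbsvr400/host.example.com", "EXAMPLE.COM", 2, 18)
          + sample_entry("krbsvr400/host.example.com", "EXAMPLE.COM", 2, 23))
```

`non_aes_entries(SAMPLE)` reports only the arcfour-hmac entry, which is the kind of entry the ENCTYPE parameter on RMVKRBKTE lets you remove while keeping the AES keys.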
Document Information
Modified date:
08 April 2025
UID
ibm17229786
