Loading Keytab in Gateway shows "Could not login 'Do not have keys of types listed in default_tkt_enctypes available'"

Article ID: 128900

Products

STARTER PACK-7 CA Rapid App Security CA API Gateway

Issue/Introduction

  • During setup of Kerberos in the API Gateway, validation fails with the following error:
    • Could not login 'Do not have keys of types listed in default_tkt_enctypes available'

Cause

  • API Gateway overwrites the krb5.conf file on reboot, and the encryption types listed in that file may not contain the encryption type specified in the keytab file.

Environment

  • This applies to all Gateway versions (as of this publish date)
  • Windows Active Directory KDC

Resolution

  1. Open the krb5.conf file for editing: vi /opt/SecureSpan/Gateway/node/default/var/krb5.conf
  2. Add the encryption type the keytab was generated with to the default_tkt_enctypes line, for example aes128-cts-hmac-sha1-96. Replace that example with whatever encryption type the keytab actually uses.

    [libdefaults]
    default_realm = <default_realm>
    default_tkt_enctypes = aes128-cts-hmac-sha1-96,rc4-hmac,des-cbc-md5

  3. Validate the Kerberos communication in Policy Manager after making the above change.
  4. To make this change permanent, set the kerberos.krb5Config.overwrite cluster property to false via Tasks -> Cluster Wide Properties; otherwise the Gateway overwrites krb5.conf again on the next reboot.
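The check below is an added Python example written for this article; it is not part of the Gateway product or of CA/Broadcom tooling. It parses the keytab file format (version 0x0502, as written by ktpass and ktutil) to list the encryption types the keytab actually carries, reads default_tkt_enctypes from the [libdefaults] section of a krb5.conf, and reports whether the two overlap, which is exactly the condition behind the "Do not have keys of types listed in default_tkt_enctypes available" error. The sample keytab, the realm EXAMPLE.COM and the principal HTTP/gateway.example.com are constructed for the example; point the functions at the real /opt/SecureSpan/Gateway/node/default/var/krb5.conf and the real keytab to use it on a Gateway.

```python
import re
import struct

# Kerberos enctype numbers (RFC 3961/3962/6649/8009) and the names krb5.conf accepts.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    19: "aes128-cts-hmac-sha256-128",
    20: "aes256-cts-hmac-sha384-192",
    23: "rc4-hmac",
}
# Aliases that krb5.conf also accepts for the same enctype numbers.
ENCTYPE_ALIASES = {
    "arcfour-hmac": 23, "arcfour-hmac-md5": 23,
    "aes128-cts": 17, "aes128-sha1": 17,
    "aes256-cts": 18, "aes256-sha1": 18,
    "aes128-sha2": 19, "aes256-sha2": 20,
    "des3-hmac-sha1": 16, "des3-cbc-sha1-kd": 16,
}
NAME_TO_ENCTYPE = {name: num for num, name in ENCTYPE_NAMES.items()}
NAME_TO_ENCTYPE.update(ENCTYPE_ALIASES)


def keytab_enctypes(data):
    """Return the set of enctype numbers present in a keytab blob (format 0x0502)."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, found = 2, set()
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:               # negative size marks a deleted entry; skip the hole
            pos += -size
            continue
        entry = data[pos:pos + size]
        pos += size
        p = 0
        (ncomp,) = struct.unpack(">H", entry[p:p + 2]); p += 2
        for _ in range(ncomp + 1):  # realm, then each principal component (length-prefixed)
            (ln,) = struct.unpack(">H", entry[p:p + 2]); p += 2 + ln
        p += 4 + 4 + 1              # name_type, timestamp, 8-bit kvno
        (enctype,) = struct.unpack(">H", entry[p:p + 2])
        found.add(enctype)
    return found


def default_tkt_enctypes(conf_text):
    """Return the enctype numbers listed in [libdefaults] default_tkt_enctypes,
    or None when the key is absent (MIT then falls back to its permitted list)."""
    section = None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "default_tkt_enctypes":
                names = re.split(r"[\s,]+", value.strip().lower())
                return {NAME_TO_ENCTYPE[n] for n in names if n in NAME_TO_ENCTYPE}
    return None


def check_keytab_against_conf(keytab_bytes, conf_text):
    """Report which keytab enctypes the Gateway could use and which krb5.conf excludes."""
    have = keytab_enctypes(keytab_bytes)
    allowed = default_tkt_enctypes(conf_text)
    if allowed is None:
        return {"ok": True, "usable": have, "missing_from_conf": set()}
    usable = have & allowed
    return {"ok": bool(usable), "usable": usable, "missing_from_conf": have - allowed}


def build_keytab_entry(realm, components, enctype, key, kvno=1, timestamp=0):
    """Constructed keytab entry (format 0x0502) used only to build the sample below."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno)   # name_type KRB5_NT_PRINCIPAL = 1
    body += struct.pack(">HH", enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body


# Constructed sample: a keytab holding only an aes256-cts-hmac-sha1-96 key (enctype 18).
SAMPLE_KEYTAB = b"\x05\x02" + build_keytab_entry(
    "EXAMPLE.COM", ["HTTP", "gateway.example.com"], 18, b"\x00" * 32)

# krb5.conf as shown in the resolution above (realm value is constructed).
CONF_FROM_ARTICLE = """[libdefaults]
default_realm = EXAMPLE.COM
default_tkt_enctypes = aes128-cts-hmac-sha1-96,rc4-hmac,des-cbc-md5
"""
# The same file after adding the enctype the keytab actually uses.
CONF_FIXED = CONF_FROM_ARTICLE.replace(
    "default_tkt_enctypes = ", "default_tkt_enctypes = aes256-cts-hmac-sha1-96,")

if __name__ == "__main__":
    for label, conf in (("article krb5.conf", CONF_FROM_ARTICLE), ("fixed krb5.conf", CONF_FIXED)):
        r = check_keytab_against_conf(SAMPLE_KEYTAB, conf)
        print(label, "OK" if r["ok"] else "WOULD FAIL",
              "usable:", sorted(ENCTYPE_NAMES.get(e, str(e)) for e in r["usable"]),
              "excluded:", sorted(ENCTYPE_NAMES.get(e, str(e)) for e in r["missing_from_conf"]))
```

Running it against the constructed sample shows the first configuration would reproduce the error (the keytab's aes256 key is not in default_tkt_enctypes) and the second would not; running it against the real files tells you in advance whether step 2 above needs a different enctype than the one given as an example.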

Additional Information

  • An alternative resolution would be to generate a new keytab with the already supported default encryption types specified in the krb5.conf file.