Loading Keytab in Gateway shows "Could not login 'Do not have keys of types listed in default_tkt_enctypes available'"

Article Id: 128900
Status: Published
Updated On: 30-09-2019 08:06
Products:
STARTER PACK-7 , CA Rapid App Security , CA API Gateway , CA API Gateway , CA API Gateway
Issue/Introduction:

  • During setup of Kerberos in the API Gateway, validation fails with the following error:
    • Could not login 'Do not have keys of types listed in default_tkt_enctypes available'

Cause:

  • API Gateway overwrites the krb5.conf file on reboot, and the encryption types listed in that file may not contain the encryption type specified in the keytab file.

Environment:

  • This applies to all Gateway versions (as of this publish date)
  • Windows Active Directory KDC

Resolution:

  1. Edit the krb5.conf file: vi /opt/SecureSpan/Gateway/node/default/var/krb5.conf
  2. Edit the krb5.conf file to include the expected/desired encryption type such as aes128-cts-hmac-sha1-96 for example. Be sure to replace that example with whatever encryption type is needed.

    [libdefaults]
    default_realm = <default_realm>
    default_tkt_enctypes = aes128-cts-hmac-sha1-96,rc4-hmac,des-cbc-md5

  3. Validate the Kerberos communication in Policy Manager after making the above change.
  4. To make this change permanent, the kerberos.krb5Config.overwrite cluster property needs to be set to a value of false via Tasks -> Cluster Wide Properties.

Additional Information:

  • An alternative resolution would be to generate a new keytab with the already supported default encryption types specified in the krb5.conf file.