Post patch 10.1 CR03 we have an issue with Kerberos authentication due to deprecated encryption type RC4.

Article ID: 275793

Products

CA API Gateway

Issue/Introduction

After installing CR03 in our gateway cluster, we have an issue with Kerberos authentication due to deprecated encryption type RC4.

We have added the system property "com.l7tech.server.krb5.allowWeakCrypto = true" and rebooted both nodes of the cluster.

https://techdocs.broadcom.com/us/en/ca-enterprise-software/layer7-api-management/api-gateway/10-1/security-configuration-in-policy-manager/tasks-menu-security-options/manage-kerberos-configuration.html

But despite the setting, the same error continues:

Could not process Kerberos token (Negotiate); error is "KrbException: Encryption type RC4 with HMAC is not supported/enabled"

Resolution

After the upgrade and setting the new config, check the krb5.conf file in the /opt/SecureSpan/Gateway/node/default/var directory.

Check whether the file contains the entry "allow_weak_crypto = true".

If not, you can add it to the file manually (ignore the "DO NOT EDIT" header for the moment).

###############################
# Generated file, DO NOT EDIT #
###############################

[libdefaults]
default_realm = L7TECH.SUP
allow_weak_crypto = true
[realms]

Alternatively, use the Gateway Policy Manager to update the Kerberos configuration by creating a new configuration.

Then restart the gateway service to clear the cache.

Setting the system property "com.l7tech.server.krb5.allowWeakCrypto = true" tells the gateway to add the line "allow_weak_crypto = true" when the Kerberos config is created; this may not occur automatically when CR3 is applied.
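The check described in the Resolution can be scripted so that it only counts an active entry under [libdefaults]; a plain text search would also match a commented-out line or the key placed under another section. This is an added example, not Broadcom tooling: the function name weak_crypto_state and the sample file are constructed here, and the sample mirrors the krb5.conf excerpt shown above.

```shell
#!/bin/sh
# Added example (not Broadcom tooling): report the allow_weak_crypto value
# found in the [libdefaults] section of a krb5.conf file.
# Prints the lower-cased value, or "unset" when the key is absent there.
# If the key is repeated, the last occurrence is the one reported.
weak_crypto_state() {
    awk '
        { sub(/\r$/, "") }                        # tolerate CRLF line endings
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        /^[ \t]*\[/ {                             # section header, e.g. [libdefaults]
            section = $0
            gsub(/[ \t]/, "", section)
            next
        }
        section == "[libdefaults]" {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1)
            val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key)
            gsub(/[ \t]/, "", val)
            if (key == "allow_weak_crypto") state = tolower(val)
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Constructed sample mirroring the excerpt above (not read from a gateway).
sample=$(mktemp)
cat > "$sample" <<'EOF'
###############################
# Generated file, DO NOT EDIT #
###############################

[libdefaults]
default_realm = L7TECH.SUP
allow_weak_crypto = true
[realms]
EOF
echo "allow_weak_crypto in [libdefaults]: $(weak_crypto_state "$sample")"
rm -f "$sample"
```

Call weak_crypto_state with the path to krb5.conf on each node after the restart; a result of "unset" or "false" means the generated file does not carry the entry.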