Layer7 Compatibility With the Keytab Encryption aes256-cts-hmac-sha384-192

Article ID: 380271

Products

CA API Gateway

Issue/Introduction

Is Layer7 compatible with the keytab encryption aes256-cts-hmac-sha384-192?

A keytab with the encryption types aes256-cts-hmac-sha384-192 and aes256-cts-hmac-sha1-96 was created with the same command, but only the encryption aes256-cts-hmac-sha384-192 failed authentication in Layer7. Our Kerberos team prefers aes256-cts-hmac-sha384-192, but it isn’t required.

Environment

API Gateway 11.X

Resolution

1. Open the krb5.conf file for editing: nano /opt/SecureSpan/Gateway/node/default/var/krb5.conf
2. Under [libdefaults], add the expected/desired encryption type to default_tkt_enctypes. The example below uses aes256-cts-hmac-sha384-192; be sure to replace it with whatever encryption type is needed.
     [libdefaults]
     default_realm = <default_realm>
     default_tkt_enctypes = aes256-cts-hmac-sha384-192,rc4-hmac,des-cbc-md5

3. Validate the Kerberos communication in Policy Manager after making the above change.
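
A quick check to run before step 3, as an added example that is not part of the original article: it reads default_tkt_enctypes from the [libdefaults] section of a krb5.conf, confirms the keytab's encryption type is listed, and reports any listed types that RFC 6649 and RFC 8429 deprecate. The function names are hypothetical and the sample file is constructed, with EXAMPLE.COM as a placeholder realm.

```bash
#!/usr/bin/env bash
# Added example (not from the article); function names are hypothetical.

# Print default_tkt_enctypes from [libdefaults], one enctype per line.
tkt_enctypes() {
  awk '
    /^[ \t]*\[/ { in_lib = ($0 ~ /^[ \t]*\[libdefaults\]/); next }
    in_lib && /^[ \t]*default_tkt_enctypes[ \t]*=/ {
      sub(/^[^=]*=/, "")                      # drop "key ="
      n = split($0, parts, /[ \t,]+/)         # commas or whitespace separate entries
      for (i = 1; i <= n; i++) if (parts[i] != "") print parts[i]
    }
  ' "$1"
}

# Succeed if enctype $2 is listed in krb5.conf $1 (exact match).
has_enctype() {
  tkt_enctypes "$1" | grep -Fxq -- "$2"
}

# Print listed enctypes deprecated by RFC 6649 (single DES) or RFC 8429 (3DES, RC4).
weak_enctypes() {
  tkt_enctypes "$1" | grep -E '^(des|rc4-|arcfour-)' || true
}

# Constructed sample mirroring the block above; EXAMPLE.COM is a placeholder realm.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
     [libdefaults]
     default_realm = EXAMPLE.COM
     default_tkt_enctypes = aes256-cts-hmac-sha384-192,rc4-hmac,des-cbc-md5
EOF

conf=${1:-$sample}                            # pass the gateway's krb5.conf as $1
want=${2:-aes256-cts-hmac-sha384-192}         # enctype the keytab was created with
if has_enctype "$conf" "$want"; then
  echo "OK: $want is listed in default_tkt_enctypes"
else
  echo "MISSING: $want is not listed in default_tkt_enctypes"
fi
weak_enctypes "$conf" | sed 's/^/deprecated enctype still listed: /'
```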