Content Platform Engine, Version 5.2.1            

Using RC4-HMAC Security

You can change default encryption security to the more secure RC4-HMAC standard, if you fulfill certain prerequisites.

If you followed the previous directions, Content Platform Engine is set up to use 56-bit DES encryption security. You can change this to the more secure 128-bit RC4-HMAC security if your environment meets both of these additional prerequisites:
  • Content Platform Engine is installed on either WebSphere 6 or later, or on WebLogic systems running Java 6 or later, and
  • your directory service is Active Directory 2003 or later.
To use RC4-HMAC, modify the krb5.ini or krb5.conf file and change two lines in the following way:
default_tgs_enctypes = rc4-hmac
default_tkt_enctypes = rc4-hmac

That is, replace the recommended des-cbc-md5 des-cbc-crc on those two lines with rc4-hmac.

After changing this setting in your krb5.ini file, you might have to run (or re-run) the step to create the keytab (re-running ktpass or ktab is not needed if you have already run ktpass or ktab on WebLogic Java 6 or later setups).

Make sure that the Kerberos identity user account you have set up does not have Use DES encryption types for this account selected. If it is already selected, then you must unselect it and re-enter the password.

It is not possible for the same SPN/identity user account to support both DES and RC4-HMAC security. It must be one or the other.
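
The following check for the krb5.ini or krb5.conf edit described above is an added example, not part of the IBM documentation. It assumes the two settings sit in the [libdefaults] section, as is standard for Kerberos configuration files; the function names and sample file contents are constructed for illustration.

```python
import re

KEYS = ("default_tgs_enctypes", "default_tkt_enctypes")

def read_libdefaults(text):
    """Return {key: [enctypes]} for the two settings found under [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in KEYS:
                found[key] = re.split(r"[\s,]+", value.lower()) if value else []
    return found

def audit_enctypes(text):
    """List the problems that keep the file from being RC4-HMAC only."""
    found, problems = read_libdefaults(text), []
    for key in KEYS:
        types = found.get(key)
        if types is None:
            problems.append(f"{key}: not set in [libdefaults]")
            continue
        des = [t for t in types if t.startswith("des-")]
        if des:
            problems.append(f"{key}: still lists DES ({' '.join(des)})")
        if "rc4-hmac" not in types:
            problems.append(f"{key}: rc4-hmac missing")
    return problems

# Constructed samples: the DES defaults, and an edit that changed only one line.
BEFORE = """[libdefaults]
    default_tgs_enctypes = des-cbc-md5 des-cbc-crc
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
"""
PARTIAL = """[libdefaults]
    default_tgs_enctypes = rc4-hmac
    default_tkt_enctypes = des-cbc-md5 des-cbc-crc
"""

if __name__ == "__main__":
    for name, sample in (("before", BEFORE), ("partial edit", PARTIAL)):
        print(name, audit_enctypes(sample) or "OK")
```

An empty result means both lines name rc4-hmac and no DES type remains; the account setting and keytab steps still have to be checked separately.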



Last updated: March 2016

© Copyright IBM Corporation 2016.