Step 2: If You are Using AES-256 Encryption, Install the JCE Policy File

If you are using CentOS or Red Hat Enterprise Linux 5.5 or later, which use AES-256 encryption by default for tickets, you must install the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy File on all cluster and Hadoop user hosts. There are two ways to do this:
  • In the Cloudera Manager Admin Console, go to the Hosts page. Both the Add New Hosts to Cluster wizard and the Re-run Upgrade Wizard give you the option to have Cloudera Manager install the JCE policy file for you.
  • Follow the JCE policy file installation instructions in the README.txt file included in the jce_policy-x.zip file.

Alternatively, you can configure Kerberos not to use AES-256 by removing aes256-cts:normal from the supported_enctypes field of the kdc.conf or krb5.conf file. Note that after changing the kdc.conf file, you must restart both the KDC and the kadmin server for the change to take effect. You may also need to recreate, or change the password of, the relevant principals, potentially including the Ticket Granting Ticket principal (krbtgt/REALM@REALM). If AES-256 is still used after all of those steps, it is because the aes256-cts:normal setting existed when the Kerberos database was created. To fix this, create a new Kerberos database and then restart both the KDC and the kadmin server.

To verify the type of encryption used in your cluster:

  1. For MIT KDC: On the local KDC host, type this command in the kadmin.local or kadmin shell to create a test principal:
    kadmin:  addprinc test

    For Active Directory: Create a new AD account with the name, test.

  2. On a cluster host, type this command to start a Kerberos session as test:
    $ kinit test

  3. On a cluster host, type this command to view the encryption type in use:
    $ klist -e

    If AES is being used, the klist -e output looks like the following (note that AES-256 appears in the Etype line):

    Ticket cache: FILE:/tmp/krb5cc_0
    Default principal: test@Cloudera Manager
    Valid starting     Expires            Service principal
    05/19/11 13:25:04  05/20/11 13:25:04  krbtgt/Cloudera Manager@Cloudera Manager
        Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC
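The verification above is a manual read of klist -e. The following added example (not part of the Cloudera documentation) wraps the same check in two small shell helpers: one parses the Etype line of klist -e output to decide whether AES-256 tickets are in use (and therefore whether the JCE policy file is required), and one checks whether a kdc.conf or krb5.conf supported_enctypes line still lists aes256-cts after the edit described earlier. The realm EXAMPLE.COM and both sample inputs are constructed for the example.

```shell
#!/bin/sh
# Constructed sample of `klist -e` output, same shape as the documentation's example.
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_0
Default principal: test@EXAMPLE.COM

Valid starting     Expires            Service principal
05/19/11 13:25:04  05/20/11 13:25:04  krbtgt/EXAMPLE.COM@EXAMPLE.COM
    Etype (skey, tkt): AES-256 CTS mode with 96-bit SHA-1 HMAC, AES-256 CTS mode with 96-bit SHA-1 HMAC'

# Constructed kdc.conf realm fragment with aes256-cts still in supported_enctypes.
SAMPLE_KDC_CONF='[realms]
 EXAMPLE.COM = {
  supported_enctypes = aes256-cts:normal aes128-cts:normal arcfour-hmac:normal
 }'

# Read klist -e output on stdin; print each distinct encryption type found on
# "Etype (skey, tkt):" lines, one per line (session key and ticket key are listed
# separately by klist, so the comma-separated pair is split).
klist_enctypes() {
  sed -n 's/^[[:space:]]*Etype (skey, tkt): //p' | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' | sort -u
}

# Exit 0 when any ticket in the klist -e output on stdin uses an AES-256 enctype.
# If this succeeds, Java hosts need the JCE Unlimited Strength policy file.
klist_uses_aes256() {
  klist_enctypes | grep -q '^AES-256 '
}

# Read a kdc.conf or krb5.conf on stdin; exit 0 when supported_enctypes still
# contains an aes256-cts entry, which means the KDC will keep issuing AES-256 tickets.
kdc_conf_allows_aes256() {
  sed -n 's/^[[:space:]]*supported_enctypes[[:space:]]*=[[:space:]]*//p' \
    | tr ' ' '\n' | grep -q '^aes256-cts'
}

# Run both checks against the constructed samples.
if printf '%s\n' "$SAMPLE_KLIST" | klist_uses_aes256; then
  echo "AES-256 tickets in use: install the JCE Unlimited Strength policy file on all Java hosts"
else
  echo "No AES-256 tickets found"
fi
if printf '%s\n' "$SAMPLE_KDC_CONF" | kdc_conf_allows_aes256; then
  echo "kdc.conf still lists aes256-cts in supported_enctypes"
fi
```

On a real cluster host, pipe the live output instead of the sample: `klist -e | klist_uses_aes256` after `kinit test`, and `kdc_conf_allows_aes256 < /var/kerberos/krb5kdc/kdc.conf` on the KDC host (path is the usual MIT default; adjust for your installation).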