RHEL / RHEL-71802

RFE: Request to have a utility or way to upgrade Kerberos master key in RHEL IdM

    • Story
    • Resolution: Duplicate
    • ipa
    • rhel-sst-idm-ipa
    • ssg_idm

      Cu is coming from a secure environment and needs to remove :sha1 from all crypto.
      The show stopper seems to be around the Kerberos master key, which evidently came from older versions of IPA:

      $ kadmin.local getprinc K/M | grep Key
      Key: vno 1, aes256-cts-hmac-sha1-96

      Goal

      • Update Kerberos master key from aes256-cts-hmac-sha1-96
        • to aes256-cts-hmac-sha384-192

      Acceptance criteria

      A list of verification conditions, successful functional tests, or expected outcomes in order to declare this story/task successfully completed.

      • While it's possible to change this, it's very manual as I understand it, requiring
        password changes; all clients would need to re-enroll and any Kerberized services would need new keytabs after a change.
      • Is it possible to automate such a transition for IdM Cu coming from older configurations of IPA?

              jrische@redhat.com Julien Rische
              rhn-support-jabsher Jeremy Absher
              Florence Renaud
              Sudhir Menon
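
A read-only check for the condition this issue describes, as an added example that is not part of the original ticket or of IdM: it parses `kadmin.local getprinc` output and lists every key that still uses a SHA-1 enctype, marking whether it is the principal's current key. The realm, the host principal and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not IdM tooling: find SHA-1-based keys in getprinc output.

# Constructed sample in the shape `kadmin.local getprinc` prints
# (realm and host principal are made up; other output lines omitted).
sample_getprinc() {
cat <<'EOF'
Principal: K/M@EXAMPLE.TEST
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1
Principal: host/client.example.test@EXAMPLE.TEST
Number of keys: 2
Key: vno 2, aes256-cts-hmac-sha384-192
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1
EOF
}

# Reads getprinc output for one or more principals on stdin. Prints
#   <principal> <kvno> <enctype> <current|old>
# for each key whose enctype name contains "sha1"; "current" means the
# key has the highest kvno listed for that principal.
# Exit status: 0 if no SHA-1 key was seen, 1 otherwise.
audit_sha1_keys() {
    awk '
        /^Principal: / { princ = $2 }
        /^Key: vno / {
            kvno = $3; sub(/,$/, "", kvno)
            etype = $4; sub(/:.*/, "", etype)   # drop a ":salt" suffix if shown
            if (kvno + 0 > max[princ] + 0) max[princ] = kvno
            if (etype ~ /sha1/) { n++; p[n] = princ; k[n] = kvno; e[n] = etype }
        }
        END {
            for (i = 1; i <= n; i++)
                printf "%s %s %s %s\n", p[i], k[i], e[i],
                       (k[i] == max[p[i]] ? "current" : "old")
            exit (n > 0)
        }
    '
}

# Demo on the constructed sample; on an IdM server the input would be
#   kadmin.local getprinc K/M | audit_sha1_keys
sample_getprinc | audit_sha1_keys || true
```

An "old" entry means a newer key exists but the SHA-1 key is still stored for that principal.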