When this document was originally prepared, LDAP with Kerberos authentication running under FIPS 140-2 was untested. Since a station running in FIPS mode can only use FIPS-compliant algorithms, the LDAP and Kerberos servers were also required to support FIPS 140-2 algorithms. The lack of FIPS-compliant support was a known problem for all versions of Windows Active Directory, which supported only DES and RC4 (neither of which is a FIPS-compliant algorithm).
Kerberos authentication working together with FIPS 140-2 is not possible without meeting these requirements:
- The LDAP and Kerberos servers must support either 3DES or AES. Systems that include Hotspot QNX-based controller platforms (JACE-3E, JACE-6, JACE-7 series controllers) are limited to 3DES only.
- NiagaraAX hosts must support Kerberos. Only AX-3.8 Hotspot JVM platforms meet this standard. J9 JVM platforms (such as the JACE-2/4/5 series) do not support Kerberos authentication.
- It may be necessary to enable the use of stronger encryption on the Kerberos server. This is something the Kerberos administrator at your site would need to implement.
To ensure that only FIPS 140-2 algorithms are used for Kerberos authentication, configure Workbench to request only specific FIPS 140-2 encryption types. You do this by editing the krb5.conf file, described in the Niagara LDAP Guide. To restrict which encryption types the client will accept, add the following lines to the [libdefaults] section of this file:
[libdefaults]
default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1
default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1
permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1
These entries restrict the ciphers used to AES-128, AES-256 or 3DES.
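A forgotten or mistyped key silently lets the client fall back to the library's default enctype list, so it is worth checking the file rather than trusting it. The following added example (not part of the Niagara guide or product) parses the [libdefaults] section of a krb5.conf and reports any of the three keys that is missing or that lists an encryption type outside the AES/3DES set above; the sample configurations are constructed for the demonstration.

```python
import re

# Encryption types the guide above allows under FIPS 140-2 (values taken from the krb5.conf excerpt)
FIPS_ENCTYPES = {"aes256-cts", "aes128-cts", "des3-cbc-sha1"}
# The three [libdefaults] keys that must all be restricted for the client to stay FIPS-only
REQUIRED_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")

def parse_libdefaults(text):
    """Return key -> list of values for top-level settings in [libdefaults]."""
    section, depth, settings = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        header = re.match(r"\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1), 0
            continue
        depth += line.count("{") - line.count("}")  # skip nested blocks such as those in [realms]
        if section == "libdefaults" and depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.split()
    return settings

def check_fips_enctypes(text):
    """Return findings; an empty list means every key restricts the client to FIPS types."""
    findings, settings = [], parse_libdefaults(text)
    for key in REQUIRED_KEYS:
        if key not in settings:
            findings.append(f"{key}: not set, library defaults apply")
            continue
        for enctype in settings[key]:
            if enctype.lower() not in FIPS_ENCTYPES:
                findings.append(f"{key}: non-FIPS enctype {enctype}")
    return findings

# Constructed sample files: the first mirrors the guide's settings, the second is a weak one
GOOD_CONF = """[libdefaults]
    default_tkt_enctypes = aes256-cts aes128-cts des3-cbc-sha1
    default_tgs_enctypes = aes256-cts aes128-cts des3-cbc-sha1
    permitted_enctypes = aes256-cts aes128-cts des3-cbc-sha1
"""
BAD_CONF = """[libdefaults]
    default_tkt_enctypes = aes256-cts rc4-hmac
    default_tgs_enctypes = aes256-cts rc4-hmac
    # permitted_enctypes left unset
"""
```

Run `check_fips_enctypes(open("krb5.conf").read())` against the file Workbench actually loads; any finding means the client can still negotiate a non-FIPS type.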