Alignment of encryption algorithms for Kerberos/SPNEGO SSO in ELM

To avoid issues, encryption algorithms must align on ELM Eclipse clients, including Engineering Workflow Management .NET clients, and IBM® WebSphere® Application Server.

If the Global Domain Policy and Global Domain Controller Policy are not updated, or Advanced Encryption Standard 256-bit (AES-256) encryption is not explicitly disabled, the IBM JRE used by each ELM client must be updated. The IBM Engineering Workflow Management .NET clients (Engineering Workflow Management client for Microsoft Visual Studio IDE, Engineering Workflow Management Windows Explorer integration, and Engineering Workflow Management MS-SCCI Provider) include their own version of the IBM JRE that must be updated as well. For more information, see "AES 256-bit encryption and the IBM JRE" in configuring Kerberos/SPNEGO, and "Enforcing encryption algorithms on Microsoft Active Directory domain clients".

If the Global Domain Policies are updated to permit only Rivest Cipher 4 (RC4) or AES-128 encryption, there should be no encryption issues with Kerberos tickets issued by the Windows operating system.

If the ELM application user is using the kinit utility to obtain a Kerberos ticket-granting ticket (TGT) and session key, the user must explicitly configure the krb5.conf or krb5.ini file to specify the encryption algorithms to use. The same encryption algorithms that are in the krb5.conf file for WebSphere Application Server can be used. For more information, see Configuring WebSphere Application Server with SPNEGO for encryption.
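One way to check that a client krb5.ini lists the same encryption algorithms as the WebSphere Application Server krb5.conf, as an added example that is not IBM's code. It assumes the algorithms are set with the standard [libdefaults] keys default_tkt_enctypes, default_tgs_enctypes and permitted_enctypes, which this page does not name; the two sample files are constructed and the function names are hypothetical.

```python
import re
# [libdefaults] keys that select Kerberos encryption types (assumed, see lead-in).
ENCTYPE_KEYS = ("default_tkt_enctypes", "default_tgs_enctypes", "permitted_enctypes")
AES256 = {"aes256-cts-hmac-sha1-96", "aes256-cts"}  # needs updated JRE policy files
# Constructed sample files, not taken from the product documentation.
SERVER_CONF = """\
[libdefaults]
    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
    default_tgs_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac
"""
CLIENT_INI = """\
; constructed client krb5.ini
[libdefaults]
    default_tkt_enctypes = aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96
"""

def libdefaults_enctypes(text):
    """Return {key: [enctype, ...]} for the enctype keys under [libdefaults]."""
    section, found = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or full-line comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1).lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ENCTYPE_KEYS:
                found[key] = [e.lower() for e in re.split(r"[,\s]+", value) if e]
    return found

def alignment_findings(client_text, server_text):
    """List the ways the client file departs from the server file."""
    client, server = libdefaults_enctypes(client_text), libdefaults_enctypes(server_text)
    findings = []
    for key in ENCTYPE_KEYS:
        c, s = client.get(key), server.get(key)
        if c is None and s is not None:
            findings.append(f"{key}: not set on client; server uses {s}")
        if c and AES256 & set(c):
            findings.append(f"{key}: client lists AES-256 {sorted(AES256 & set(c))}")
        if c is not None and s is not None and set(c) != set(s):
            findings.append(f"{key}: client {c} differs from server {s}")
    return findings

if __name__ == "__main__":
    print("\n".join(alignment_findings(CLIENT_INI, SERVER_CONF)))
```

An empty result means the client file sets the same algorithms as the server file and lists no AES-256 type.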

com.ibm.security.krb5.internal.crypto.KrbCryptoException

If client logging is enabled, the following exception is thrown when Microsoft Active Directory is not configured to avoid AES-256 encryption, or when the policy files in the IBM JRE on the ELM client are not updated:
com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
     message: com.ibm.security.krb5.internal.crypto.KrbCryptoException, status code: 0
     message: java.security.InvalidKeyException: Illegal key size 
