Downgrading an SP 800-131a crypto NPS system

If you must downgrade the NPS software on your system, and you configured the system to use SP 800-131a crypto support, review the following steps and precautions to ensure a successful downgrade.

Downgrades are typically performed by Netezza Performance Server Support in cases where there is a need to return to a release that ran previously on your Netezza Performance Server system.

If you are downgrading to a release before 7.1, those releases do not support the enhanced cryptography for SP 800-131a compliance. The nzupgrade command, which upgrades and downgrades the current release on the Netezza Performance Server system, checks for enhanced crypto support and returns an error if the command detects any crypto-related objects that are not supported on the release to which you are downgrading.

To clear your system of the crypto-related objects and settings before a downgrade, do the following:

  • Run the nzconfigcrypto -disable command to disable the crypto support. Stop and restart the NPS software using the nzstop and nzstart commands to start the system in a non-SP 800-131a mode.
  • Identify and drop any keys that are defined with the DSA_KEYPAIR_2048 key type. You can use the SHOW KEYSTORE ALL VERBOSE command to list all the keys. Identify the keys that are of key type DSA_KEYPAIR_2048 and use the DROP CRYPTO KEY <keystore>.<keyname> command to drop each of those keys.
  • Identify and drop any audit history configurations that are digitally signed with a DSA_KEYPAIR_2048 key. You can use the SHOW HISTORY CONFIGURATION ALL command to list all the configurations. Look for audit history configurations that are digitally signed with a DSA_KEYPAIR_2048 key, and use the DROP HISTORY CONFIGURATION <histname> command to remove those configurations. If you loaded audit history data using this stronger DSA_KEYPAIR_2048 key, that audit database is not viewable after the downgrade to a release that does not support SP 800-131a cryptography.
  • If your system uses LDAP authentication for the Netezza Performance Server database user accounts, use the SET AUTHENTICATION LOCAL command to drop the current LDAP configuration, which is encrypted using the SP 800-131a enhanced support. You can then re-enable LDAP authentication, which will use the current host key and authentication levels, and the downgrade will proceed.
  • If your system uses Kerberos authentication for the Netezza Performance Server database user accounts, use the SET AUTHENTICATION LOCAL command to disable Kerberos support. NPS releases before 7.1 do not support Kerberos authentication.
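The following script strings the five steps above together as one pre-downgrade checklist. It is an added example, not IBM's own tooling or part of the NPS product: it assumes the nzsql client accepts a statement with `-c "<SQL>"`, and it assumes (constructed layout, not taken from the product) that SHOW KEYSTORE ALL VERBOSE prints `keystore | keyname | keytype` rows and that SHOW HISTORY CONFIGURATION ALL prints `histname | signing key | keytype` rows, one object per line under a header; adjust the awk column numbers to the real output of your release. The embedded sample tables are constructed. With DRY_RUN=1 (the default) it only prints the commands it would issue, which is the form to review with Support before letting it run.

```shell
#!/bin/sh
# Added example (not IBM's code): prepare an SP 800-131a NPS system for an
# nzupgrade downgrade to a pre-7.1 release. Assumptions: nzsql -c "<SQL>" runs
# one statement; SHOW output is a '|'-separated table with a header row.
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of SHOW KEYSTORE ALL VERBOSE output (assumed columns).
SAMPLE_KEYSTORE='KEYSTORE | KEYNAME | KEYTYPE
 mykeystore | hostkey | DSA_KEYPAIR_1024
 mykeystore | audit_signer | DSA_KEYPAIR_2048
 mykeystore | legacy_key | DSA_KEYPAIR_1024'

# Constructed sample of SHOW HISTORY CONFIGURATION ALL output (assumed columns).
SAMPLE_HISTORY='HISTNAME | SIGNING_KEY | KEYTYPE
 audit_plain | mykeystore.hostkey | DSA_KEYPAIR_1024
 audit_signed | mykeystore.audit_signer | DSA_KEYPAIR_2048'

# Trim whitespace from every '|'-separated field and print a DROP statement
# for each row whose key type is DSA_KEYPAIR_2048 (the type pre-7.1 lacks).
# $1 = statement prefix, $2 = 1 to emit keystore.keyname, 0 to emit column 1 only.
_dsa2048_rows() {
    awk -F'|' -v prefix="$1" -v qualified="$2" '
        NR > 1 {
            for (i = 1; i <= NF; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($3 != "DSA_KEYPAIR_2048") next
            if (qualified) print prefix " " $1 "." $2 ";"
            else           print prefix " " $1 ";"
        }'
}

# Step 2: keystore listing on stdin -> DROP CRYPTO KEY <keystore>.<keyname>; per key.
dsa2048_key_drops() { _dsa2048_rows "DROP CRYPTO KEY" 1; }

# Step 3: history listing on stdin -> DROP HISTORY CONFIGURATION <histname>; per config.
dsa2048_history_drops() { _dsa2048_rows "DROP HISTORY CONFIGURATION" 0; }

# Echo in dry-run mode, otherwise execute.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf 'DRY-RUN: %s\n' "$*"; else "$@"; fi
}

# The full procedure, in the order given in the documentation above.
prepare_for_downgrade() {
    # Step 1: leave SP 800-131a mode and restart the NPS software.
    run nzconfigcrypto -disable
    run nzstop
    run nzstart
    # Step 2: drop every DSA_KEYPAIR_2048 key.
    nzsql -c "SHOW KEYSTORE ALL VERBOSE" | dsa2048_key_drops |
        while IFS= read -r stmt; do run nzsql -c "$stmt"; done
    # Step 3: drop every audit history configuration signed with such a key.
    nzsql -c "SHOW HISTORY CONFIGURATION ALL" | dsa2048_history_drops |
        while IFS= read -r stmt; do run nzsql -c "$stmt"; done
    # Steps 4 and 5: LDAP (re-encrypted under the enhanced support) and
    # Kerberos (unsupported before 7.1) are both cleared the same way.
    run nzsql -c "SET AUTHENTICATION LOCAL"
    # If the site uses LDAP, re-enable it here with your normal LDAP settings
    # (syntax omitted: it is site-specific and not part of this example).
}

# Stand-alone demo on the constructed samples; pass --run to execute the real
# sequence against the local NPS host (DRY_RUN=0 to actually issue commands).
if [ "${1:-}" = "--run" ]; then
    prepare_for_downgrade
else
    printf '%s\n' "$SAMPLE_KEYSTORE" | dsa2048_key_drops
    printf '%s\n' "$SAMPLE_HISTORY" | dsa2048_history_drops
fi
```

Generating the DROP statements from the SHOW output, rather than typing them by hand, is what makes the checklist repeatable: a second pass after the drops should produce an empty list, which is the same condition nzupgrade checks before it will allow the downgrade.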

After you make these changes on your system, you can retry the nzupgrade command to proceed with the downgrade to the previous release.