The host key must already be defined in your NPS system and must be of type AES-256. An example command follows:

[nz@nzhost1 ~]$ nzconfigcrypto -HK ks1.key1 -enable
Checking support for crypto standard in NPS
Checking support for crypto standard in OS
Checking for required library
All required libraries found installed
Checking NPS system state
Checking and updating Host Key
Host Key already set
Checking and updating LDAP connection
No LDAP configuration found
Checking and updating Kerberos connection
No Kerberos configuration found
Checking and updating Authentication type
Checking and updating Audit History Configuration
No audit history configuration found
Checking and updating postgresql.conf file
Successfully updated parameter enable_crypto_std_v1
Crypto mode successfully enabled
You may now restart NPS

The script checks the system and sets the system default host key to the specified one (if it is not already the default key). In the example, the system was not configured to use LDAP authentication, Kerberos authentication, or an audit history configuration. However, if you use LDAP, Kerberos, or audit history, the command disables those features if they are currently non-compliant with the enhanced cryptography support.

If Kerberos was enabled on the system, the command also displays the following messages. Note the SET AUTHENTICATION command in the output. You will supply that command in a future step to enable Kerberos authentication again.

Restore Kerberos configuration with following command
SET AUTHENTICATION kerberos kdc 'mykdc.com' realm 'MYREALM.COM'
WARNING:
Kerberos conformance with SP800-131a cannot be controlled by the NPS.
Verify that the Kerberos netezza principal will use only the des3-cbc-sha1,
aes128-cts-hmac-sha1-96, or aes256-cts-hmac-sha1-96 encryption types.
This must be configured on your Kerberos KDC.
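
One way to run the verification that the WARNING asks for, as an added example that is not part of the NPS documentation or tooling: a shell function that reads a key listing for the netezza principal and reports any encryption type outside the three allowed ones. It assumes the listing uses lines of the form "Key: vno N, enctype" (the style printed by MIT kadmin's getprinc); the function names, the principal name and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not NPS code): check a principal's key listing against the
# encryption types that the WARNING above allows.

# Allowed list copied from the WARNING text.
ALLOWED_ENCTYPES="des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

# Reads a key listing on stdin. Assumed line format: "Key: vno N, enctype[, salt]".
# Prints one line per non-compliant key.
# Exit status: 0 = all keys allowed, 1 = at least one disallowed, 2 = no keys found.
check_enctypes() {
    awk -v allowed="$ALLOWED_ENCTYPES" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Key: vno / {
            seen++
            split($0, f, ",")
            vno = f[1]; sub(/^Key: vno[ \t]*/, "", vno)
            et = f[2]; gsub(/^[ \t]+|[ \t]+$/, "", et)
            et = tolower(et)
            if (!(et in ok)) {
                bad++
                printf "NON-COMPLIANT vno=%s enctype=%s\n", vno, et
            }
        }
        END {
            if (seen == 0) exit 2      # nothing parsed: do not report success
            exit (bad > 0 ? 1 : 0)
        }'
}

# Constructed sample listing (hypothetical principal, realm taken from the page).
sample_getprinc() {
cat <<'EOF'
Principal: netezza/nzhost1.example.com@MYREALM.COM
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 2, arcfour-hmac
EOF
}

# Usage: sample_getprinc | check_enctypes
#    or: check_enctypes < saved_key_listing.txt
```

Exit status 2 is kept separate from 0 so that an empty or unparsed listing is never mistaken for a compliant principal.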