How to enable SP 800-131a support

Use the nzconfigcrypto -enable command to enable enhanced cryptography SP 800-131a support on your Netezza Performance Server systems.

The nzconfigcrypto -enable command checks the system to ensure that it meets the software and operating system prerequisites to support the SP 800-131a changes, as described in Netezza Performance Server enhanced cryptography support. If the prerequisites are complete, the command does the following tasks:

  • Sets the enable_crypto_srd_v1 postgresql.conf registry setting to true to enable support for enhanced cryptography.
  • Checks and, if needed, sets the supplied AES-256 host key as the default host key for the enhanced cryptographic support.
  • Updates the authentication for the connection settings to use the stronger encryption methods.
  • Disables the LDAP or Kerberos configuration, if either LDAP or Kerberos is configured. You must re-enable the LDAP or Kerberos configuration after enhanced cryptography support is enabled to ensure that the authentication enforces the strong cryptography standards.
  • Disables the current audit history configuration if the current audit configuration does not conform to SP 800-131a support. You must update the audit history configuration to use a digitally signed cryptography key of type DSA_KEYPAIR_2048 and make it the current configuration.

After you run the nzconfigcrypto command, you must stop and restart the NPS software using the nzstop and nzstart commands to activate the SP 800-131a compliant operation.
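
A post-change check for the first task in the list above, as an added example that is not part of the product documentation or IBM's tooling: it reports whether enable_crypto_srd_v1 is effectively true in a configuration file. Assumptions: the caller supplies the path to postgresql.conf (this page does not give its location), the file uses PostgreSQL-style `name = value` lines in which the last uncommented entry wins, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: the file path is supplied by the caller, and the
# file uses PostgreSQL-style "name = value" lines where the last entry wins.

# Print the effective value of setting $1 in file $2 (lowercased, unquoted).
conf_value() {
    awk -v key="$1" -v q="'" '
        {
            line = $0
            sub(/#.*/, "", line)                  # drop comments (fine for booleans)
            gsub(/^[ \t]+|[ \t]+$/, "", line)     # trim whitespace
            if (match(line, /^[A-Za-z_][A-Za-z0-9_.]*/) == 0) next
            name = substr(line, 1, RLENGTH)
            if (tolower(name) != tolower(key)) next
            val = substr(line, RLENGTH + 1)
            sub(/^[ \t]*=?[ \t]*/, "", val)       # "=" is optional
            gsub("^" q "|" q "$", "", val)        # strip single quotes
            found = tolower(val)                  # later entries override earlier
        }
        END { if (found != "") print found }
    ' "$2"
}

# Succeed only if enable_crypto_srd_v1 is effectively true in file $1.
crypto_srd_enabled() {
    case "$(conf_value enable_crypto_srd_v1 "$1")" in
        true|on|yes|1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: a commented-out entry, then false, then a later true.
sample=$(mktemp)
printf '%s\n' \
    '# enable_crypto_srd_v1 = true' \
    'enable_crypto_srd_v1 = false' \
    "enable_crypto_srd_v1 = 'TRUE'   # constructed line" > "$sample"
if crypto_srd_enabled "$sample"; then
    echo "enable_crypto_srd_v1: enabled"
else
    echo "enable_crypto_srd_v1: NOT enabled"
fi
rm -f "$sample"
```

The check reads only the file on disk; the setting takes effect after the nzstop and nzstart restart described above.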