NPS requirements for enhanced cryptography support

If you configure your Netezza Performance Server system to support the SP 800-131a cryptography standard, familiarize yourself with the following important requirements for connecting to and using the system.

  • To support the enhanced cryptography standards, the NPS system now supports stronger cryptographic controls for passwords and connections and for encrypting data within an audit history database. You can use the DSA_KEYPAIR_2048 data type to create SP 800-131a-compliant cryptography keys.
  • You must set the system host key to a cryptography key that uses AES-256 encoding to ensure that the system uses strong cryptography when encrypting all of the passwords that are stored in the system.
  • All connections to the Netezza Performance Server database must use SHA256 authentication. The MD5 and CRYPT authentication connections are not allowed for an NPS system that uses enhanced cryptography. You will have to drop the MD5 and CRYPT connections and redefine them using SHA256 authentication.
  • If you use Kerberos authentication, work with your Kerberos administrator to ensure that the Kerberos Key Distribution Center (KDC) conforms with SP 800-131a. Verify that the Kerberos netezza principal uses only the des3-cbc-sha1, aes128-cts-hmac-sha1-96, or aes256-cts-hmac-sha1-96 encryption types.
  • If you use an audit history database on your system, the audit history configuration must be digitally signed with an SP 800-131a-compliant key of type DSA_KEYPAIR_2048.
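
One way to carry out the Kerberos check from the list above, shown as an added example that is not IBM's or the product's own code: the function reads a keytab listing and reports every netezza entry whose encryption type is outside the three allowed types. It assumes MIT `klist -ke` output with the enctype name in parentheses; the function names, the sample listing, and the host and realm names are constructed.

```shell
#!/bin/sh
# Added example: audit the netezza principal's keytab entries against the
# encryption types this page allows under SP 800-131a.

# Allowed enctypes, copied from the Kerberos requirement above.
ALLOWED="des3-cbc-sha1 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96"

# Reads `klist -ke` style text on stdin. Prints "KVNO PRINCIPAL ENCTYPE" for
# each netezza entry with a disallowed enctype. Exit status: 0 = all entries
# allowed, 1 = at least one disallowed entry, 2 = no netezza entry found.
check_netezza_enctypes() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Entry lines look like: "   3 netezza/host@REALM (enctype)"
        $1 ~ /^[0-9]+$/ && $2 ~ /^netezza(\/|@)/ {
            seen++
            etype = $NF
            gsub(/[()]/, "", etype)
            # Newer MIT klist builds prefix weak enctypes with "DEPRECATED:"
            sub(/^DEPRECATED:/, "", etype)
            if (!(etype in ok)) { print $1, $2, etype; bad++ }
        }
        END {
            if (seen == 0) { print "no netezza principal found"; exit 2 }
            exit (bad > 0)
        }
    '
}

# Constructed sample listing (not taken from a real system).
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/tmp/constructed.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 netezza/nps01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 netezza/nps01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 netezza/nps01.example.com@EXAMPLE.COM (DEPRECATED:des3-cbc-sha1)
   3 netezza/nps01.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
   5 host/nps01.example.com@EXAMPLE.COM (DEPRECATED:arcfour-hmac)
EOF
}

# Typical use (keytab path is a placeholder):
#   klist -ke <path-to-keytab> | check_netezza_enctypes
```

A non-zero exit status means the keytab needs to be regenerated with the KDC administrator before the system can be treated as compliant.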