
Why should I consider using AES encryption?

While the default RC4-HMAC is the most widely compatible encryption type, it is no longer considered to offer strong encryption.

For this reason, we recommend that you use AES-128 or AES-256 encryption instead.

Prerequisites for using AES encryption

Prerequisite: Domain functional level must be 2008 or higher.
Task: Domain functional levels prior to 2008 do not support AES encryption. To find the domain functional level, right-click on the root of the domain and choose Properties.

Prerequisite: Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files must be in place.
Task: Replace local_policy.jar and US_export_policy.jar in

    $JAVA_HOME/jre/lib/security/

The service must be restarted in order to apply the new policies.

Prerequisite: AES must be enabled on the user account that holds the SPN.

 

Creating a keytab with AES

  1. Enable AES 128 or AES 256 on the user account.
  2. (Re)Create the keytab with support for AES:

    ktpass /princ HTTP/issues.example.com@EXAMPLE.LOCAL /mapuser EXAMPLE\svc-jira-sso /pass * /out C:\issues.example.com.keytab /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1

  3. Upload the new keytab file to our plugin.

    Purge tickets

    Recreating keytabs with new versions or different encryption types will make Kerberos fail for clients that already have a ticket. Logging out, or running "klist purge" on the command line, will make clients acquire a new ticket with AES-256.

Example:

The first command in the picture below issues a keytab for issues.example.com. This keytab has "vno 3", meaning key version number (kvno) 3.

The second command is run after the user object has AES256 enabled. A new version of the keytab is issued (vno 4).
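The two things an administrator has to get right in the steps above are the encryption types enabled on the service account (the msDS-SupportedEncryptionTypes attribute that "enable AES" sets) and what the keytab produced by ktpass actually contains (its enctypes and its kvno). The following added example, written for this page and not part of the plugin or of Microsoft's tooling, builds that check: it encodes and decodes the msDS-SupportedEncryptionTypes bitmask, parses a version 2 keytab file, and reports the newest kvno, whether an AES key is present at that kvno, whether the keytab's enctypes are enabled on the account, and whether a weak RC4 or DES key is still lying around. The sample keytab bytes are constructed inline (an old RC4 entry at kvno 3 alongside an AES256 entry at kvno 4, mirroring the "vno 3" then "vno 4" sequence described above); the principal, realm and key bytes are assumptions, not values from a real system.

```python
import struct
from dataclasses import dataclass

# msDS-SupportedEncryptionTypes bit values (Active Directory, MS-KILE).
ENC_BITS = {
    "DES-CBC-CRC": 0x1,
    "DES-CBC-MD5": 0x2,
    "RC4-HMAC": 0x4,
    "AES128-CTS-HMAC-SHA1-96": 0x8,
    "AES256-CTS-HMAC-SHA1-96": 0x10,
}

# Kerberos enctype numbers as stored in keytab entries (RFC 3961/3962, RFC 4757).
ENCTYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5", 17: "AES128-CTS-HMAC-SHA1-96",
                 18: "AES256-CTS-HMAC-SHA1-96", 23: "RC4-HMAC"}
AES_ENCTYPES = {17, 18}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int


def supported_enctypes_value(names):
    """Integer to write into msDS-SupportedEncryptionTypes for the given enctype names."""
    value = 0
    for name in names:
        value |= ENC_BITS[name]
    return value


def decode_supported_enctypes(value):
    """Set of enctype names enabled by an msDS-SupportedEncryptionTypes value."""
    return {name for name, bit in ENC_BITS.items() if value & bit}


def _counted(buf, off):
    # counted_octet_string: uint16 length followed by the bytes
    (n,) = struct.unpack_from(">H", buf, off)
    off += 2
    return buf[off:off + n], off + n


def parse_keytab(data):
    """Parse a v2 (0x0502) keytab into KeytabEntry records."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    off, entries = 2, []
    while off < len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:            # negative size marks a deleted slot of that length
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(data, off)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        enctype, keylen = struct.unpack_from(">HH", data, off)
        off += 4 + keylen        # skip the key material itself
        kvno = vno8
        if end - off >= 4:       # optional 32-bit kvno overrides the 8-bit one when non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        off = end
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def check_keytab(data, account_enctypes_value):
    """Report the newest kvno and anything that would make AES-only SSO fail or stay weak."""
    entries = parse_keytab(data)
    allowed = decode_supported_enctypes(account_enctypes_value)
    latest = max(e.kvno for e in entries)
    current = [e for e in entries if e.kvno == latest]
    problems = []
    if not any(e.enctype in AES_ENCTYPES for e in current):
        problems.append(f"no AES key at kvno {latest}")
    for e in current:
        name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
        if name not in allowed:
            problems.append(f"{name} key at kvno {latest} is not enabled on the account")
    for e in entries:
        if e.enctype not in AES_ENCTYPES:
            name = ENCTYPE_NAMES.get(e.enctype, str(e.enctype))
            problems.append(f"weak {name} key at kvno {e.kvno} still in keytab")
    return {"latest_kvno": latest, "problems": problems}


def _entry(principal, realm, kvno, enctype, key):
    # Build one keytab entry (constructed test data, name type KRB5_NT_PRINCIPAL = 1).
    comps = principal.split("/")
    body = struct.pack(">H", len(comps)) + struct.pack(">H", len(realm)) + realm.encode()
    for c in comps:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a leftover RC4 key from kvno 3 plus the AES256 key issued at kvno 4.
SAMPLE_KEYTAB = (b"\x05\x02"
                 + _entry("HTTP/issues.example.com", "EXAMPLE.LOCAL", 3, 23, b"\x11" * 16)
                 + _entry("HTTP/issues.example.com", "EXAMPLE.LOCAL", 4, 18, b"\x22" * 32))

if __name__ == "__main__":
    aes_only = supported_enctypes_value({"AES128-CTS-HMAC-SHA1-96", "AES256-CTS-HMAC-SHA1-96"})
    print(check_keytab(SAMPLE_KEYTAB, aes_only))
```

Run it against a real keytab by replacing SAMPLE_KEYTAB with the file's bytes and passing the account's current msDS-SupportedEncryptionTypes value; a kvno in the keytab lower than the one the KDC now uses, or an AES key whose enctype the account does not allow, is exactly the condition under which clients holding old tickets start failing as the "Purge tickets" note describes.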
